General

  • Target

    2be002d8f440059579b6eec67e37a127208_JC.exe

  • Size

    2.4MB

  • Sample

    230730-qnckkahc56

  • MD5

    6eb284564aa7bd24f4f6df02ef05d185

  • SHA1

    47f85ddc0b1a090d1852c37b2e2e1449e5b6db88

  • SHA256

    2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb

  • SHA512

    49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179

  • SSDEEP

    49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

line-ellis.gl.at.ply.gg:10735

Mutex

nAChhjAnR

Targets

    • Target

      2be002d8f440059579b6eec67e37a127208_JC.exe

    • Size

      2.4MB

    • MD5

      6eb284564aa7bd24f4f6df02ef05d185

    • SHA1

      47f85ddc0b1a090d1852c37b2e2e1449e5b6db88

    • SHA256

      2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb

    • SHA512

      49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179

    • SSDEEP

      49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks