arrowrat | Client[.]exe | Triage

Sharing

General

Target

Client.exe
Size

158KB
MD5

e342241a46ccb69a5e50aab1c3910172
SHA1

63f28e0544c4689fc934e61269c5b5c47e8585a8
SHA256

6e720a7d86006e8cc69a9edf11e3e78608061cf606eca26d235db6282b002b97
SHA512

98a799f600c4562228d5f6b3c431bffac7595908dbffa6484995fe5b958656eb31c9b42dd873f72aa49feec203e8db16c384dccaeb377d34f55beeffc7b8ceda
SSDEEP

3072:qbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPGKO8Y:qbzme0ODhTEPgnjuIJzo+PPcfPG18

Score

10^/10

client arrowrat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

185.103.101.105:1337

Mutex

VzRgLAhmN

Signatures

Arrowrat family
arrowrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
Client.exe

Files

Client.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 153KB - Virtual size: 152KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ