arrowrat | hxxps://www[.]upload[.]ee/files/16384710/Client[.]exe[.]html | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://www.upload.e...

windows10-2004-x64

Sharing

General

Target

https://www.upload.ee/files/16384710/Client.exe.html
Sample

240315-cqmlnagb84

Score

10^/10

arrowrat svchost persistence rat

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://www.upload.ee/files/16384710/Client.exe.html

Resource

win10v2004-20240226-en

arrowrat svchost persistence rat

windows10-2004-x64

24 signatures

300 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

svchost

C2

authority-amazon.gl.at.ply.gg:41414

Mutex

mNnfMgqNP

Targets

- Target
  
  https://www.upload.ee/files/16384710/Client.exe.html
Score

10^/10

arrowrat svchost persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

arrowratsvchost persistencerat

© 2018-2024

Terms | Privacy