General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240507-m3mgjafg23

  • MD5

    d0a55dda2e691dbb7eedcd02cc7eaffa

  • SHA1

    37433d28c8f89e0f3b63e145d592e86e9da9b22f

  • SHA256

    0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335

  • SHA512

    de5975c1c76799649b917b5e43c681ea2aff06813f43d363d4dc2ec8c99d33ba17026cb07a26931e6f637e26add9090be0eccc95f753f625461c75fe2b07327a

  • SSDEEP

    3072:wbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPzdO8Y:wbzme0ODhTEPgnjuIJzo+PPcfPzQ8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

26.137.109.175:1337

Mutex

pqjvqGUKv

Targets

    • Target

      Client.exe

    • Size

      158KB

    • MD5

      d0a55dda2e691dbb7eedcd02cc7eaffa

    • SHA1

      37433d28c8f89e0f3b63e145d592e86e9da9b22f

    • SHA256

      0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335

    • SHA512

      de5975c1c76799649b917b5e43c681ea2aff06813f43d363d4dc2ec8c99d33ba17026cb07a26931e6f637e26add9090be0eccc95f753f625461c75fe2b07327a

    • SSDEEP

      3072:wbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPzdO8Y:wbzme0ODhTEPgnjuIJzo+PPcfPzQ8

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks