Overview

overview

10

Static

static

10

Client.exe

windows11-21h2-x64

10

Client.exe

windows7-x64

10

Client.exe

windows10-1703-x64

10

Client.exe

windows10-2004-x64

10

Client.exe

windows11-21h2-x64

10

Client.exe

android-11-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240507-m3mgjafg23

  • MD5

    d0a55dda2e691dbb7eedcd02cc7eaffa

  • SHA1

    37433d28c8f89e0f3b63e145d592e86e9da9b22f

  • SHA256

    0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335

  • SHA512

    de5975c1c76799649b917b5e43c681ea2aff06813f43d363d4dc2ec8c99d33ba17026cb07a26931e6f637e26add9090be0eccc95f753f625461c75fe2b07327a

  • SSDEEP

    3072:wbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPzdO8Y:wbzme0ODhTEPgnjuIJzo+PPcfPzQ8

Score
10/10
arrowratclientandroidexecutionpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

26.137.109.175:1337

Mutex

pqjvqGUKv

Targets

    • Target

      Client.exe

    • Size

      158KB

    • MD5

      d0a55dda2e691dbb7eedcd02cc7eaffa

    • SHA1

      37433d28c8f89e0f3b63e145d592e86e9da9b22f

    • SHA256

      0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335

    • SHA512

      de5975c1c76799649b917b5e43c681ea2aff06813f43d363d4dc2ec8c99d33ba17026cb07a26931e6f637e26add9090be0eccc95f753f625461c75fe2b07327a

    • SSDEEP

      3072:wbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPzdO8Y:wbzme0ODhTEPgnjuIJzo+PPcfPzQ8

    Score
    10/10
    arrowratclientexecutionpersistencerat

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

      ratarrowrat

    • Modifies WinLogon for persistence

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks