General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240514-sbdyzaca36

  • MD5

    0dd200d5163a677c9f2c4eaa73210ed6

  • SHA1

    a828ef3fd25efc9896fd6488a0d07a4bf91804d7

  • SHA256

    e9d64e1290c710d5d24535336eb50aadcd001cbcee1a95693849cc3d1f8f6bc1

  • SHA512

    f247fc1f557be801e6661e08201a40bbd4292666627a3cbe29df75545728ce975aa2fc2a90a2452690cebf2be0cfe98eabef5cab05c423617ccb26c8b20803a0

  • SSDEEP

    3072:gbzbDH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPSSO8Y:gbzbDe0ODhTEPgnjuIJzo+PPcfPSN8

Malware Config

Extracted

  • Family

    arrowrat

  • Botnet

    Client

  • C2

    192.168.56.1:2600

  • Mutex

    IGmexvmSD

Targets

    • Target

      Client.exe

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 2
    System Information Discovery (T1082): 2

Tasks