arrowrat | 876f5ce0e85c7bd4fd29f3b29333e3b6d130306a53ba4a9dff02151cfc8bda63 | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows10-1703-x64

Client.exe

windows10-2004-x64

Client.exe

windows11-21h2-x64

Sharing

General

Target

Client.exe
Size

158KB
Sample

240618-z3txts1clj
MD5

332bc09f4e96b4c92fba644fa6b49585
SHA1

56fe70b2cfa0507fd1c6cb67b7456bba2e93bc39
SHA256

876f5ce0e85c7bd4fd29f3b29333e3b6d130306a53ba4a9dff02151cfc8bda63
SHA512

49c0a97e8f2b4a11f0261722c1c8495f9d8d438ad63a6f0f4bef0661b4ff2f05a0672caf6264d7d03fe91752def7d346b7d0ad752a0f9f8296859a543c7d10fa
SSDEEP

3072:MbzgH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPUJO8Y:Mbzge0ODhTEPgnjuIJzo+PPcfPUk8

Score

10^/10

arrowrat client execution persistence rat

Static task

static1

client arrowrat

2 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10-20240404-en

arrowrat client persistence rat

windows10-1703-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Client.exe

Resource

win10v2004-20240508-en

arrowrat client execution persistence rat

windows10-2004-x64

20 signatures

150 seconds

Behavioral task

behavioral3

Sample

Client.exe

Resource

win11-20240419-en

arrowrat client execution persistence rat

windows11-21h2-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

runderscore00-37568.portmap.host:37568

Mutex

qxzqapnkK

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  332bc09f4e96b4c92fba644fa6b49585
- SHA1
  
  56fe70b2cfa0507fd1c6cb67b7456bba2e93bc39
- SHA256
  
  876f5ce0e85c7bd4fd29f3b29333e3b6d130306a53ba4a9dff02151cfc8bda63
- SHA512
  
  49c0a97e8f2b4a11f0261722c1c8495f9d8d438ad63a6f0f4bef0661b4ff2f05a0672caf6264d7d03fe91752def7d346b7d0ad752a0f9f8296859a543c7d10fa
- SSDEEP
  
  3072:MbzgH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPUJO8Y:Mbzge0ODhTEPgnjuIJzo+PPcfPUk8
Score

10^/10

arrowrat client persistence rat execution
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientpersistencerat

behavioral2

arrowratclientexecutionpersistencerat

behavioral3

arrowratclientexecutionpersistencerat

© 2018-2024

Terms | Privacy