arrowrat | Client[.]exe | Triage

Sharing

General

Target

Client.exe
Size

158KB
MD5

332bc09f4e96b4c92fba644fa6b49585
SHA1

56fe70b2cfa0507fd1c6cb67b7456bba2e93bc39
SHA256

876f5ce0e85c7bd4fd29f3b29333e3b6d130306a53ba4a9dff02151cfc8bda63
SHA512

49c0a97e8f2b4a11f0261722c1c8495f9d8d438ad63a6f0f4bef0661b4ff2f05a0672caf6264d7d03fe91752def7d346b7d0ad752a0f9f8296859a543c7d10fa
SSDEEP

3072:MbzgH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPUJO8Y:Mbzge0ODhTEPgnjuIJzo+PPcfPUk8

Score

10^/10

client arrowrat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

runderscore00-37568.portmap.host:37568

Mutex

qxzqapnkK

Signatures

Arrowrat family
arrowrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
Client.exe

Files

Client.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 153KB - Virtual size: 152KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ