arrowrat | 0e128c8329b4ac17b548b4e78ee4ac813a938d1b6bcf1dceff816ba97202a1e4 | Triage

Submit
Reports

Overview

overview

Static

static

sqjxHtZQi8.ps1

windows7-x64

sqjxHtZQi8.ps1

windows10-2004-x64

Sharing

General

Target

sqjxHtZQi8.ps1
Size

1.2MB
Sample

240718-tckzcayfjg
MD5

ca1aa65d11c546f737d20939aac7577f
SHA1

ba6ac400f4729fc1d25bdbe7b46e18fc203c8d8b
SHA256

0e128c8329b4ac17b548b4e78ee4ac813a938d1b6bcf1dceff816ba97202a1e4
SHA512

b3e43ca2617fed5862d7e25e1ab02dadbdb666a7e75eb07d65ee9065c0b1ce741a3213f744972d18574b05fe7b283bf3dc69ab05abf20f051c02b86792b53242
SSDEEP

12288:iZmTk3LmZmTk3Lv2RDsUU1VG2RDsUU1VP2RDsUU1V/:iZmTAKZmTAr25gG25gP25g/

Score

10^/10

arrowrat r00t execution persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

sqjxHtZQi8.ps1

Resource

win7-20240708-en

arrowrat r00t execution persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

sqjxHtZQi8.ps1

Resource

win10v2004-20240709-en

arrowrat r00t execution persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

r00t

C2

necessary-sick.gl.at.ply.gg:32835

Mutex

DsCbljCVL

Targets

- Target
  
  sqjxHtZQi8.ps1
- Size
  
  1.2MB
- MD5
  
  ca1aa65d11c546f737d20939aac7577f
- SHA1
  
  ba6ac400f4729fc1d25bdbe7b46e18fc203c8d8b
- SHA256
  
  0e128c8329b4ac17b548b4e78ee4ac813a938d1b6bcf1dceff816ba97202a1e4
- SHA512
  
  b3e43ca2617fed5862d7e25e1ab02dadbdb666a7e75eb07d65ee9065c0b1ce741a3213f744972d18574b05fe7b283bf3dc69ab05abf20f051c02b86792b53242
- SSDEEP
  
  12288:iZmTk3LmZmTk3Lv2RDsUU1VG2RDsUU1VP2RDsUU1V/:iZmTAKZmTAr25gG25gP25g/
Score

10^/10

arrowrat r00t execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratr00texecutionpersistencerat

behavioral2

arrowratr00texecutionpersistencerat

© 2018-2024

Terms | Privacy