arrowrat | 66475b24c13dab1ac718c17eb8a36a19c965144026c87ab504a73ced3896e43c | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows10-2004-x64

Sharing

General

Target

Client.exe
Size

158KB
Sample

240801-ltl9qsvblk
MD5

5e59614770589b6f9ccd26931cedbf45
SHA1

dc5ee9bcda9d90c24574b9e420842c9a8789f1a3
SHA256

66475b24c13dab1ac718c17eb8a36a19c965144026c87ab504a73ced3896e43c
SHA512

2a8eaf627a11962ae5de96c6d2147c45094ecac1a547560aed8d451341998b1b0a7dbcdc957bee98b3bb270d5538129d12e53c6758129fc28cca250b064e2d34
SSDEEP

3072:HbzFH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP6ZO8Y:HbzFe0ODhTEPgnjuIJzo+PPcfP608

Score

10^/10

arrowrat windows anti virus detections discovery execution persistence rat

Static task

static1

windows anti virus detections arrowrat

2 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10v2004-20240730-en

arrowrat windows anti virus detections discovery execution persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Windows Anti Virus Detections

C2

and-statements.gl.at.ply.gg2a04:4a43:976f:fbc4:a03b:6599:d257:fc04:43442

Mutex

xNageaqsy

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  5e59614770589b6f9ccd26931cedbf45
- SHA1
  
  dc5ee9bcda9d90c24574b9e420842c9a8789f1a3
- SHA256
  
  66475b24c13dab1ac718c17eb8a36a19c965144026c87ab504a73ced3896e43c
- SHA512
  
  2a8eaf627a11962ae5de96c6d2147c45094ecac1a547560aed8d451341998b1b0a7dbcdc957bee98b3bb270d5538129d12e53c6758129fc28cca250b064e2d34
- SSDEEP
  
  3072:HbzFH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP6ZO8Y:HbzFe0ODhTEPgnjuIJzo+PPcfP608
Score

10^/10

arrowrat windows anti virus detections discovery execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

windows anti virus detectionsarrowrat

behavioral1

arrowratwindows anti virus detectionsdiscoveryexecutionpersistencerat

© 2018-2024

Terms | Privacy