arrowrat | 01b5d985ba53c1d789b144694e179d04c8c0ff95e88659ce9e8b9b6e77f357ff | Triage

Sharing

General

Target

Client.exe
Size

158KB
Sample

240801-lx8l5svcrn
MD5

ed0eb58e701a62ef732db4bb2223565e
SHA1

882f556e08047535c88f33eb7a53652134d1081f
SHA256

01b5d985ba53c1d789b144694e179d04c8c0ff95e88659ce9e8b9b6e77f357ff
SHA512

f7395647176b2a3ff456eda2924bb2fa3fe507bacf93933bfb0588c03a7a87ab8b0339ca2f8b258a9acb7b5d68cd8aae948382251ea274e0dd8d81360890ced2
SSDEEP

3072:wbziH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPYdO8Y:wbzie0ODhTEPgnjuIJzo+PPcfPYQ8

Score

10^/10

arrowrat client1 credential_access discovery execution persistence rat stealer

Malware Config

Extracted

Family

arrowrat

Botnet

Client1

C2

and-statements.gl.at.ply.gg:43442

Mutex

JeaMEllZK

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  ed0eb58e701a62ef732db4bb2223565e
- SHA1
  
  882f556e08047535c88f33eb7a53652134d1081f
- SHA256
  
  01b5d985ba53c1d789b144694e179d04c8c0ff95e88659ce9e8b9b6e77f357ff
- SHA512
  
  f7395647176b2a3ff456eda2924bb2fa3fe507bacf93933bfb0588c03a7a87ab8b0339ca2f8b258a9acb7b5d68cd8aae948382251ea274e0dd8d81360890ced2
- SSDEEP
  
  3072:wbziH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPYdO8Y:wbzie0ODhTEPgnjuIJzo+PPcfPYQ8
Score

10^/10

arrowrat client1 credential_access discovery execution persistence rat stealer
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

client1arrowrat

behavioral1

arrowratclient1credential_accessdiscoveryexecutionpersistenceratstealer