General

  • Target

    b41b657eb9883b9d2de872e7200d4fd2.exe

  • Size

    158KB

  • Sample

    240811-hr3l6atdjb

  • MD5

    b41b657eb9883b9d2de872e7200d4fd2

  • SHA1

    a9b102d7b76416bc4beaa2702e3b90206c323b66

  • SHA256

    a73f67009d77906b2dfee216b4e7cb940eef13304c22e909b65cd2834e291b1a

  • SHA512

    eb290a85597c934485887d7ccf21642042ceff82b052784543a55569af404b60fc9d42dcd42da027750d439a55a928705d4f9c1e40824e8f0b91d2e92110d73f

  • SSDEEP

    3072:5bzwH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP6OO8Y:5bzwe0ODhTEPgnjuIJzo+PPcfP6B8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

and-statements.gl.at.ply.gg:43442

Mutex

KRSSneMpK

Targets

    • Target

      b41b657eb9883b9d2de872e7200d4fd2.exe

    • Size

      158KB

    • MD5

      b41b657eb9883b9d2de872e7200d4fd2

    • SHA1

      a9b102d7b76416bc4beaa2702e3b90206c323b66

    • SHA256

      a73f67009d77906b2dfee216b4e7cb940eef13304c22e909b65cd2834e291b1a

    • SHA512

      eb290a85597c934485887d7ccf21642042ceff82b052784543a55569af404b60fc9d42dcd42da027750d439a55a928705d4f9c1e40824e8f0b91d2e92110d73f

    • SSDEEP

      3072:5bzwH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP6OO8Y:5bzwe0ODhTEPgnjuIJzo+PPcfP6B8

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks