General

  • Target

    2fa1edfb1d2dcc02be7f6dc9976ad3c2de69090e4eadf37e7b589bd600bc36e4.zip

  • Size

    852KB

  • Sample

    240925-bt1r1swhjn

  • MD5

    2d1c5df66be5a1120833e878b39dd0b4

  • SHA1

    145ad971ae2f9061f9331b0289f05bfd5e681499

  • SHA256

    2fa1edfb1d2dcc02be7f6dc9976ad3c2de69090e4eadf37e7b589bd600bc36e4

  • SHA512

    df70d25dae757bdc0071292fb81048c936374e6aff5b34fccb9630d0b573bc009562f5e3fd09c100e9259dcc0139114140f8e7ae24da05ad5f48cae2657fc329

  • SSDEEP

    12288:SPmTX00w6DTfFUgrm++P/WlRFmvFE+lpL9N6slVj6Y:OmTE0ZDb2gr8WlQzfL9sslQY

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

vncnew1984.duckdns.org:1984

Mutex

ecZCILAfG

Targets

    • Target

      e659861670260fa5252d5315d71466659e321a90a357aa3005304f145c4a2027

    • Size

      300.0MB

    • MD5

      135b97e053b660f8e6cacd58965b93cd

    • SHA1

      828e92ad30ac243ec063252a338519e4429940e3

    • SHA256

      e659861670260fa5252d5315d71466659e321a90a357aa3005304f145c4a2027

    • SHA512

      6b19d2143f021feeccf5833b57fff55fbae3c72ea0eb480a893b48acd9ce2bdb0c895cd3516133436b4e937f97ee4e42ce58b4aa3729d1f3c29fa837bc19366c

    • SSDEEP

      12288:VD9TFmMwfrck/YEwEVhftq6rmIGD9P5X5U4LVkYdS7Ffi:KgERVNQ6Fq9hX5U4L94Zi

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks