General

  • Target

    a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe

  • Size

    732KB

  • Sample

    240925-cqbjdsyglk

  • MD5

    ab0d49fdafb94d853b64632422636c97

  • SHA1

    114878c7437c44b9d33085f3f75ca16f4e3aa9dc

  • SHA256

    a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b

  • SHA512

    d358354275e32cdb8526687f9e27ef3d419d5ed2449d22f1b9230dbce92aed8bade6d2b5d45b3504336b76a8718af782c9ef78e42b3a0fb8a5428e41a99a529a

  • SSDEEP

    12288:VD9TFmMwfrck/YEwEVhftq6rmIGD9P5X5U4LVkYdS7Ffi:KgERVNQ6Fq9hX5U4L94Zi

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

vncnew1984.duckdns.org:1984

Mutex

ecZCILAfG

Targets

    • Target

      a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe

    • Size

      732KB

    • MD5

      ab0d49fdafb94d853b64632422636c97

    • SHA1

      114878c7437c44b9d33085f3f75ca16f4e3aa9dc

    • SHA256

      a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b

    • SHA512

      d358354275e32cdb8526687f9e27ef3d419d5ed2449d22f1b9230dbce92aed8bade6d2b5d45b3504336b76a8718af782c9ef78e42b3a0fb8a5428e41a99a529a

    • SSDEEP

      12288:VD9TFmMwfrck/YEwEVhftq6rmIGD9P5X5U4LVkYdS7Ffi:KgERVNQ6Fq9hX5U4L94Zi

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks