arrowrat | 2546c02930cc08af5cff35a94d0501f8c0fecb64f1f215c03da6f0b58c1dce40 | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows10-ltsc 2021-x64

Sharing

General

Target

Client.exe
Size

158KB
Sample

241102-wharns1gmk
MD5

3301ae650283538d07ce86b24ee3fe9b
SHA1

6a7a80c7094b14c4c905ad48f0308b5b7bd49f42
SHA256

2546c02930cc08af5cff35a94d0501f8c0fecb64f1f215c03da6f0b58c1dce40
SHA512

f844169694e0390addd8e889c6d3c6df3d8ac815caec5cef329eac01b90cda647b772192facfdf7487b131e7054d04ee104ba849e1bbdd453b5357d203e0fba7
SSDEEP

3072:wbz8H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPHdO8Y:wbz8e0ODhTEPgnjuIJzo+PPcfPHQ8

Score

10^/10

arrowrat client discovery execution persistence rat

Static task

static1

client arrowrat

2 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10ltsc2021-20241023-en

arrowrat client discovery execution persistence rat

windows10-ltsc 2021-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

options-printing.gl.at.ply.gg:4449

Mutex

KzvKtMMlK

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  3301ae650283538d07ce86b24ee3fe9b
- SHA1
  
  6a7a80c7094b14c4c905ad48f0308b5b7bd49f42
- SHA256
  
  2546c02930cc08af5cff35a94d0501f8c0fecb64f1f215c03da6f0b58c1dce40
- SHA512
  
  f844169694e0390addd8e889c6d3c6df3d8ac815caec5cef329eac01b90cda647b772192facfdf7487b131e7054d04ee104ba849e1bbdd453b5357d203e0fba7
- SSDEEP
  
  3072:wbz8H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPHdO8Y:wbz8e0ODhTEPgnjuIJzo+PPcfPHQ8
Score

10^/10

arrowrat client discovery execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientdiscoveryexecutionpersistencerat

© 2018-2024

Terms | Privacy