arrowrat | b4b5626f40c75e92f91e0d98e7250827f3080b1c268b9861fdd37e05928359c1 | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows11-21h2-x64

Sharing

General

Target

Client.exe
Size

158KB
Sample

241105-kme2eaxhle
MD5

648c702925548284a6455ccad0393887
SHA1

9dacf5df7f98ad089fa5b75ec5c2e699e75c07f8
SHA256

b4b5626f40c75e92f91e0d98e7250827f3080b1c268b9861fdd37e05928359c1
SHA512

026b9d65c29254bc3375e0d7bdd593ec2cfe554036c121da0d29f87a752ec807ca771a93ecb419d0db355e469d4ce3029854ce2446b1af9f5dbd6cdc0d35d55f
SSDEEP

3072:7bzIH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPkqO8Y:7bzIe0ODhTEPgnjuIJzo+PPcfPkV8

Score

10^/10

arrowrat skibidia discovery execution persistence rat

Static task

static1

skibidia arrowrat

2 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win11-20241007-en

arrowrat skibidia discovery execution persistence rat

windows11-21h2-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Skibidia

C2

147.185.221.23:49157

Mutex

NDKfDLExh

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  648c702925548284a6455ccad0393887
- SHA1
  
  9dacf5df7f98ad089fa5b75ec5c2e699e75c07f8
- SHA256
  
  b4b5626f40c75e92f91e0d98e7250827f3080b1c268b9861fdd37e05928359c1
- SHA512
  
  026b9d65c29254bc3375e0d7bdd593ec2cfe554036c121da0d29f87a752ec807ca771a93ecb419d0db355e469d4ce3029854ce2446b1af9f5dbd6cdc0d35d55f
- SSDEEP
  
  3072:7bzIH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPkqO8Y:7bzIe0ODhTEPgnjuIJzo+PPcfPkV8
Score

10^/10

arrowrat skibidia discovery execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

skibidiaarrowrat

behavioral1

arrowratskibidiadiscoveryexecutionpersistencerat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.