arrowrat | e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6 | Triage

Sharing

General

Target

Client.exe
Size

158KB
Sample

241118-qn1x6asmcj
MD5

16a66efc62e16195848483277f81cb3b
SHA1

5b3b70e9df9b025576386abfa9ed7c342e8d7a46
SHA256

e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6
SHA512

87d682acb2b44506711e4758762e16c3f29101c5a20c1b144ff2c337c37a82f8bd0bbf13c65bb1e5e2423bcf3f042cd9d114256846aeb5c8e66119b64d6d1393
SSDEEP

3072:gbzxH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPMiO8Y:gbzxe0ODhTEPgnjuIJzo+PPcfPMd8

Score

10^/10

arrowrat pf030dc1ckld12od3 discovery execution persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Pf030dc1ckld12od3

C2

192.168.1.46:1337

Mutex

QplfyCtwT

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  16a66efc62e16195848483277f81cb3b
- SHA1
  
  5b3b70e9df9b025576386abfa9ed7c342e8d7a46
- SHA256
  
  e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6
- SHA512
  
  87d682acb2b44506711e4758762e16c3f29101c5a20c1b144ff2c337c37a82f8bd0bbf13c65bb1e5e2423bcf3f042cd9d114256846aeb5c8e66119b64d6d1393
- SSDEEP
  
  3072:gbzxH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPMiO8Y:gbzxe0ODhTEPgnjuIJzo+PPcfPMd8
Score

10^/10

arrowrat pf030dc1ckld12od3 persistence rat discovery execution
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

pf030dc1ckld12od3arrowrat

behavioral1

arrowratpf030dc1ckld12od3persistencerat

behavioral2

arrowratpf030dc1ckld12od3discoveryexecutionpersistencerat