General

  • Target

    T.T_Copy.12.18.2024.exe

  • Size

    1.2MB

  • Sample

    241219-jmjh6awmcr

  • MD5

    4542c9e57e9d955244262c035aaffe94

  • SHA1

    3dfade02ec7892ebdfa977c25354a352e0c55f56

  • SHA256

    98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

  • SHA512

    ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9

  • SSDEEP

    24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

Malware Config

Extracted

Family

arrowrat

Botnet

Client01

C2

127.0.0.1:1338

Mutex

OSHPAW

Targets

    • Target

      T.T_Copy.12.18.2024.exe

    • Size

      1.2MB

    • MD5

      4542c9e57e9d955244262c035aaffe94

    • SHA1

      3dfade02ec7892ebdfa977c25354a352e0c55f56

    • SHA256

      98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

    • SHA512

      ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9

    • SSDEEP

      24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Arrowrat family

    • Modifies WinLogon for persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks