arrowrat | d020ce862bf6ba26a1b4b0ca76ebc2ce9bc5ade16e52c66b11bc4253a16318a7 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Client.exe

windows7-x64

Client.exe

windows10-2004-x64

Sharing

General

Target

Client.exe
Size

158KB
Sample

241226-tv9qeszqcs
MD5

b9e38162af37c0f29b683c3c307fae6c
SHA1

646eedd6062086bb394c5f5727ff3cfff940e090
SHA256

d020ce862bf6ba26a1b4b0ca76ebc2ce9bc5ade16e52c66b11bc4253a16318a7
SHA512

85440ad4b1258171ddd280e373b31ea2018538256c21ff024d138f4032bb4717875351073fd987e2c0e120f7dbea5bfc9cf32484224e2c04685a13916b8e44b5
SSDEEP

3072:Mbz3H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPmOO8Y:Mbz3e0ODhTEPgnjuIJzo+PPcfPmB8

Score

10^/10

arrowrat client discovery execution persistence rat

Static task

static1

client arrowrat

2 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win7-20240729-en

arrowrat client persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Client.exe

Resource

win10v2004-20241007-en

arrowrat client discovery execution persistence rat

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

24.ip.gl.ply.gg:46885

Mutex

BVCkbzdsT

Targets

- Target
  
  Client.exe
- Size
  
  158KB
- MD5
  
  b9e38162af37c0f29b683c3c307fae6c
- SHA1
  
  646eedd6062086bb394c5f5727ff3cfff940e090
- SHA256
  
  d020ce862bf6ba26a1b4b0ca76ebc2ce9bc5ade16e52c66b11bc4253a16318a7
- SHA512
  
  85440ad4b1258171ddd280e373b31ea2018538256c21ff024d138f4032bb4717875351073fd987e2c0e120f7dbea5bfc9cf32484224e2c04685a13916b8e44b5
- SSDEEP
  
  3072:Mbz3H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPmOO8Y:Mbz3e0ODhTEPgnjuIJzo+PPcfPmB8
Score

10^/10

arrowrat client persistence rat discovery execution
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientpersistencerat

behavioral2

arrowratclientdiscoveryexecutionpersistencerat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.