arrowrat | 284ccf8fa7c86c6e59fb379c82c757a01b170b210f6751e4955c4e20a5f5d7df | Triage

Submit
Reports

Overview

overview

Static

static

1

AlbertVaca...mp.exe

windows10-2004-x64

AlbertVaca...mp.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

AlbertVacation_nopump.exe
Size

1.0MB
Sample

250520-yzjr1s1py5
MD5

85e800052c6c4c666ab5b34780683d7f
SHA1

3ad8c16c28271e7eb0e6272f2cbb4379e91ec234
SHA256

284ccf8fa7c86c6e59fb379c82c757a01b170b210f6751e4955c4e20a5f5d7df
SHA512

942a81c0d5dee3a0081c04df9144ee03668831034bc78ed3c36b09f56f5950d7420c4f9dc668f2b80c36765bf9912c2e37964d2151e694fb12a61607a9c5e920
SSDEEP

24576:O0a2p2Dg5NocIAg5ViGcn/IaUcVDQE9bmZdBNKqiRxht+O4l5H53v2LzO+mz:OEgWGpvQI9kDFbDqibhtzkZv2LK3z

Score

10^/10

arrowrat xxx discovery persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

AlbertVacation_nopump.exe

Resource

win10v2004-20250502-en

arrowrat xxx discovery persistence rat

windows10-2004-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

AlbertVacation_nopump.exe

Resource

win11-20250502-en

arrowrat xxx discovery persistence rat

windows11-21h2-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

xxx

C2

65.108.77.73:1330

Mutex

uwDUxBeCD

Targets

- Target
  
  AlbertVacation_nopump.exe
- Size
  
  1.0MB
- MD5
  
  85e800052c6c4c666ab5b34780683d7f
- SHA1
  
  3ad8c16c28271e7eb0e6272f2cbb4379e91ec234
- SHA256
  
  284ccf8fa7c86c6e59fb379c82c757a01b170b210f6751e4955c4e20a5f5d7df
- SHA512
  
  942a81c0d5dee3a0081c04df9144ee03668831034bc78ed3c36b09f56f5950d7420c4f9dc668f2b80c36765bf9912c2e37964d2151e694fb12a61607a9c5e920
- SSDEEP
  
  24576:O0a2p2Dg5NocIAg5ViGcn/IaUcVDQE9bmZdBNKqiRxht+O4l5H53v2LzO+mz:OEgWGpvQI9kDFbDqibhtzkZv2LK3z
Score

10^/10

arrowrat xxx discovery persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratxxxdiscoverypersistencerat

behavioral2

arrowratxxxdiscoverypersistencerat

© 2018-2025

Terms | Privacy