General
Target: Client.exe
Size: 158KB
Sample: 230522-knzgfahh5z
MD5: ae1a31fccddf3c728479e181ee16c74b
SHA1: 767c87adcd18546e3ae40d781579071f7f8035a2
SHA256: 279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342
SHA512: 9343ad9da7db4a6f8eb2bd78505bcce18d026de7cdc520864090b130d8d395b0edfc26c456bb4ec554cbd7473ea8cb14302b5a4e91a2072f81f219c97cc81905
SSDEEP: 3072:TbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPP1O8Y:Tbzme0ODhTEPgnjuIJzo+PPcfPPY8
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Client.exe
Resource: win10v2004-20230221-en
Malware Config
Extracted: arrowrat
Client: 6.tcp.eu.ngrok.io:19154
Runtime Broker
Targets
Target: Client.exe
Size: 158KB
Score: 10/10
- Modifies WinLogon for persistence
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Registers COM server for autorun
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext