General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240902-wjzgeswapg

  • MD5

    330f9ca88df2bb08b5d92df02830a8ab

  • SHA1

    1d94ac49a57ea8c5a77c15b0f9252528f4d429f9

  • SHA256

    8a032aa8eba9f5f0727f26ec74ca3dff029955ae6be9c1e7b7a7a84c41820910

  • SHA512

    aa8d9d9fe801315472bfaada35a56dfc6c64ba0d7cfd9a467858eb2797e365bbc69de4c2afba5667abf6304a266dbeed1a8e13b39a86d2c6b884d12069113f39

  • SSDEEP

    3072:gbzRH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP+iO8Y:gbzRe0ODhTEPgnjuIJzo+PPcfP+d8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

6.tcp.eu.ngrok.io:13114:4444

Mutex

IpVAZHAys

Targets

    • Target

      Client.exe


    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or a copy of, the web browser credential store.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext
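
Detection logic for the behaviours listed above (Winlogon tampering, Active Setup StubPath persistence, PowerShell-driven Defender exclusions, the ngrok TCP tunnel used as C2, and the sample's SHA256), as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style events; the event layout, file paths, the Active Setup GUIDs and the rule names are assumptions made for illustration.

```python
"""Detection checks for the ArrowRAT behaviours this report lists, run over a
handful of constructed Sysmon-style events (EventID 1 process create, 3 network
connect, 13 registry value set, 22 DNS query). Added example for this page; the
events below are made up for illustration, not taken from the sandbox run."""
import re
from typing import Dict, List

# Indicators copied from the report above.
IOC_SHA256 = "8a032aa8eba9f5f0727f26ec74ca3dff029955ae6be9c1e7b7a7a84c41820910"
IOC_C2_HOST = "6.tcp.eu.ngrok.io"

# Winlogon values commonly abused for persistence, and their stock contents.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}

ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(Users|ProgramData|Temp)\\|%(APPDATA|LOCALAPPDATA|TEMP)%", re.I)
DEFENDER_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
# ngrok TCP tunnels are named N.tcp.ngrok.io or N.tcp.<region>.ngrok.io
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(\.[a-z]+)?\.ngrok\.io$", re.I)


def _hit(rule: str, idx: int, evidence: str) -> Dict:
    return {"rule": rule, "event": idx, "evidence": evidence}


def detect(events: List[Dict]) -> List[Dict]:
    """Return one record per rule match; a single event may match several rules."""
    hits: List[Dict] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:
            hashes = ev.get("Hashes", "")
            if IOC_SHA256 in hashes.lower():
                hits.append(_hit("known_sample_hash", i, hashes))
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            if image.endswith(("powershell.exe", "pwsh.exe")) and DEFENDER_EXCL_RE.search(cmd):
                hits.append(_hit("defender_exclusion_via_powershell", i, cmd))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if target.lower().startswith(WINLOGON_KEY.lower() + "\\"):
                name = target.rsplit("\\", 1)[1].lower()
                default = WINLOGON_DEFAULTS.get(name)
                # Only a value that differs from the stock one is persistence;
                # a write that restores the default is left alone.
                if default is not None and details.strip().rstrip(",").lower() != default:
                    hits.append(_hit("winlogon_persistence", i, f"{name}={details}"))
            elif ACTIVE_SETUP_RE.search(target) and USER_WRITABLE_RE.search(details):
                # Windows components write StubPath values too; a stub living in a
                # user-writable directory is what separates malware from setup.
                hits.append(_hit("active_setup_persistence", i, details))
        elif eid in (3, 22):
            host = ev.get("DestinationHostname") or ev.get("QueryName") or ""
            if NGROK_TCP_RE.match(host):
                hits.append(_hit("ngrok_tcp_tunnel", i, host))
            if host.lower() == IOC_C2_HOST:
                hits.append(_hit("known_c2_host", i, host))
    return hits


# Constructed events (hypothetical paths and GUIDs), not from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\Client.exe",
     "CommandLine": "Client.exe",
     "Hashes": "SHA256=8A032AA8EBA9F5F0727F26EC74CA3DFF029955AE6BE9C1E7B7A7A84C41820910"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\Client.exe",
     "TargetObject": WINLOGON_KEY + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\Client.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": WINLOGON_KEY + r"\Shell", "Details": "explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\Client.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{4D2C8A10-7E61-4B5A-9C3F-1A2B3C4D5E6F}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\Client.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\ie4uinit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath",
     "Details": r"C:\Windows\System32\ie4uinit.exe -UserConfig"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming"'},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Roaming\Client.exe",
     "QueryName": "6.tcp.eu.ngrok.io"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"[{h['rule']}] event {h['event']}: {h['evidence']}")
```

The Winlogon rule compares against the stock `Shell` and `Userinit` values so that a write restoring the default does not fire, and the Active Setup rule only fires when the StubPath points into a user-writable location, since Windows components (ie4uinit in the constructed data) write that key legitimately. The ngrok rule will also fire on developers who tunnel legitimately; the exact-host `known_c2_host` match is the one tied to this sample.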

MITRE ATT&CK Enterprise v15

Tasks