Resubmissions

05-09-2024 13:44

240905-q16deasbkr 10

02-09-2024 17:59

240902-wk51lavbpn 10

General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240902-wk51lavbpn

  • MD5

    ff04efb632b00fdd46fd3fe992ea8a37

  • SHA1

    8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7

  • SHA256

    dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5

  • SHA512

    a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a

  • SSDEEP

    3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

6.tcp.eu.ngrok.io:13114

Mutex

rLGiSBuYa

Targets

    • Target

      Client.exe

    • Size

      158KB

    • MD5

      ff04efb632b00fdd46fd3fe992ea8a37

    • SHA1

      8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7

    • SHA256

      dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5

    • SHA512

      a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a

    • SSDEEP

      3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks