General
-
Target
Client.exe
-
Size
158KB
-
Sample
240902-wk51lavbpn
-
MD5
ff04efb632b00fdd46fd3fe992ea8a37
-
SHA1
8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7
-
SHA256
dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5
-
SHA512
a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a
-
SSDEEP
3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
arrowrat
Client
6.tcp.eu.ngrok.io:13114
rLGiSBuYa
Targets
-
-
Target
Client.exe
-
Size
158KB
-
MD5
ff04efb632b00fdd46fd3fe992ea8a37
-
SHA1
8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7
-
SHA256
dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5
-
SHA512
a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a
-
SSDEEP
3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18
-
Modifies WinLogon for persistence
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1