Resubmissions

05-09-2024 13:44

240905-q16deasbkr 10

02-09-2024 17:59

240902-wk51lavbpn 10

General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    240905-q16deasbkr

  • MD5

    ff04efb632b00fdd46fd3fe992ea8a37

  • SHA1

    8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7

  • SHA256

    dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5

  • SHA512

    a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a

  • SSDEEP

    3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18

Malware Config

Extracted

  • Family

    arrowrat

  • Botnet

    Client

  • C2

    6.tcp.eu.ngrok.io:13114

  • Mutex

    rLGiSBuYa

Targets

    • Target

      Client.exe

    • Size

      158KB

    • MD5

      ff04efb632b00fdd46fd3fe992ea8a37

    • SHA1

      8a6f3fd785ac3d78e8de79656a9fa8f0c9527fb7

    • SHA256

      dee58e8a247eab9726675a03ddc8485c66a204d7b9f2211d8fea89729d45e7a5

    • SHA512

      a5747653fcaa76aea2cf7bc601b87e583c37f9fa34e399f30d4eaa816655b04c1ec14807477ddb965d6f276e4023560618550d124483e9608585fcbf392dde5a

    • SSDEEP

      3072:qbzGH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPTKO8Y:qbzGe0ODhTEPgnjuIJzo+PPcfPT18

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks