General
Target: Client.exe
Size: 158KB
Sample: 241118-qshx5sxdpb
MD5: 16a66efc62e16195848483277f81cb3b
SHA1: 5b3b70e9df9b025576386abfa9ed7c342e8d7a46
SHA256: e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6
SHA512: 87d682acb2b44506711e4758762e16c3f29101c5a20c1b144ff2c337c37a82f8bd0bbf13c65bb1e5e2423bcf3f042cd9d114256846aeb5c8e66119b64d6d1393
SSDEEP: 3072:gbzxH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPMiO8Y:gbzxe0ODhTEPgnjuIJzo+PPcfPMd8
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: Client.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: arrowrat
Pf030dc1ckld12od3
192.168.1.46:1337
QplfyCtwT
Targets
Target: Client.exe (same sample and hashes as listed under General)
Signatures:
- Arrowrat family
- Modifies WinLogon for persistence
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)