MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArrowRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 12 File information Comments

SHA256 hash:	020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9
SHA3-384 hash:	43d32406ca50db2cb495caa2cba86700708288f7dcafbc0766378c337000a271fc80b33b1db2bdb943bc9d975843d4c7
SHA1 hash:	88843937e92ad048813a6f1d1d528c047c5363c2
MD5 hash:	82983c1da882225b9312367ee4f38e3d
humanhash:	mockingbird-zulu-ink-illinois
File name:	020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9
Download:	download sample
Signature	ArrowRAT Create hunting rule
File size:	708'608 bytes
First seen:	2025-06-11 12:40:59 UTC
Last seen:	2025-06-11 12:50:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	436f7e4bc6bece183fb5bacd9f2ff7d3 (1 x njrat, 1 x Arechclient2, 1 x Healer)
ssdeep	12288:Nl/0DUI24ptpaBiVEQpbbG684HFDr0G20oU/2CdP9FtjwAo:YoI24ptpnFR668C7oUR9Fi
Threatray	492 similar samples on MalwareBazaar
TLSH	T12EE423EE9B530525C6B0B6B260F717F867F878B75E1A0153384F860E4F9074DE70AA86
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4504/4/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	ArrowRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

454

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9

Verdict:

No threats detected

Analysis date:

2025-06-11 13:46:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0599f319-d958-4448-8a44-59d15f52b8c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DLAgent10

Link:

https://www.capesandbox.com/analysis/8975/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-12

PUA.Win.Packer.EnigmaProtector-5

PUA.Win.Packer.EnigmaProtector-1

SecuriteInfo.com.Trojan.Inject5.24863.22817.26011.UNOFFICIAL

PUA.Win.Packer.EnigmaProtector-9852682-0

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684979788bd5d68a12e7b492

Tags:

enigmaprotector delphi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file

Searching for the window

Forced system process termination

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Symmi.Generic

Link:

https://www.hybrid-analysis.com/sample/020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9

Malware family:

Icarus Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e264538-bf5c-48a9-9026-fca6d4d2ff50

Result

Threat name:

ArrowRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1712267

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Sigma detected: Explorer NOUACCHECK Flag

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected ArrowRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9/

Threat name:

Win32.Trojan.Symmi

Status:

Malicious

First seen:

2025-04-26 10:46:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aiefpk72qnxxae6qdb5sbgbozfjqs6rjl56hap4gevf3ch7ko64q._file

Verdict:

malicious

Label(s):

arrowrat

ArrowRAT

1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1

ArrowRAT

d1c8da230e62c1bae3b69154d4e2befac79a63574181e4f80cabd05e3b9f782d

ArrowRAT

d47a220f4dac6bc8a1f0e7afb71f1201838cdf132fc79d04b1ae63122b42d27c

ArrowRAT

d7d7a968b030fc13462423b2c45489cbc83d865914a4cd1ace2210e5487ffab5

ArrowRAT

error

ArrowRAT

ff889cb550a51a8316374ec14a32a756bc62706eae1f087c5daac746a42f2a8b

ArrowRAT

+ 482 additional samples on MalwareBazaar

Result

Malware family:

arrowrat

Score:

10/10

Tags:

family:arrowrat botnet:client discovery persistence rat

Link:

https://tria.ge/reports/250611-pwy8vsgl4z/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates connected drives

Boot or Logon Autostart Execution: Active Setup

ArrowRat

Arrowrat family

Malware Config

C2 Extraction:

46.39.253.217:1177

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5cb3e237-7fa9-4b65-a5dd-d2bbc0b2539b

Unpacked files

SH256 hash:

020857abfa836f7013d0187b20982ec953097a295f7c703f86254bb11fea77b9

MD5 hash:

82983c1da882225b9312367ee4f38e3d

SHA1 hash:

88843937e92ad048813a6f1d1d528c047c5363c2

Link:

https://www.unpac.me/results/8b163c0f-2c55-4b73-be6d-a33b3f402421/

SH256 hash:

dde41bb606694af7eb71ec040f2ce190e42003c171ff7857ff91a604f80e0a63

MD5 hash:

09b4453e949670c5713f880bb5058792

SHA1 hash:

1febd0837731e24dd42641d0e6a9ec5e6b96af16

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

INDICATOR_SUSPICIOUS_Binary_References_Browsers

MALWARE_Win_DLAgent10

Link:

https://www.unpac.me/results/8b163c0f-2c55-4b73-be6d-a33b3f402421/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/020857abfa83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	EnigmaProtector11X13XSukhovVladimirSergeNMarkin Create hunting rule
Author:	malware-lu

Rule name:	EnigmaProtector1XSukhovVladimirSergeNMarkin Create hunting rule
Author:	malware-lu

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Runtime_Broker_Variant_1 Create hunting rule
Author:	Sn0wFr0$t
Description:	Detecting malicious Runtime Broker

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/8975/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (NX_COMPAT)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteA
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA
WIN_BASE_IO_API	Can Create Files	version.dll::GetFileVersionInfoA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample