MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArrowRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee
SHA3-384 hash: ad400f2faa0a3c5560e8fa5e9d76ace28145d964388b8d8c1b83ef23430fa0df7a86bd1c44b165e1731de48f4926fdb6
SHA1 hash: 78e65ca4aef33eea338a2972f19679552cb7c701
MD5 hash: 6082510f97c65c06f1d21809efa9d040
humanhash: red-happy-purple-island
File name:6082510f97c65c06f1d21809efa9d040
Download: download sample
Signature ArrowRAT
Create hunting rule
File size:28'672 bytes
First seen:2022-01-19 20:45:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:heqX/79Z4TCXfVsNuRVbpLchtszwBRUgT6TtQ0nt:hBX/zlsNuRVbWawBKgT6TtQK
Threatray 414 similar samples on MalwareBazaar
TLSH T1C0D2AF0677999751C8AD8BB6C4F7E27003F8D642B563CE1F68262BE26C133999F81F50
File icon (PE):PE icon
dhash icon 78e6d9d8c3c4c0c2 (1 x ArrowRAT)
Reporter zbetcheckin
Tags:32 ArrowRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6082510f97c65c06f1d21809efa9d040
Verdict:
Malicious activity
Analysis date:
2022-01-20 01:28:44 UTC
Tags:
trojan firebird rat stealer
Link:
https://app.any.run/tasks/b7a426f2-2af1-49e6-815f-de8b8d57ff80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/220806/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.12165.32014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61e87896d32385db630a8ac5/reports/4e03c1dc-7c10-4baf-aa8f-1b9f7c67c0a1/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70feabb6-e620-4164-b375-c87dfcbad09d
Result
Threat name:
ArrowRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923863
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected ArrowRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 556341 Sample: V5dn32NKTC Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 7 other signatures 2->81 8 V5dn32NKTC.exe 16 7 2->8         started        13 winobj.exe 14 3 2->13         started        15 winobj.exe 2->15         started        17 explorer.exe 5 4 2->17         started        process3 dnsIp4 57 82.146.63.54, 49790, 80 THEFIRST-ASRU Russian Federation 8->57 59 new-fp-shed.wg1.b.yahoo.com 87.248.100.215, 443, 49757, 49761 YAHOO-IRDGB United Kingdom 8->59 65 8 other IPs or domains 8->65 51 C:\Users\user\AppData\Roaming\...\winobj.exe, PE32 8->51 dropped 53 C:\Users\user\...\winobj.exe:Zone.Identifier, ASCII 8->53 dropped 55 C:\Users\user\AppData\...\V5dn32NKTC.exe.log, ASCII 8->55 dropped 91 Injects a PE file into a foreign processes 8->91 19 V5dn32NKTC.exe 1 2 8->19         started        23 cmd.exe 1 8->23         started        61 74.6.143.25 YAHOO-3US United States 13->61 67 2 other IPs or domains 13->67 93 Multi AV Scanner detection for dropped file 13->93 95 Machine Learning detection for dropped file 13->95 25 cmd.exe 13->25         started        63 87.248.100.214 YAHOO-IRDGB United Kingdom 15->63 69 2 other IPs or domains 15->69 27 cmd.exe 15->27         started        file5 signatures6 process7 file8 49 C:\Users\user\AppData\Local\...\pDoHiqMLp.exe, PE32 19->49 dropped 83 Creates an undocumented autostart registry key 19->83 85 Writes to foreign memory regions 19->85 87 Allocates memory in foreign processes 19->87 89 Injects a PE file into a foreign processes 19->89 29 cvtres.exe 14 6 19->29         started        33 explorer.exe 19->33         started        35 conhost.exe 23->35         started        37 timeout.exe 1 23->37         started        39 conhost.exe 25->39         started        41 timeout.exe 25->41         started        43 conhost.exe 27->43         started        45 timeout.exe 27->45         started        signatures9 process10 dnsIp11 71 188.119.112.140, 1338, 49834 SERVERIUS-ASNL Russian Federation 29->71 73 51.254.27.112, 1337, 49839 OVHFR France 29->73 97 Tries to harvest and steal browser information (history, passwords, etc) 29->97 47 conhost.exe 29->47         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee/
Threat name:
ByteCode-MSIL.Ransomware.PolyRansom
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 20:46:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
ArrowRAT
1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
ArrowRAT
28d0ac2b1be7545097b6594c9fa467345214473dc91ea83b245735894e47cb61
ArrowRAT
898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a
ArrowRAT
9a498a01595504b0d2afc00ce9ebf2c3e7ce6d557fef89cf9d99759ee032d921
ArrowRAT
b9a1c2a5ed66d7d8acf7c41a44fd0534cecf86a8e673e389a4e5b01c79d29c36
ArrowRAT
fd463d6ccf33883236cae97f301cfb62e9844a73c885d58f22ebcd3ecc18dcfe
ArrowRAT
+ 404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220119-zkb93adbb3/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee
MD5 hash:
6082510f97c65c06f1d21809efa9d040
SHA1 hash:
78e65ca4aef33eea338a2972f19679552cb7c701
Link:
https://www.unpac.me/results/1dda0ab5-413d-4bb9-9484-79c4695e1638/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2fb8100d4fb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArrowRAT

Executable exe 2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1990349/
Cape
Cape
https://www.capesandbox.com/analysis/220806/

Comments


Avatar
zbet commented on 2022-01-19 20:45:12 UTC

url : hxxp://45.144.225.57/USA/oranges500us.exe