MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArrowRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 17 File information Comments

SHA256 hash:	465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a
SHA3-384 hash:	7ecf142d44a8ff9279b84e8774ed9a00d1f86942c019a7c41abc4dd37650356ea16349c8cd059c706f1ed6f71707e722
SHA1 hash:	ae48033129db1264a8eaee2b99912167e06f762d
MD5 hash:	227e258aadd4b009ad8587098bcd4074
humanhash:	east-pasta-texas-pennsylvania
File name:	465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a
Download:	download sample
Signature	ArrowRAT Create hunting rule
File size:	2'777'600 bytes
First seen:	2025-05-28 06:29:57 UTC
Last seen:	2025-05-28 11:56:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	49152:K4wxEJ/2Cl0RuRVoDPqH7w3IwAypQx7g1Y3paSwJAaDlvfb3D:K4wxEJ/2C2RYeOUgypS7l3paSmAMlHbz
TLSH	T116D5224463F88D11E2BF4BB1AD701009CBB2F207CE8BE74E9C4991E91AEA791ED54753
TrID	43.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 25.7% (.EXE) InstallShield setup (43053/19/16) 9.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 6.2% (.EXE) Win64 Executable (generic) (10522/11/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	147-124-223-218 ArrowRAT exe MSIL-Spy-Agent-ESY qatar-uhdengine-com QatarC

Intelligence

File Origin

# of uploads :

# of downloads :

557

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a

Verdict:

Malicious activity

Analysis date:

2025-05-28 06:33:08 UTC

Tags:

discordgrabber generic stealer celestialrat rat evasion

Link:

https://app.any.run/tasks/71df9ff4-30d6-44af-befb-0ae8a1668432

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ArrowRAT

Link:

https://www.capesandbox.com/analysis/5966/

Detection(s):

Win.Packed.AsyncRAT-9938103-1

Win.Packed.Msilperseus-9956592-0

Win.Packed.Msilmamut-10007182-0

Win.Dropper.LokiBot-10010685-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6836af6bacf88f5815e7d339

Tags:

dropper packed micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Blocking the Windows Defender launch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 cmd cmstp evasive explorer fingerprint hacktool lolbin obfuscated packed packed packer_detected reconnaissance rundll32 runonce schtasks stealer telegram vbnet wscript

Link:

https://www.filescan.io/uploads/6836addcfd02ed5e058bc947/reports/e7fcfc1c-0ad7-4dd9-a1c2-fac1632f63c1/overview

Verdict:

Malicious

Labled as:

MSIL.PasswordStealerA.Generic

Link:

https://www.hybrid-analysis.com/sample/465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a

Malware family:

Sharp Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d9192d3-bacd-4fcd-b9ef-a5d7bb379292

Result

Threat name:

QatarC

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1700448

Signature

.NET source code contains potential unpacker

Contains functionality to disable the Task Manager (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses threadpools to delay analysis

Yara detected Costura Assembly Loader

Yara detected QatarCRAT

Yara detected Telegram Recon

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a/

Threat name:

ByteCode-MSIL.Trojan.CelestialCStealer

Status:

Malicious

First seen:

2025-05-28 04:31:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=izpjf325ymemxwhnphkqhyfhoaxn3upctbtcxsdjlsxwxi4doufa._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery evasion trojan

Link:

https://tria.ge/reports/250528-g9y61stnv8/

Behaviour

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Modifies Windows Defender DisableAntiSpyware settings

Verdict:

Malicious

Tags:

rat arrowrat Win.Packed.AsyncRAT-9938103-1

YARA:

MALWARE_Win_ArrowRAT

Link:

https://app.threat.zone/submission/18893cdd-60d6-40ba-ab57-65f1c083cde6

Unpacked files

SH256 hash:

465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a

MD5 hash:

227e258aadd4b009ad8587098bcd4074

SHA1 hash:

ae48033129db1264a8eaee2b99912167e06f762d

Detections:

win_lumma_a0

Link:

https://www.unpac.me/results/1bee7768-4fc3-453e-abf2-a066542daa01/

SH256 hash:

650f757e133cd6fc030977c4f847aeaa36eb554ba1848a291f30e4ff0ff63b8d

MD5 hash:

6bdd50f6716d0519413d840a55cd6a43

SHA1 hash:

05456650b761058aa10200e2ec6b3e97297c136d

Link:

https://www.unpac.me/results/1bee7768-4fc3-453e-abf2-a066542daa01/

Malware family:

DCRat

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/465e92ef5dc3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Rule name:	MALWARE_Win_ArrowRAT Create hunting rule
Author:	ditekSHen
Description:	Detects ArrowRAT

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/5966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample