MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArrowRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5
SHA3-384 hash: 5ebb91bcaae9e95279aa3399102d447c6ff157c86709c12e7a82adfdbf838d4d97a541533a389c707c65fb53f0b33f07
SHA1 hash: 18ff7a2ec479855e65ba2a83deeb917abed16ff9
MD5 hash: e41f3d5033575c4f4cf2acd0d1d0624d
humanhash: diet-ohio-six-kansas
File name:Jikte.exe
Download: download sample
Signature ArrowRAT
Create hunting rule
File size:17'920 bytes
First seen:2022-02-09 18:56:14 UTC
Last seen:2022-02-09 21:11:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:eBAiyJNFVJU14KU6nX2D+bFQkNubvg+4OXEW46njPHoWWDDDDDDDDDDN:iGFwWp6nnb+/XjDjYDDDDDDDDDDN
Threatray 5'192 similar samples on MalwareBazaar
TLSH T1E1823AB46F9E8635D76E0A7DBCA7CB901630FA49CCE2570FB444350AEC72E42CE95A50
File icon (PE):PE icon
dhash icon 424a5ededededa40 (1 x NanoCore, 1 x ArrowRAT, 1 x QuasarRAT)
Reporter pr0xylife
Tags:ArrowRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239814/
Detection(s):
SecuriteInfo.com.MSIL.TrojanDownloader.Agent.KJC.31395.32646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62040e8636f9921918327172/reports/b15ad713-2ffa-42e9-9a6e-46d61ec9c1cf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ab824ce7-2e1e-41d3-a46e-f3360c68a9f5
Result
Threat name:
ArrowRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937183
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected ArrowRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 569659 Sample: Jikte.exe Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 61 limanlimanlawyers.com 2->61 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 Yara detected ArrowRAT 2->81 83 9 other signatures 2->83 9 Jikte.exe 16 7 2->9         started        14 Test.exe 2->14         started        16 Test.exe 2->16         started        signatures3 process4 dnsIp5 63 limanlimanlawyers.com 23.94.150.194, 443, 49760, 49844 AS-COLOCROSSINGUS United States 9->63 55 C:\Users\user\AppData\Roaming\Demo\Test.exe, PE32 9->55 dropped 57 C:\Users\user\...\Test.exe:Zone.Identifier, ASCII 9->57 dropped 59 C:\Users\user\AppData\Local\...\Jikte.exe.log, ASCII 9->59 dropped 85 Encrypted powershell cmdline option found 9->85 87 Writes to foreign memory regions 9->87 89 Allocates memory in foreign processes 9->89 91 Injects a PE file into a foreign processes 9->91 18 MSBuild.exe 2 9->18         started        21 powershell.exe 9 9->21         started        23 MSBuild.exe 9->23         started        93 Multi AV Scanner detection for dropped file 14->93 95 Machine Learning detection for dropped file 14->95 25 powershell.exe 14->25         started        27 powershell.exe 16->27         started        file6 signatures7 process8 signatures9 71 Writes to foreign memory regions 18->71 73 Allocates memory in foreign processes 18->73 75 Injects a PE file into a foreign processes 18->75 29 cvtres.exe 18->29         started        33 explorer.exe 2 129 18->33         started        35 cmd.exe 1 21->35         started        37 conhost.exe 21->37         started        39 cmd.exe 25->39         started        41 conhost.exe 25->41         started        43 cmd.exe 27->43         started        45 conhost.exe 27->45         started        process10 dnsIp11 65 vncnew1984.duckdns.org 194.5.98.12, 1984, 49822 DANILENKODE Netherlands 29->65 67 51.254.27.112, 1337, 49829 OVHFR France 29->67 97 Tries to harvest and steal browser information (history, passwords, etc) 29->97 47 conhost.exe 29->47         started        69 192.168.2.1 unknown unknown 33->69 49 timeout.exe 1 35->49         started        51 timeout.exe 39->51         started        53 timeout.exe 43->53         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 18:57:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
ArrowRAT
2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee
ArrowRAT
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1
ArrowRAT
898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a
ArrowRAT
9a498a01595504b0d2afc00ce9ebf2c3e7ce6d557fef89cf9d99759ee032d921
ArrowRAT
b9a1c2a5ed66d7d8acf7c41a44fd0534cecf86a8e673e389a4e5b01c79d29c36
ArrowRAT
fd463d6ccf33883236cae97f301cfb62e9844a73c885d58f22ebcd3ecc18dcfe
ArrowRAT
+ 5'182 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220209-xlxlaabbg9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Modifies Installed Components in the registry
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5
MD5 hash:
e41f3d5033575c4f4cf2acd0d1d0624d
SHA1 hash:
18ff7a2ec479855e65ba2a83deeb917abed16ff9
Link:
https://www.unpac.me/results/a2e9f093-67d3-45e4-88c0-0d1df1a8914b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4c4d844ace41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/239814/

Comments