MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArrowRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 17 File information Comments

SHA256 hash:	97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77
SHA3-384 hash:	1140603cce513745335168a776a63dfbfd512c43d1f717eb5cb8a8b783b76a82af382b914ca0861b31ad149154a88ca3
SHA1 hash:	c2d4cace269ec64b5c184445b76ba7adfa572c92
MD5 hash:	cc1c78b44bbc2ffe0308d077a5280f37
humanhash:	charlie-pasta-pennsylvania-venus
File name:	97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77
Download:	download sample
Signature	ArrowRAT Create hunting rule
File size:	162'304 bytes
First seen:	2025-06-13 05:11:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:Tbz6H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPi1O8Y:Tbz6e0ODhTEPgnjuIJzo+PPcfPiY8
Threatray	26 similar samples on MalwareBazaar
TLSH	T1B2F36D243AFA5029F173AF765FE47596CA2FB7733B07A85D2050038A4B23A81DDD153A
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	ArrowRAT exe psedrfjygyugyufyt-duckdns-org

Intelligence

File Origin

# of uploads :

# of downloads :

456

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77

Verdict:

Malicious activity

Analysis date:

2025-06-13 05:14:22 UTC

Tags:

uac stealer arrowrat rat api-base64

Link:

https://app.any.run/tasks/ba55bdc1-3629-46de-b7ac-38dc0bdbb0ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ArrowRAT

Link:

https://www.capesandbox.com/analysis/9252/

Detection(s):

Win.Packed.Injectorx-9916498-0

Win.Keylogger.Marsilia-10040488-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684bb3068bd5d68a12e85dc5

Tags:

shell virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a process with a hidden window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a window

Forced system process termination

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Reading critical registry keys

DNS request

Using the Windows Management Instrumentation requests

Connection attempt

Setting a global event handler for the keyboard

Enabling autorun with the shell\open\command registry branches

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

MSIL.Krypt.Generic

Link:

https://www.hybrid-analysis.com/sample/97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77

Malware family:

Evilnum

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1831ee24-a401-48d4-ab08-8183100ffba4

Result

Threat name:

ArrowRAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1713809

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Custom File Open Handler Executes PowerShell

Sigma detected: Explorer NOUACCHECK Flag

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

UAC bypass detected (Fodhelper)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected ArrowRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77/

Threat name:

ByteCode-MSIL.Backdoor.Xhvnc

Status:

Malicious

First seen:

2025-06-13 05:11:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

32 of 38 (84.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s7t6ljxs3ke3pc43jniyu56gtranz7qp5wrzsfejeh7dcrotnv3q._file

Verdict:

malicious

Label(s):

arrowrat

ArrowRAT

040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51

ArrowRAT

083a768ec4dfeec0b5d0e4320979ab0fede45e53aa4971846a6878912664e47a

ArrowRAT

0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335

ArrowRAT

0ad5cab14a21c9e0876221f78e9061ca3c2f8712f09c4a49699575de7722e0b3

ArrowRAT

0d765dc413009ddb31ab0685ee4eb1a1dd9e68d415c0f75df36fd08c195bc216

ArrowRAT

21994949d4df4bdbe5834379c2f7f023c8fa20eb1bdd7a5756f651fe2ff91ae7

ArrowRAT

79ec7c271adcd148064e5324c66d8ea9c1eefd81c44bde7c9ca754f4fb9d80b3

ArrowRAT

+ 16 additional samples on MalwareBazaar

Result

Malware family:

arrowrat

Score:

10/10

Tags:

family:arrowrat botnet:og discovery execution persistence rat

Link:

https://tria.ge/reports/250613-fvfwfsar91/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Enumerates connected drives

Checks computer location settings

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

ArrowRat

Arrowrat family

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

psedrfjygyugyufyt.duckdns.org:1337

Verdict:

Malicious

Tags:

rat arrowrat Win.Packed.Injectorx-9916498-0

YARA:

MALWARE_Win_ArrowRAT

Link:

https://app.threat.zone/submission/afd0a05d-2fd0-4596-a948-7fe3a49ef02d

Unpacked files

SH256 hash:

97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77

MD5 hash:

cc1c78b44bbc2ffe0308d077a5280f37

SHA1 hash:

c2d4cace269ec64b5c184445b76ba7adfa572c92

Link:

https://www.unpac.me/results/ab3c31da-a856-4409-95d7-e9b82655acc5/

SH256 hash:

65af41452cb1eb8e98cbd4238ccff79bd619d2453ce2e2eaa31620b0b83077be

MD5 hash:

5bb9bba5beeacaef4c481c6813932490

SHA1 hash:

402574cf96c8d17701944f03e36d9d80ab367907

Detections:

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

MALWARE_Win_DLAgent10

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/ab3c31da-a856-4409-95d7-e9b82655acc5/

Parent samples :

a73f67009d77906b2dfee216b4e7cb940eef13304c22e909b65cd2834e291b1a
040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51
083a768ec4dfeec0b5d0e4320979ab0fede45e53aa4971846a6878912664e47a
0a53456ad2ce6a20c459e38a8fb0be2751c7543a0d8a47f52bb48a8b6d24d335
0d765dc413009ddb31ab0685ee4eb1a1dd9e68d415c0f75df36fd08c195bc216
79ec7c271adcd148064e5324c66d8ea9c1eefd81c44bde7c9ca754f4fb9d80b3
21994949d4df4bdbe5834379c2f7f023c8fa20eb1bdd7a5756f651fe2ff91ae7
97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77
fb7e10845d0ebac00b55f38a29e141c689a33cae3719eefb26fbb572b39aa3a4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97e7e5a6f2da89b78b9b4b518a77c69c40dcfe0feda399148921fe3145d36d77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	growtopia Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked growtopia stealer malware samples.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_ArrowRAT Create hunting rule
Author:	ditekSHen
Description:	Detects ArrowRAT

Rule name:	MALWARE_Win_DLAgent10 Create hunting rule
Author:	ditekSHen
Description:	Detects known downloader agent

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Runtime_Broker_Variant_1 Create hunting rule
Author:	Sn0wFr0$t
Description:	Detecting malicious Runtime Broker

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Generic_Threat_21253888 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/9252/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample