MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArrowRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
SHA3-384 hash: 1c04e1c4568d3ed7ea3cf54b65969d67e9c376585812bc58fdacd9dca8e9a8b8641361ab8b66181ad9359bf279587ff1
SHA1 hash: 2c79a1203c135aa1a7d5fbed566c94983278b40c
MD5 hash: e08805d6085d6402dcaeb253e4375a09
humanhash: arkansas-oven-vegan-march
File name:Emiditor.exe
Download: download sample
Signature ArrowRAT
Create hunting rule
File size:8'529'584 bytes
First seen:2022-11-27 18:23:20 UTC
Last seen:2022-11-27 19:33:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep 98304:iFBz9bmxmtOfP7TI/OKIdSOwSmGrjvvLYq5dkcDNckgHDJHZt:qBzQxmtOfzsWKgwS1jvvH5uFHn
Threatray 49 similar samples on MalwareBazaar
TLSH T139861AF232C1768EC156C0BAC712F97E8A8FBD724625A4E3E454B2369D37C80791AF45
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter SquiblydooBlog
Tags:ArrowRAT exe


Avatar
SquiblydooBlog
Packaged with Vidar; downloaded off of Discord CDN: https://cdn.discordapp.com/attachments/1039892370289860653/1040379101652992090/Emiditor.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Emiditor.exe
Verdict:
No threats detected
Analysis date:
2022-11-27 18:26:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01201b39-ab82-4ad8-9a51-3f6873b8bf51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339128/
Detection(s):
SecuriteInfo.com.Variant.Lazy.263438.8142.3382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Launching a process
Creating a file
Сreating synchronization primitives
Creating a process with a hidden window
Creating a window
Forced system process termination
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed quasarrat
Link:
https://www.filescan.io/uploads/6383ab455be128ac718f26f1/reports/9291bec0-f3db-471a-89a2-a4ffce6bb349/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4689718-b9b0-4dad-8f8f-bb592fb06ecd
Result
Threat name:
ArrowRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122025
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected ArrowRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754742 Sample: Emiditor.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for domain / URL 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 10 other signatures 2->39 8 Emiditor.exe 1 1 2->8         started        12 Emiditor.exe 2->12         started        14 Emiditor.exe 2->14         started        16 explorer.exe 5 4 2->16         started        process3 file4 29 C:\Users\user\AppData\...miditor.exe.log, CSV 8->29 dropped 49 Detected unpacking (changes PE section rights) 8->49 51 Query firmware table information (likely to detect VMs) 8->51 53 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->53 59 3 other signatures 8->59 18 CasPol.exe 4 8->18         started        55 Hides threads from debuggers 12->55 57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->57 signatures5 process6 signatures7 41 Writes to foreign memory regions 18->41 43 Allocates memory in foreign processes 18->43 45 Injects a PE file into a foreign processes 18->45 21 cvtres.exe 4 18->21         started        25 explorer.exe 18->25         started        process8 dnsIp9 31 65.108.204.97, 1337, 49700, 49701 ALABANZA-BALTUS United States 21->31 47 Tries to harvest and steal browser information (history, passwords, etc) 21->47 27 conhost.exe 21->27         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e/
Threat name:
Win64.Backdoor.QuasarRAT
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 20:47:56 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvmucpcd25vwp2fqndeefifgcwye23lippugbymnugw4ipp6lnpa._file
Verdict:
malicious
Similar samples:
54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e
ArrowRAT
5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94
ArrowRAT
76594bfde86ba22d8decd126752d700a9567551aff57ff9c85f1cc53b5b51ba5
ArrowRAT
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
ArrowRAT
98980b5d5796c559c08ea5b20a4a459048087758b1149767af47788ea3388fdd
ArrowRAT
99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd
ArrowRAT
a1f85be67018434f06e910c13c4833aae7689793a7ce80a70ca5028877e9f40e
ArrowRAT
e1689f695b580c88f6b58274cfed905541749bd86f9f3cd95b70ae22387313ca
ArrowRAT
+ 39 additional samples on MalwareBazaar
Result
Malware family:
arrowrat
Create hunting rule
Score:
  10/10
Tags:
family:arrowrat botnet:client evasion persistence rat themida trojan
Link:
https://tria.ge/reports/221127-w12ccahc87/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Themida packer
Modifies Installed Components in the registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
ArrowRat
Malware Config
C2 Extraction:
65.108.204.97:1337
Gathering data
Unpacked files
SH256 hash:
b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
MD5 hash:
e08805d6085d6402dcaeb253e4375a09
SHA1 hash:
2c79a1203c135aa1a7d5fbed566c94983278b40c
Link:
https://www.unpac.me/results/3dde3419-f134-49b7-8205-6e502e722075/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/221127-wtfgascd7s/behavioral2
  
URLhaus
https://cdn.discordapp.com/attachments/1039892370289860653/1040379101652992090/Emiditor.exe
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2434978/
Cape
Cape
https://www.capesandbox.com/analysis/339128/

Comments