arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4 | Triage

Submit
Reports

Overview

overview

Static

static

winprofile

windows7-x64

winprofile

windows10-1703-x64

Sharing

General

Target

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
Size

18.4MB
Sample

221111-17ybgseh8s
MD5

464502cbaae7b9ed1cd6da844d38ba86
SHA1

30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512

e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP

98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe

Resource

win7-20220812-en

arrowrat redline @noxycloud client infostealer persistence rat spyware

windows7-x64

21 signatures

300 seconds

Behavioral task

behavioral2

Sample

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe

Resource

win10-20220901-en

arrowrat redline @noxycloud client infostealer persistence rat spyware

windows10-1703-x64

26 signatures

300 seconds

Malware Config

Extracted

Family

redline

Botnet

@NoxyCloud

C2

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Extracted

Family

arrowrat

Botnet

Client

C2

213.239.219.58:1337

Mutex

nPxRArUjc

Targets

- Target
  
  6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
- Size
  
  18.4MB
- MD5
  
  464502cbaae7b9ed1cd6da844d38ba86
- SHA1
  
  30dd42539cbfad04564f9db45ca40f2b9e81546c
- SHA256
  
  6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
- SHA512
  
  e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
- SSDEEP
  
  98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU
Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat spyware
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

arrowratredline@noxycloudclientinfostealerpersistenceratspyware

behavioral2

arrowratredline@noxycloudclientinfostealerpersistenceratspyware

© 2018-2024

Terms | Privacy