arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

18.4MB
Sample

221111-yxrd3sbb59
MD5

464502cbaae7b9ed1cd6da844d38ba86
SHA1

30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512

e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP

98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220812-en

arrowrat redline @noxycloud client infostealer rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220901-en

arrowrat redline @noxycloud client infostealer persistence rat

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@NoxyCloud

C2

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Extracted

Family

arrowrat

Botnet

Client

C2

213.239.219.58:1337

Mutex

nPxRArUjc

Targets

- Target
  
  tmp
- Size
  
  18.4MB
- MD5
  
  464502cbaae7b9ed1cd6da844d38ba86
- SHA1
  
  30dd42539cbfad04564f9db45ca40f2b9e81546c
- SHA256
  
  6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
- SHA512
  
  e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
- SSDEEP
  
  98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU
Score

10^/10

arrowrat redline @noxycloud client infostealer rat persistence
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratredline@noxycloudclientinfostealerrat

behavioral2

arrowratredline@noxycloudclientinfostealerpersistencerat

© 2018-2025

Terms | Privacy