arrowrat | b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

Emiditor.exe

windows7-x64

9

Emiditor.exe

windows10-2004-x64

Sharing

General

Target

Emiditor.exe
Size

8.1MB
Sample

221127-w12ccahc87
MD5

e08805d6085d6402dcaeb253e4375a09
SHA1

2c79a1203c135aa1a7d5fbed566c94983278b40c
SHA256

b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
SHA512

517d723f46c11a10eb303d655ffca77b1bc3f863450208e659cfea70276f15a7d921d52c04597d035faebb7278e66ff55bbb45b451568f11bc176650bd149db9
SSDEEP

98304:iFBz9bmxmtOfP7TI/OKIdSOwSmGrjvvLYq5dkcDNckgHDJHZt:qBzQxmtOfzsWKgwS1jvvH5uFHn

Score

10^/10

arrowrat client evasion persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Emiditor.exe

Resource

win7-20220812-en

evasion themida trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Emiditor.exe

Resource

win10v2004-20221111-en

arrowrat client evasion persistence rat themida trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

65.108.204.97:1337

Mutex

PreIzXewwN

Targets

- Target
  
  Emiditor.exe
- Size
  
  8.1MB
- MD5
  
  e08805d6085d6402dcaeb253e4375a09
- SHA1
  
  2c79a1203c135aa1a7d5fbed566c94983278b40c
- SHA256
  
  b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
- SHA512
  
  517d723f46c11a10eb303d655ffca77b1bc3f863450208e659cfea70276f15a7d921d52c04597d035faebb7278e66ff55bbb45b451568f11bc176650bd149db9
- SSDEEP
  
  98304:iFBz9bmxmtOfP7TI/OKIdSOwSmGrjvvLYq5dkcDNckgHDJHZt:qBzQxmtOfzsWKgwS1jvvH5uFHn
Score

10^/10

evasion themida trojan arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

arrowratclientevasionpersistenceratthemidatrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.