MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
SHA3-384 hash: 63fae08589164def771c5c69206a082fab9cb9cf7aeb0001715477853d4f790c81b39b7309b8d7718460ed7e34f4266d
SHA1 hash: b3512459421416274301f7bbaa1cbd4022a78101
MD5 hash: a8ce6032cbb0d077ec2e2b7cefc99b99
humanhash: high-double-autumn-jersey
File name:SRITNIYE.exe.bin
Download: download sample
Signature Arechclient2
Create hunting rule
File size:4'434'355 bytes
First seen:2025-05-09 11:26:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:+pK6fakp1GC6AY2jXAE/tH1oeuk313f5pb7ZjzE:+pK6/vyAYSrH10klP7+
Threatray 90 similar samples on MalwareBazaar
TLSH T191263312B7807CF1CB60D4B2DF4DCB2A5177DB9BA6511F0B93962F692EA724283135C2
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter JAMESWT_WT
Tags:Arechclient2 exe verifyyourconnect-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
497
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E5PbBNcn.ps1
Verdict:
Malicious activity
Analysis date:
2025-05-09 11:22:43 UTC
Tags:
hijackloader loader amsi-bypass
Link:
https://app.any.run/tasks/49dd5b38-9169-4d20-9575-7ce7ffc87d02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681de76e4a59e5a2ce03411e
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Connection attempt
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-vm fingerprint installer masquerade microsoft_visual_cc overlay overlay packed packer_detected sectoprat
Link:
https://www.filescan.io/uploads/681de65b0b64e174c41f9186/reports/9f022b7a-e67b-4efa-a6d5-b69530c5cc2a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/414d3c98-af03-4ffb-b621-18ad9132204a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1685293
Signature
Contains functionality to infect the boot sector
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1685293 Sample: SRITNIYE.exe.bin.exe Startdate: 09/05/2025 Architecture: WINDOWS Score: 96 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 2 other signatures 2->71 9 SRITNIYE.exe.bin.exe 8 2->9         started        12 CircuTransmitter.exe 4 2->12         started        process3 file4 41 C:\Users\user\...\CircuTransmitter.exe, PE32+ 9->41 dropped 43 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32+ 9->45 dropped 47 C:\Users\user\AppData\Local\...\mfc140u.dll, PE32+ 9->47 dropped 15 CircuTransmitter.exe 7 9->15         started        49 C:\Users\user\AppData\Local\...\1A83642.tmp, PE32 12->49 dropped 79 Maps a DLL or memory area into another process 12->79 19 cmd.exe 1 12->19         started        21 OmeScanner.exe 1 12->21         started        signatures5 process6 file7 51 C:\ProgramData\...\CircuTransmitter.exe, PE32+ 15->51 dropped 53 C:\ProgramData\...\vcruntime140.dll, PE32+ 15->53 dropped 55 C:\ProgramData\...\msvcp140.dll, PE32+ 15->55 dropped 57 C:\ProgramData\DockerSecure_x64\mfc140u.dll, PE32+ 15->57 dropped 61 Contains functionality to infect the boot sector 15->61 63 Found direct / indirect Syscall (likely to bypass EDR) 15->63 23 CircuTransmitter.exe 5 15->23         started        27 conhost.exe 19->27         started        signatures8 process9 file10 37 C:\Users\user\AppData\Local\OmeScanner.exe, PE32 23->37 dropped 39 C:\Users\user\AppData\Local\...\33A9DAC.tmp, PE32 23->39 dropped 73 Found hidden mapped module (file has been removed from disk) 23->73 75 Maps a DLL or memory area into another process 23->75 77 Found direct / indirect Syscall (likely to bypass EDR) 23->77 29 OmeScanner.exe 2 23->29         started        33 cmd.exe 3 23->33         started        signatures11 process12 dnsIp13 59 185.125.50.140, 443, 49696, 49700 INPLATLABS-ASRU Russian Federation 29->59 81 Switches to a custom stack to bypass stack traces 29->81 83 Found direct / indirect Syscall (likely to bypass EDR) 29->83 35 conhost.exe 33->35         started        signatures14 process15
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763/
Threat name:
Win32.Downloader.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 19:12:10 UTC
File Type:
PE (Exe)
Extracted files:
862
AV detection:
16 of 24 (66.67%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3jynlsbfh5thhh5faprij43zmuyqxvzwir6wmwi6mqqefsdi5rq._file
Verdict:
malicious
Label(s):
sectoprat
Create hunting rule
Similar samples:
06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
Arechclient2
10ca5ae075a32a4a999ecfde045a336140921818204aee741f744931ab1375a0
Arechclient2
411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd
Arechclient2
a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e
Arechclient2
b60f66fa4f045d4dae25b591bda0b19ecbd649e3a981dd7a13fbaa2ec347da45
Arechclient2
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
Arechclient2
error
Arechclient2
f0c4a6b27087f9088069bda77366d79e9eca98329827396f4381a31e2b75ad29
Arechclient2
+ 80 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery rat trojan
Link:
https://tria.ge/reports/250509-njz4ysttcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
SectopRAT
SectopRAT payload
Sectoprat family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6da201a5-85c5-4918-bf00-07a211388986
Unpacked files
SH256 hash:
06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
MD5 hash:
a8ce6032cbb0d077ec2e2b7cefc99b99
SHA1 hash:
b3512459421416274301f7bbaa1cbd4022a78101
Link:
https://www.unpac.me/results/78ff261d-181a-4aa2-bf7f-cae7804d89ee/
SH256 hash:
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094
MD5 hash:
9ff712c25312821b8aec84c4f8782a34
SHA1 hash:
1a7a250d92a59c3af72a9573cffec2fcfa525f33
Link:
https://www.unpac.me/results/78ff261d-181a-4aa2-bf7f-cae7804d89ee/
SH256 hash:
a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e
MD5 hash:
18247442e0f9378e739f650fd51acb4e
SHA1 hash:
41c3145d0a63f2cb87ae9f4f6107855ddaa72886
Link:
https://www.unpac.me/results/78ff261d-181a-4aa2-bf7f-cae7804d89ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments