MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 20

Intelligence 20 IOCs YARA 16 File information Comments

SHA256 hash:	272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d
SHA3-384 hash:	fc9167ff3f5699954d4a995ad2a38900693f96e571c740d4bc7f4854ae03640e6f35e1595c4c0cdbabaff1051c81671c
SHA1 hash:	ef475832e20860dd692d044758f323486a362484
MD5 hash:	1bfd2f3590fb00301952cc3162c72370
humanhash:	tennis-moon-mexico-april
File name:	Microsoft OneDrive.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	15'154'176 bytes
First seen:	2025-09-03 17:37:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:h9F/h26spdQ2R7VAwWVn8UQjtUEyViciZ74Vl8IQ7d1HNgrs75hWdQXMF6Ji:jF/bspSvn8UItsViciZyOnK+vWdQy6J
Threatray	2 similar samples on MalwareBazaar
TLSH	T154E6B583EADB9EA1C6062FF6C657A110C311D281B773E70E255B62272B12BBE57453C3
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	smica83
Tags:	103-249-132-235 Arechclient2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

approve.exe

Verdict:

Malicious activity

Analysis date:

2025-09-03 11:33:08 UTC

Tags:

auto-reg netreactor xor-url generic

Link:

https://app.any.run/tasks/0abae937-5109-4462-989a-f9a94878959d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Arechclient2

Link:

https://www.capesandbox.com/analysis/24947/

Detection(s):

MiscreantPunch.SingleXOR.EXE.90.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b87ce73e988eb6ab83a73b

Tags:

obfuscated virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Connection attempt

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a window

Reading critical registry keys

Changing a file

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Setting a global event handler for the keyboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated obfuscated obfuscated overlay packed reconnaissance redline stealer stealer threat tiger windows xor-pe xor-url

Link:

https://www.filescan.io/uploads/68b87cde39a6221faa7cfd0f/reports/777e5932-538f-4ce0-865a-17916941eda8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-03T08:40:00Z UTC

Last seen:

2025-09-03T08:40:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Stealerc.HTTP.ServerRequest Trojan-PSW.Reline.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Reline.gen Backdoor.Broide.TCP.ServerRequest HEUR:Trojan-PSW.MSIL.Stealerc.gen

Link:

https://opentip.kaspersky.com/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4099dbe-fc0c-45be-97fb-f916d7798703

Result

Threat name:

Arechclient2, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1770610

Signature

Bypasses PowerShell execution policy

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Powershell creates an autostart link

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Arechclient2

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

76%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d

Verdict:

Malware

YARA:

7 match(es)

Tags:

.Net .Net Obfuscator .Net Reactor Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.90 Win 64 Exe x64

Link:

https://app.malva.re/file/1bfd2f3590fb00301952cc3162c72370

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d/

Verdict:

Malicious

Threat:

Family.SECTOPRAT

Link:

https://tip.neiki.dev/file/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-09-03 11:33:09 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e4vtzwicimuv3iujg2272uquqdek36u256zq3xff5s77nrcuxiwq._file

Verdict:

malicious

Label(s):

sectoprat

Arechclient2

ec3f20c3aa488962b546566c3e5c76d3c50ba60951c658c0bc473e564a9f74b4

Arechclient2

error

Arechclient2

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/250903-v7ew9aal9x/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Reads user/profile data of web browsers

SectopRAT

SectopRAT payload

Sectoprat family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ebb128a-e6d5-412a-b813-5e4c6eb65ff0

Unpacked files

SH256 hash:

272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d

MD5 hash:

1bfd2f3590fb00301952cc3162c72370

SHA1 hash:

ef475832e20860dd692d044758f323486a362484

Link:

https://www.unpac.me/results/90402336-cdbf-4077-8012-13fef1950c8d/

SH256 hash:

22ab4b0c531afc3e28822b02daac4c1834ea3abd4b632472fe18fee74a5ef861

MD5 hash:

687bacd6bea03765a4dc233d4c528ee0

SHA1 hash:

a4ea5fbc23fad5ae579580e1ebfc8bc8c4f4c549

Detections:

SUSP_XORed_URL_In_EXE

MALWARE_Win_Arechclient2

Link:

https://www.unpac.me/results/90402336-cdbf-4077-8012-13fef1950c8d/

Malware family:

SectopRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/272b3cd90243/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RC6_Constants Create hunting rule
Author:	chort (@chort0)
Description:	Look for RC6 magic constants in binary
Reference:	https://twitter.com/mikko/status/417620511397400576

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/24947/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample