MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
SHA3-384 hash: 8594b468690084587db1ef928f84891e4b1a8e181711d39949cfb26d9b6986da664ddd21986e660ba62dd8b625e741d8
SHA1 hash: a21cc8e454927fa878efb34491fdba1cd7ff90c7
MD5 hash: aedef5976cbed764e16089f0cd5b79e0
humanhash: london-cup-quebec-pluto
File name:315B63093AE9218EBDEAEB5120E17D7FA81BC7BAE694F.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:1'204'736 bytes
First seen:2023-03-18 09:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:5Q+7rOqFARbKlkTPiZ/V2RdpldkWeaoF9pG5QqRtuAZ:5Q+7rOqF8bKuIULp7kWexte
Threatray 330 similar samples on MalwareBazaar
TLSH T17745235396E8423BDAA257B240FE1353573DBDA1872C935F21C82AD348632C4B47976F
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 16461cf8e828e8cc (1 x Arechclient2)
Reporter abuse_ch
Tags:Arechclient2 exe


Avatar
abuse_ch
Arechclient2 C2:
35.226.102.12:15649

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
315B63093AE9218EBDEAEB5120E17D7FA81BC7BAE694F.exe
Verdict:
Malicious activity
Analysis date:
2023-03-18 09:30:41 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/00ef26bd-23b1-4fbf-ad11-45da6daf90b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375272/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.49311304.10055.13855.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73716/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll alien anti-vm CAB installer packed redline rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/641584d7c65d1ebf04c141a1/reports/e5e76a45-9976-4fc9-9bda-93e560d73738/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9735db8b-073e-4fd5-883f-4f0940696bd8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1196554
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates processes via WMI
DLL reload attack detected
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829451 Sample: 315B63093AE9218EBDEAEB5120E... Startdate: 18/03/2023 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 7 other signatures 2->78 10 315B63093AE9218EBDEAEB5120E17D7FA81BC7BAE694F.exe 1 5 2->10         started        12 wscript.exe 2->12         started        15 KzmFiRkxPq.exe.com 2->15         started        17 2 other processes 2->17 process3 signatures4 19 cmd.exe 1 10->19         started        22 TapiUnattend.exe 10->22         started        100 Creates processes via WMI 12->100 process5 signatures6 88 Obfuscated command line found 19->88 90 Uses ping.exe to sleep 19->90 92 Drops PE files with a suspicious file extension 19->92 94 Uses ping.exe to check the status of other devices and networks 19->94 24 cmd.exe 2 19->24         started        28 conhost.exe 19->28         started        30 PING.EXE 1 19->30         started        96 Creates processes via WMI 22->96 process7 file8 60 C:\Users\user\AppData\...behaviorgraphrandi.exe.pif, PE32 24->60 dropped 98 Obfuscated command line found 24->98 32 Grandi.exe.pif 5 24->32         started        37 tasklist.exe 1 24->37         started        39 findstr.exe 1 24->39         started        41 find.exe 1 24->41         started        signatures9 process10 dnsIp11 64 TYJSNCwvIVGLQksFlLFVIxacRi.TYJSNCwvIVGLQksFlLFVIxacRi 32->64 56 C:\Users\user\AppData\...\KzmFiRkxPq.exe.com, PE32 32->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\Tomt.dll, PE32 32->58 dropped 80 Multi AV Scanner detection for dropped file 32->80 82 DLL reload attack detected 32->82 84 Drops PE files with a suspicious file extension 32->84 86 4 other signatures 32->86 43 jsc.exe 15 4 32->43         started        47 cmd.exe 2 32->47         started        50 schtasks.exe 1 32->50         started        file12 signatures13 process14 dnsIp15 66 eth0.me 5.132.162.27, 49698, 80 INTERNEX-ASAT Austria 43->66 68 35.226.102.12, 15649, 49697 GOOGLEUS United States 43->68 70 3 other IPs or domains 43->70 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->102 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->104 106 Tries to harvest and steal browser information (history, passwords, etc) 43->106 108 Tries to steal Crypto Currency Wallets 43->108 62 C:\Users\user\AppData\...\KzmFiRkxPq.url, MS 47->62 dropped 52 conhost.exe 47->52         started        54 conhost.exe 50->54         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 01:13:59 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
23 of 39 (58.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfnwgcj25eqy5ppk5nisbyl5p6ubxr5242kp75ttuic67kw5poda._file
Verdict:
malicious
Similar samples:
3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855
Arechclient2
392a280d0771a774bf35f681527f09852ffa9700d2a4b78dbd5f42de35d8b274
Arechclient2
63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
Arechclient2
c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
Arechclient2
f7e50575e32d3accb8157aa1916a260477a3297eaead3242038ed93e775ff5e5
Arechclient2
fba15156d1643a118567ce96099f57214d3fa33ce9a6f1baa83826c134a92975
Arechclient2
+ 320 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat evasion persistence rat spyware trojan
Link:
https://tria.ge/reports/230318-lg2hwsdh5s/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Unpacked files
SH256 hash:
1a2e8329a2f3255c06825aed711ae65ad476aef811b21737cbef1ccc451872aa
MD5 hash:
1dd1a9c59ff05cced864226e1d5e00bb
SHA1 hash:
528f9f4642c498c78d45f74b5e7712fca9eb1959
Link:
https://www.unpac.me/results/8a7fe227-dcd6-4b5f-a1a0-93effaac47e6/
SH256 hash:
315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
MD5 hash:
aedef5976cbed764e16089f0cd5b79e0
SHA1 hash:
a21cc8e454927fa878efb34491fdba1cd7ff90c7
Link:
https://www.unpac.me/results/8a7fe227-dcd6-4b5f-a1a0-93effaac47e6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/315b63093ae9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/375272/

Comments