MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArechClient2


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1
SHA3-384 hash: 902586cf044629cb2f1aa421c6ec456865c4fbcbfe2771f8f366aa60469ceb4572b843360d90d660a5ce4cb8a93e590f
SHA1 hash: 91e8c569d9eface858d8819201d3cee703b31cdd
MD5 hash: 610b2aaa7212100cf98bc5aeb3ae8b6e
humanhash: eleven-hotel-five-fish
File name:AppInstaller 10.9.exe
Download: download sample
Signature ArechClient2
Create hunting rule
File size:9'881'944 bytes
First seen:2023-05-17 02:53:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15423dc83ee252508ef10ebd90747f83 (1 x ArechClient2)
ssdeep 196608:x2tsQFGc2rBPKwOIWpMmPfglC3P+Um9i/J1B0dHGpYlbmDz:xtrPKJzue4WP+U8i/Dazm3
Threatray 924 similar samples on MalwareBazaar
TLSH T17AA633CE02A75968E6AD52F5C5FDE090688383B49D06046B741F9A485BC270EFFF62CD
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter RussianPanda95
Tags:Arechclient2 exe scrubcrypt signed

Code Signing Certificate

Organisation:Cloudflare
Issuer:Managed CA 093898f08deeb6bb5760e0678a3324b9
Algorithm:sha256WithRSAEncryption
Valid from:2023-04-18T05:05:00Z
Valid to:2033-04-15T05:05:00Z
Serial number: 1a3d87b9fbecee3ca7d6529e7d92ecbba1c573be
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a471ff3ac6744c5cf7462bd44215c7a0302912787de30483030aaa3b73edfebd
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
482
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8e3938fb73733a961e6b4e1db7e8b89-sample.zip
Verdict:
No threats detected
Analysis date:
2023-05-17 14:33:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4df49ad4-2f7d-47d0-9e5d-f98f1c4b4615

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390580/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.12116.20364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll stealer
Link:
https://www.filescan.io/uploads/646441cbca9bd335790019f7/reports/078d456e-23d0-4af3-a579-2bf7f4321586/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ed81cce-f1e5-44ae-8d64-e51da4170022
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1234548
Signature
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Very long command line found
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867531 Sample: AppInstaller 10.9.exe Startdate: 16/05/2023 Architecture: WINDOWS Score: 92 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected AntiVM3 2->48 50 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->50 52 4 other signatures 2->52 8 AppInstaller 10.9.exe 5 2->8         started        process3 dnsIp4 40 35.246.173.130, 1345, 49704 GOOGLEUS United States 8->40 42 pastebin.com 104.20.67.143, 443, 49702 CLOUDFLARENETUS United States 8->42 44 2 other IPs or domains 8->44 36 C:\Users\user\AppData\...\t6EvAvYao5USvRG.exe, PE32 8->36 dropped 56 Query firmware table information (likely to detect VMs) 8->56 58 Hides threads from debuggers 8->58 60 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->60 13 cmd.exe 1 8->13         started        16 t6EvAvYao5USvRG.exe 18 8->16         started        file5 signatures6 process7 dnsIp8 62 Very long command line found 13->62 20 cmd.exe 2 13->20         started        24 conhost.exe 13->24         started        38 fpdownload.macromedia.com 16->38 30 C:\Windows\SysWOW64\Macromed\Temp\...\fpb.tmp, PE32 16->30 dropped 32 C:\Windows\SysWOW64\Macromed\Temp\...\fpb.tmp, PE32 16->32 dropped file9 signatures10 process11 file12 34 C:\Users\user\...\BXlgcG2pKPrYxQB.bat.exe, PE32 20->34 dropped 54 Very long command line found 20->54 26 BXlgcG2pKPrYxQB.bat.exe 11 20->26         started        28 conhost.exe 20->28         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-13 23:26:04 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghfxg56ifoyzd7dnh5fbbahlybnbne4jypk25klqpmrhsqjkzsyq._file
Verdict:
unknown
Similar samples:
9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9
ArechClient2
ae549fa1767c7d3949741aeaf34fd1d0c4fcc1acdbf83704acba694d373292a6
ArechClient2
b413ff17b7b0246d7a7d4cb1bb92eaa4cbaf4dee3a9b90076d8eb19b556b2d51
ArechClient2
b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd
ArechClient2
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
ArechClient2
c2f357f6d88d014312346bcb9e534f8bafba1d572600168018af8ce3402d1799
ArechClient2
e2819306cb005122235fe1fb6ee4ca47da2077f637a6f368f15bd7e75f7a50f2
ArechClient2
e388f58cb819d7d603ab71b8909a439ee9e4ac1630c7c64386112a75f2e60966
ArechClient2
eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63
ArechClient2
+ 914 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit evasion persistence trojan
Link:
https://tria.ge/reports/230517-ddv8psde96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Looks for VMWare drivers on disk
Looks for VirtualBox drivers on disk
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1
MD5 hash:
610b2aaa7212100cf98bc5aeb3ae8b6e
SHA1 hash:
91e8c569d9eface858d8819201d3cee703b31cdd
Link:
https://www.unpac.me/results/5323d179-e0b2-4601-a5e7-a80d5aa489c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31cb7377c82bb191fc6d3f4a1080ebc05a169389c3d5aea9707b2279412accb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/AnFam17/status/1658666291308163072?s=20
Cape
Cape
https://www.capesandbox.com/analysis/390580/

Comments