MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35
SHA3-384 hash: 1ead2e3b44523572c7f636773cd47d24aec77e0b56cb5683b1ff94e81f197add192b689962f9deb5ae2781212a6618e3
SHA1 hash: 6949d89a9357e01bd620e54683e68d50757a9985
MD5 hash: 5d8015f50eea4c4dc4e99aa83da9fdf4
humanhash: ink-sweet-princess-johnny
File name:5d8015f50eea4c4dc4e99aa83da9fdf4.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:2'504'792 bytes
First seen:2024-08-23 14:45:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (20 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 49152:+pz3qVn+A4GA+B5ROpbmQFNioD77iabCv/+dZMETIUdffL/X/CH93YHLicHM:+p2p+HGA+B5Rybdv/u/aZHzH723YH0
Threatray 6 similar samples on MalwareBazaar
TLSH T119C5335337D4A4F1CA96C8B7DF06CB618576D3E436404F47864B2E096EE32B1A20B9DB
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter abuse_ch
Tags:Arechclient2 exe


Avatar
abuse_ch
Arechclient2 C2:
194.26.29.100:15647

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.26.29.100:15647 https://threatfox.abuse.ch/ioc/1315403/

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5d8015f50eea4c4dc4e99aa83da9fdf4.exe
Verdict:
Malicious activity
Analysis date:
2024-08-23 14:48:15 UTC
Tags:
xor-url generic arechclient2 backdoor stealer
Link:
https://app.any.run/tasks/17119ed8-8b57-4e7f-a261-d721c4e50387

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Rugmi-10034649-0
Create hunting rule

SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c8a0adb2a4681a72968425
Tags:
Encryption Network Stealth Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching cmd.exe command interpreter
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
Sending a TCP request to an infection source
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66c8a0ad160755393ef01d7f/reports/51f05ea9-cf27-44bd-bb5f-5b22db4cf4ab/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/02835598-9880-477e-bbdf-378cf1a22118
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1498100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1498100 Sample: C0DcOwxwfi.exe Startdate: 23/08/2024 Architecture: WINDOWS Score: 100 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for dropped file 2->75 77 7 other signatures 2->77 9 C0DcOwxwfi.exe 7 2->9         started        12 Newfts.exe 1 2->12         started        process3 file4 41 C:\Users\user\AppData\...\RegisterIdr.dll, PE32 9->41 dropped 43 C:\Users\user\...\ProductStatistics3.dll, PE32 9->43 dropped 45 C:\Users\user\AppData\Local\Temp45ewfts.exe, PE32 9->45 dropped 15 Newfts.exe 10 9->15         started        95 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->95 97 Maps a DLL or memory area into another process 12->97 99 Found direct / indirect Syscall (likely to bypass EDR) 12->99 19 cmd.exe 2 12->19         started        signatures5 process6 file7 49 C:\Users\user\AppData\...\RegisterIdr.dll, PE32 15->49 dropped 51 C:\Users\user\...\ProductStatistics3.dll, PE32 15->51 dropped 53 C:\Users\user\AppData\Roaming\...53ewfts.exe, PE32 15->53 dropped 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->59 61 Contains functionality to behave differently if execute on a Russian/Kazak computer 15->61 63 Switches to a custom stack to bypass stack traces 15->63 65 Found direct / indirect Syscall (likely to bypass EDR) 15->65 21 Newfts.exe 1 15->21         started        55 C:\Users\user\AppData\Local\Temp\frjyvitpv, PE32 19->55 dropped 67 Writes to foreign memory regions 19->67 69 Maps a DLL or memory area into another process 19->69 24 MSBuild.exe 1 19->24         started        26 conhost.exe 19->26         started        signatures8 process9 signatures10 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->87 89 Maps a DLL or memory area into another process 21->89 91 Switches to a custom stack to bypass stack traces 21->91 93 Found direct / indirect Syscall (likely to bypass EDR) 21->93 28 cmd.exe 4 21->28         started        process11 file12 47 C:\Users\user\AppData\Local\Temp\pawnunv, PE32 28->47 dropped 101 Writes to foreign memory regions 28->101 103 Found hidden mapped module (file has been removed from disk) 28->103 105 Maps a DLL or memory area into another process 28->105 107 Switches to a custom stack to bypass stack traces 28->107 32 MSBuild.exe 15 15 28->32         started        37 conhost.exe 28->37         started        signatures13 process14 dnsIp15 57 194.26.29.100, 15647, 49739, 49740 RELIABLESITEUS unknown 32->57 39 C:\Users\user\AppData\...\Secure Preferences, JSON 32->39 dropped 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->79 81 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->81 83 Tries to harvest and steal browser information (history, passwords, etc) 32->83 85 Tries to steal Crypto Currency Wallets 32->85 file16 signatures17
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35/
Threat name:
Win32.Backdoor.Sectoprat
Create hunting rule
Status:
Malicious
First seen:
2024-08-20 12:58:00 UTC
File Type:
PE (Exe)
Extracted files:
110
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnuq3aietrgwn7jfmurqnb2jqfv4iesmp52gckba2sfvgd6hxi2q._file
Verdict:
suspicious
Similar samples:
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
Arechclient2
9dedbdff239c9e7568eda8582263914dce77bcf052c1c6668d01c284af911d61
Arechclient2
e8b4c61975523018667cb160e89bbf3e0fedd24025818765a572cf2aa6bd9ce4
Arechclient2
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat credential_access discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/240823-r5amzazglb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
SectopRAT
SectopRAT payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e10e8260-ab65-47fd-9d38-e35b05e09ecb
Unpacked files
SH256 hash:
f401951bfb1ff8b37acc50713b91622e44d9261255f6c566e6e9091c5b3541de
MD5 hash:
db1095cc08c2b778b071e30f3f113f3b
SHA1 hash:
71743187e88630664540f605970acf0e6719b5ed
Link:
https://www.unpac.me/results/974a8214-0e17-486d-b946-9091e65cb539/
SH256 hash:
b8757262a95809c3df30d7c83be2cd174158b88e9857524934e5d7b26c860dc7
MD5 hash:
fe3ce002c27a60a5db0feee9f975bb05
SHA1 hash:
0fb800095d9afc03f01fe694115328acccae21c8
Link:
https://www.unpac.me/results/974a8214-0e17-486d-b946-9091e65cb539/
SH256 hash:
33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35
MD5 hash:
5d8015f50eea4c4dc4e99aa83da9fdf4
SHA1 hash:
6949d89a9357e01bd620e54683e68d50757a9985
Link:
https://www.unpac.me/results/974a8214-0e17-486d-b946-9091e65cb539/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33690d81049c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments