MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec
SHA3-384 hash: e67ec5cf71b2557135b708f80fb0b1f96f94103f83097bbc6b6ed55e0f39de2298a133005fa38d3e3861dd389b0b0285
SHA1 hash: dc9936697678ea0ab1ab9313f02e60ebb9789a7f
MD5 hash: d7c8605a63f8f65eca9833f926d69ca1
humanhash: massachusetts-snake-october-fourteen
File name:hfix.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:999'648 bytes
First seen:2021-01-09 08:00:56 UTC
Last seen:2021-01-10 13:11:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f25fb96b6fd81b4bb5d3c9f918e98b8 (1 x NanoCore, 1 x QuasarRAT, 1 x Arechclient2)
ssdeep 12288:CW31n5ciQdHRNHufTCK+JeLdYrypLRMlqzoqL0ds66teGyfc7beOTIvPLX2:F3HciQdxlufTzS8ROGL9HteG9rUvPL2
Threatray 33 similar samples on MalwareBazaar
TLSH C72522139AF84821F47A07B01DF601930636BBD42F7857AB635E66E414762F4A33A72F
Reporter JAMESWT_WT
Tags:Arechclient2

Code Signing Certificate

Organisation:NTWind Software
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Mar 31 00:00:00 2020 GMT
Valid to:Jun 29 23:59:59 2023 GMT
Serial number: C20D42F4F000C62506CBB00D86EBA50B
Thumbprint Algorithm:SHA256
Thumbprint: 047EF2FD0D7DDB2744812709F5ADDF55CA2E6FFD10ACAED884EF49FCF83909E3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hfix.exe
Verdict:
Malicious activity
Analysis date:
2021-01-09 08:02:10 UTC
Tags:
autoit trojan
Link:
https://app.any.run/tasks/43b082e7-1170-4564-b73d-b64d68703ac9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111095/
Detection(s):
SecuriteInfo.com.PE.Heur.InvalidSig.23272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Launching cmd.exe command interpreter
DNS request
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577223
Signature
Connects to many ports of the same IP (likely port scanning)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337663 Sample: hfix.exe Startdate: 09/01/2021 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Sigma detected: Drops script at startup location 2->74 76 6 other signatures 2->76 10 hfix.exe 1 6 2->10         started        12 wscript.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        signatures5 21 cmd.exe 2 16->21         started        24 conhost.exe 16->24         started        26 certutil.exe 2 16->26         started        78 Submitted sample is a known malware sample 18->78 28 conhost.exe 18->28         started        process6 signatures7 80 Obfuscated command line found 21->80 82 Uses ping.exe to sleep 21->82 30 smss.com 21->30         started        33 PING.EXE 1 21->33         started        36 findstr.exe 1 21->36         started        39 2 other processes 21->39 process8 dnsIp9 88 Drops PE files with a suspicious file extension 30->88 41 smss.com 7 30->41         started        58 127.0.0.1 unknown unknown 33->58 60 192.168.2.1 unknown unknown 33->60 50 C:\Users\user\AppData\Local\Temp\...\smss.com, Targa 36->50 dropped 62 sRmI.sRmI 39->62 file10 signatures11 process12 dnsIp13 64 TjnuXZtAGcUwwuGywC.TjnuXZtAGcUwwuGywC 41->64 52 C:\Users\user\AppData\...\meAPqxlTjq.com, PE32 41->52 dropped 54 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 41->54 dropped 56 C:\Users\user\AppData\...\meAPqxlTjq.url, MS 41->56 dropped 84 Writes to foreign memory regions 41->84 86 Injects a PE file into a foreign processes 41->86 46 RegAsm.exe 15 2 41->46         started        file14 signatures15 process16 dnsIp17 66 34.253.207.79, 15647, 49734 AMAZON-02US United States 46->66 68 eth0.me 5.132.162.27, 49736, 80 INTERNEX-ASAT Austria 46->68 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->90 92 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 46->92 94 Tries to harvest and steal browser information (history, passwords, etc) 46->94 96 Queries memory information (via WMI often done to detect virtual machines) 46->96 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 07:58:14 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hv2mg6w6ljyieyl2zmglc2l6wggjuypxbgnqjn3jm4ka6ounapwa._file
Verdict:
unknown
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
Arechclient2
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
Arechclient2
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
Arechclient2
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
Arechclient2
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
Arechclient2
890640a258f6876bf27452acbb0e0eaf4a3286f1bca30bc02822d30052a0eeaa
Arechclient2
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
Arechclient2
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
Arechclient2
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
Arechclient2
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
Arechclient2
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/210109-a4yhh7pmkj/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
98c1ad23dfc0b288a267eef1082bd7d8edee2f50621dc882b89c18dfd175ab38
MD5 hash:
577c82759261fb4e47d1c24f39eea7c4
SHA1 hash:
4f6e051380626b6ec264768e19faaa833c2774b2
Link:
https://www.unpac.me/results/9b1403b8-b1f5-453d-a084-d09dd745137c/
SH256 hash:
3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec
MD5 hash:
d7c8605a63f8f65eca9833f926d69ca1
SHA1 hash:
dc9936697678ea0ab1ab9313f02e60ebb9789a7f
Link:
https://www.unpac.me/results/9b1403b8-b1f5-453d-a084-d09dd745137c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a paste
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

Executable exe 3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/951391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111095/

Comments


Avatar
Karsten Hahn commented on 2021-02-01 15:12:27 UTC

This is SectopRAT. "Arech" (in ArechClient) stems from this version's module name. This name changes with every version.
References: https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers
https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html
First SectopRAT sample: https://bazaar.abuse.ch/sample/4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774