MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d
SHA3-384 hash: 7d004e256118f28bf843dff0008766d138b8ac6c130a551dcfe5df4fea7695bc8440dbd030b6a1335defbdd603613157
SHA1 hash: b5c7f15349244598cae27917ad8d517efa3a1e5e
MD5 hash: 5d79e3c7e41afb4471a61f10da60f18b
humanhash: carbon-snake-bluebird-alabama
File name:09.msi
Download: download sample
Signature Arechclient2
Create hunting rule
File size:4'784'128 bytes
First seen:2025-03-04 20:48:40 UTC
Last seen:2025-04-07 12:19:44 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:DXsHk+AsV98uAiqCRav7Nvsdo7tmdUin3XsAB5xorTO93upzdZk:DkkjgVA/fvZvsyJmyin38ZrTO93upz
TLSH T16626331C5D92FE73CE23E97528CE6AC069E2ED5DB61BFEA2DB9739056CF87110842410
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter 1ZRR4H
Tags:92-255-85-23 Arechclient2 msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c76892c668b65489bf0222
Tags:
shellcode spawn micro
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/67c7674625afd13301322110/reports/11e378eb-28c7-4216-b051-34be54786399/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1629575
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1629575 Sample: 09.msi Startdate: 04/03/2025 Architecture: WINDOWS Score: 100 110 undermymindops.com 2->110 112 tse1.mm.bing.net 2->112 114 4 other IPs or domains 2->114 132 Suricata IDS alerts for network traffic 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 Antivirus detection for URL or domain 2->136 138 5 other signatures 2->138 12 msiexec.exe 80 40 2->12         started        15 SplashWin.exe 1 2->15         started        18 msedge.exe 2->18         started        21 2 other processes 2->21 signatures3 process4 dnsIp5 102 C:\Users\user\AppData\Local\...\SplashWin.exe, PE32 12->102 dropped 104 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->104 dropped 106 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 12->106 dropped 108 C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32 12->108 dropped 23 SplashWin.exe 7 12->23         started        27 msiexec.exe 12->27         started        170 Maps a DLL or memory area into another process 15->170 29 cmd.exe 2 15->29         started        116 192.168.2.4, 138, 15847, 443 unknown unknown 18->116 118 192.168.2.17 unknown unknown 18->118 120 239.255.255.250 unknown Reserved 18->120 31 msedge.exe 18->31         started        34 msedge.exe 18->34         started        36 msedge.exe 18->36         started        38 2 other processes 18->38 file6 signatures7 process8 dnsIp9 80 C:\Users\user\AppData\...\SplashWin.exe, PE32 23->80 dropped 82 C:\Users\user\AppData\...\vcruntime140.dll, PE32 23->82 dropped 84 C:\Users\user\AppData\...\msvcp140.dll, PE32 23->84 dropped 86 C:\Users\user\AppData\...\DuiLib_u.dll, PE32 23->86 dropped 140 Switches to a custom stack to bypass stack traces 23->140 142 Found direct / indirect Syscall (likely to bypass EDR) 23->142 40 SplashWin.exe 1 23->40         started        88 C:\Users\user\AppData\Local\...\SplashWin.exe, PE32 27->88 dropped 90 C:\Users\user\AppData\...\vcruntime140.dll, PE32 27->90 dropped 92 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 27->92 dropped 94 4 other files (none is malicious) 27->94 dropped 43 SplashWin.exe 27->43         started        45 ISBEW64.exe 27->45         started        47 ISBEW64.exe 27->47         started        53 8 other processes 27->53 144 Writes to foreign memory regions 29->144 146 Maps a DLL or memory area into another process 29->146 49 IV_Ultra.exe 29->49         started        51 conhost.exe 29->51         started        126 c-msn-pme.trafficmanager.net 13.74.129.1, 443, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->126 128 20.125.209.212, 443, 49859 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->128 130 27 other IPs or domains 31->130 file10 signatures11 process12 signatures13 148 Maps a DLL or memory area into another process 40->148 150 Switches to a custom stack to bypass stack traces 40->150 152 Found direct / indirect Syscall (likely to bypass EDR) 40->152 55 cmd.exe 5 40->55         started        59 cmd.exe 43->59         started        process14 file15 96 C:\Users\user\AppData\Local\...\IV_Ultra.exe, PE32+ 55->96 dropped 98 C:\Users\user\AppData\Local\...\jlabmrfvefbf, PE32+ 55->98 dropped 154 Writes to foreign memory regions 55->154 156 Found hidden mapped module (file has been removed from disk) 55->156 158 Maps a DLL or memory area into another process 55->158 160 Switches to a custom stack to bypass stack traces 55->160 61 IV_Ultra.exe 2 55->61         started        65 conhost.exe 55->65         started        100 C:\Users\user\AppData\Local\Temp\pnhcfuktry, PE32 59->100 dropped 67 conhost.exe 59->67         started        signatures16 process17 dnsIp18 122 undermymindops.com 104.21.58.202, 443, 49741 CLOUDFLARENETUS United States 61->122 124 piaktrip.online 172.67.137.87, 443, 49738, 49739 CLOUDFLARENETUS United States 61->124 162 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 61->162 164 Found strings related to Crypto-Mining 61->164 166 Tries to harvest and steal browser information (history, passwords, etc) 61->166 168 2 other signatures 61->168 69 msiexec.exe 61->69         started        72 msedge.exe 16 61->72         started        signatures19 process20 file21 76 C:\Users\user\AppData\Local\...\MSI2D36.tmp, PE32 69->76 dropped 78 C:\Users\user\AppData\Local\...\MSI2AD3.tmp, PE32 69->78 dropped 74 msedge.exe 72->74         started        process22
Score:
71%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpabx3zpadtic5twca2rmvj5sddvt6suyyv74ou5qg4lhxco3foq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250304-zl3teazydy/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Enumerates connected drives
Reads WinSCP keys stored on the system
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb3b5c6d-7acf-466b-9a91-f8d0eb4629d6
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63c01bef2f00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63c01bef2f00e6817676103516553d90c759fa54c62bfe3a9d81b8b3dc4ed95d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments