MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6503af884f87235c82c36b47fd40fc0cc61dc82aa479c0f3196c3a0b97209886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Arechclient2


Vendor detections: 9



SHA256 hash: 6503af884f87235c82c36b47fd40fc0cc61dc82aa479c0f3196c3a0b97209886
SHA3-384 hash: 91cc856924eaccfbb30a83d22664f404db665bb8bec4827d72e67fbc8d46f3b18f14b30da38312c1fe7bc2136c7856f3
SHA1 hash: 5a85dc4aad7894eb1d2e522c17ec6cf489b36dec
MD5 hash: 3e2c3e5f1519583f450f2c658720de0f
humanhash: winner-cardinal-sweet-victor
File name: 3e2c3e5f1519583f450f2c658720de0f.exe
Signature Arechclient2
File size: 13'036'984 bytes
First seen: 2023-02-07 10:10:06 UTC
Last seen: 2023-02-07 11:37:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash c7c88a9f12777d4c1f156ccc8f276fa1 (3 x Arechclient2, 2 x RaccoonStealer, 2 x Amadey)
ssdeep 393216:yLF7hgdtdOT0y62yqgJDt1gn/2CuuegmdBXpEXjGD6ApgMyx708OK:yZF+tnDKght8x
Threatray 206 similar samples on MalwareBazaar
TLSH T13FD6BE1182E31955F0F0867891BEE0B09AEB5D63CD878D1935DC3D9B3B390DA98BDA13
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon b2ac98f68cf0c69a (2 x Arechclient2, 1 x RustyStealer, 1 x njrat)
Reporter abuse_ch
Tags: Arechclient2 exe


abuse_ch
Arechclient2 C2:
162.55.188.246:15647

Intelligence


File Origin
# of uploads:
2
# of downloads:
215
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e2c3e5f1519583f450f2c658720de0f.exe
Verdict:
No threats detected
Analysis date:
2023-02-07 10:12:31 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug greyware keylogger overlay packed redline virus
Result
Verdict:
MALICIOUS
Result
Threat name:
RedLine, SectopRAT
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph (ID 800332, sample D34tl48TpG.exe, start date 07/02/2023, architecture WINDOWS, score 100), recovered from the graph residue:
- D34tl48TpG.exe drops C:\ProgramData\sedalivibog\yetoboc.exe (PE32) and C:\...\yetoboc.exe:Zone.Identifier (ASCII), then starts yetoboc.exe and cmd.exe; signatures on this process include overwriting code with unconditional jumps, firmware table queries (VM detection) and self deletion via cmd or bat file.
- cmd.exe starts PING.EXE (against 127.0.0.1, used to sleep) and conhost.exe.
- yetoboc.exe writes to foreign memory regions, allocates memory in foreign processes, hides threads from debuggers and injects a PE file into several InstallUtil.exe instances.
- InstallUtil.exe connects to 162.55.188.246:15647 (ACPCA, United States) and eth0.me 5.132.162.27:80 (INTERNEX-ASAT, Austria); it queries WMI Win32_VideoController and Win32_DiskDrive (VM detection), harvests browser information (history, passwords, etc.) and attempts to steal cryptocurrency wallets.
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2023-02-07 04:50:35 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
12 of 26 (46.15%)
Threat level:
5/5
Result
Malware family:
sectoprat
Score:
10/10
Tags:
family:sectoprat evasion rat trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
SectopRAT
SectopRAT payload
UAC bypass
Unpacked files
SHA256 hash:
0e95c5e178aad201886b8193adba079b6c3ce58691428d045e663434e29ce266
MD5 hash:
370fb5ff96f06ff85a0005bad1af4873
SHA1 hash:
2a1be04ec718de5b349a540fa5666e6160d4b117
SHA256 hash:
6503af884f87235c82c36b47fd40fc0cc61dc82aa479c0f3196c3a0b97209886
MD5 hash:
3e2c3e5f1519583f450f2c658720de0f
SHA1 hash:
5a85dc4aad7894eb1d2e522c17ec6cf489b36dec
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: grakate_stealer_nov_2021
Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT
Rule name: pe_imphash
Rule name: QbotStuff
Author: anonymous
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Arechclient2
Sample: Executable exe 6503af884f87235c82c36b47fd40fc0cc61dc82aa479c0f3196c3a0b97209886 (this sample)

Delivery method
Distributed via web download

Comments