MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 14

Intelligence 14 IOCs YARA 16 File information Comments

SHA256 hash:	95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861
SHA3-384 hash:	5b3458565531ca41c46f2c27e00df0935bdc631a754bd6e27fca3f289f4f8875b7cb0735afca38ea3a7d1f5262251e44
SHA1 hash:	cfc06589738b485fb3cf4fa5d381fa097bf6764f
MD5 hash:	ee2ed8135a09d3af5737b39de0340ce4
humanhash:	salami-october-glucose-uncle
File name:	hv.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	5'810'888 bytes
First seen:	2024-01-07 04:25:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	49152:m2VHI+ppPcxjztZe7GYKL1m3tk+KqEwtfTV2tVr9MxKo8Zd/VSllaimiljraq/t2:mSdKpm392ryxK149BljraSQxyx
Threatray	349 similar samples on MalwareBazaar
TLSH	T1E046AE0276DADD01E06D7673CBD794248376E9929337D70F3ACA1366024339A1D4ABEB
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	f4c4c8c8d8dcf0d4 (1 x Arechclient2)
Reporter	adm1n_usa32
Tags:	Arechclient2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Detection:

Arechclient2

Link:

https://www.capesandbox.com/analysis/469773/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Creating a file

Forced shutdown of a system process

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd installutil lolbin overlay packed packed

Link:

https://www.filescan.io/uploads/659a27da784d3498d738d38f/reports/6c8c56f9-dcb4-4322-8a71-554770c4c805/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c7565b6d-da7d-4acc-8bb8-a612d9d767f6

Result

Threat name:

RedLine, SectopRAT, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1370878

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2024-01-07 04:26:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 23 (56.52%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sxqvwuhb5dpbpictoujopwcni6nlrcfloxbrj5z33igkozeshbqq._file

Verdict:

malicious

Arechclient2

88fc7a22979f23640d55e18fd516d6c46e7bfcea1c4e563fe3d51821675ea450

Arechclient2

952e0e0ade47380a9bddfc173746aafb755a3a5f7739150f73f6f7fab26b2305

Arechclient2

b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

Arechclient2

dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

Arechclient2

f04ec349c272ef8dd201d0f22202c81c893f63281215233d28325f7149055300

Arechclient2

+ 339 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:sectoprat family:zgrat rat trojan

Link:

https://tria.ge/reports/240107-e2hsysecfr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

.NET Reactor proctector

Drops startup file

Loads dropped DLL

Detect ZGRat V1

SectopRAT

SectopRAT payload

ZGRat

Unpacked files

SH256 hash:

63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee

MD5 hash:

a6810a5899b5a89ee483c9e94dacb015

SHA1 hash:

c787d081f7534936636b17d94ecee651fd64fdac

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

SH256 hash:

5218dfd50bce7347e05c1d692c895805003d76980a8e1a2e215de1686c03d14b

MD5 hash:

4c0d725b3b4c743588ed3a2871e8a052

SHA1 hash:

bb582ab00ea6b555a8bc48f890a5b8f8c1c0dc90

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

SH256 hash:

6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33

MD5 hash:

f45c1512d5a47375e6e396b4d1111e58

SHA1 hash:

8af036b8c60d10e85cf82212930bb04bc0553f36

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

SH256 hash:

4c6fdf3dc9980dd3481f2576a56c749bdf9a25044848a6b26be0ca0a200706a0

MD5 hash:

5ebce480b49e6a413b0abe853847d0c0

SHA1 hash:

6016ffa64e05a485cba501254a1c172d4e51ae7b

Detections:

SUSP_XORed_URL_In_EXE

MALWARE_Win_Arechclient2

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

Parent samples :

230332ce89437c1a16c4c6829a715a31ed16186bc8845374512a822a16287344
224e524958bb45d638403cc92f1f165ff8af5d8eff004663a542eddf25c03ddf
ccf9b6883d9d9e834a8ab8a466ab2f8ff954ef4f5c6c3987b40cda8762462fe3
6a546d75556d9fec84c5a82dcafe0dbca854020ff13e3292c0e9b1efc5cca2a4
6716e245598aa6ca23203f7fdeb0f94fb411570d98bcd11b946839b67bdb5f37
493807123c2e449d0dcfdbd3443d083aef30a6aaea42381290572bab06090c0b
95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861

SH256 hash:

dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

MD5 hash:

544cd51a596619b78e9b54b70088307d

SHA1 hash:

4769ddd2dbc1dc44b758964ed0bd231b85880b65

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

SH256 hash:

95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861

MD5 hash:

ee2ed8135a09d3af5737b39de0340ce4

SHA1 hash:

cfc06589738b485fb3cf4fa5d381fa097bf6764f

Detections:

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/537fedca-1f4a-4d83-9929-03cdae10b932/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/95e15b50e1e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/95e15b50e1e8de17a0537512e7d84d479ab888ab75c314f73bda0ca764923861

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834