MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a442eb87e36814f33635c971290576586980f77523d223174da0719ca35aa2e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 11



SHA256 hash: a442eb87e36814f33635c971290576586980f77523d223174da0719ca35aa2e9
SHA3-384 hash: 2cf5ceba405608581daf3c4c36eefe8b03750cac1501bb947dee81132c1fc9eb2c6b2c999ddc1a3f3691ba52a9f2f984
SHA1 hash: 378e7ab01c429590c5b2487561d3089960dcedfa
MD5 hash: 75be92e844c1fa4351132dd62adca576
humanhash: undress-river-pennsylvania-potato
File name: XMouseButtonControlSetup.2.20.5.exe
Signature: Arechclient2
File size: 9'492'680 bytes
First seen: 2025-10-27 19:53:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 573bb7b41bc641bd95c0f5eec13c233b (27 x GuLoader, 15 x VIPKeylogger, 11 x RemcosRAT)
ssdeep: 196608:SJLpiNghX4dB+bzPz/MWWzuEzjEVkT4kwVeUiyeyE5zi/d:Sdpu262/M6EzjZGUPlnqd
TLSH: T1C2A63383C852E50EE4209370033A2555EB3DFB4EE535465963F9762F28E7C33EB865A2
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: SquiblydooBlog
Tags: Arechclient2 exe signed

Code Signing Certificate

Organisation: THROGGS NECK PETS INCORPORATED
Issuer: Microsoft ID Verified CS EOC CA 01
Algorithm: sha384WithRSAEncryption
Valid from: 2025-10-26T12:08:59Z
Valid to: 2025-10-29T12:08:59Z
Serial number: 3300050b6df0ae2f05df3e2d8f000000050b6d
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: fbc88513fec69cefa3df1ab4ec23b12245366978e916d6c385e7c83f433014dd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 108
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: XMouseButtonControlSetup.2.20.5.exe
Verdict: Malicious activity
Analysis date: 2025-10-27 19:55:17 UTC
Tags: auto-reg auto generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: keylog spawn madi sage

Result
Verdict: Malware
Behaviour
Launching a process
Creating a window
Creating synchronization primitives
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Creating a file in the %temp% subdirectories
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context installer microsoft_visual_cc obfuscated overlay signed threat

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-26T22:53:00Z UTC
Last seen: 2025-10-27T17:18:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb
Result
Malware family: sectoprat
Score: 10/10
Tags: family:hijackloader family:sectoprat defense_evasion discovery installer loader persistence privilege_escalation ransomware rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Drops file in Windows directory
Checks computer location settings
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
SectopRAT
SectopRAT payload
Sectoprat family
Unpacked files
SHA256 hash: a442eb87e36814f33635c971290576586980f77523d223174da0719ca35aa2e9
MD5 hash: 75be92e844c1fa4351132dd62adca576
SHA1 hash: 378e7ab01c429590c5b2487561d3089960dcedfa

SHA256 hash: 979e6e15230aaefad92d141216214533ffa3b1d094a4e82f5f35803a3dd533d4
MD5 hash: 3a3450763b19e6b9103afce916fbf465
SHA1 hash: 1953d79b863fbbacf4037c7a3943643ed996d410

SHA256 hash: 0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a
MD5 hash: 80d5f32b3fc515402b9e1fe958dedf81
SHA1 hash: a80ffd7907e0de2ee4e13c592b888fe00551b7e0

SHA256 hash: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
MD5 hash: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1 hash: edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256 hash: 7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8
MD5 hash: bb632bc4c4414303c783a0153f6609f7
SHA1 hash: eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

SHA256 hash: a256145500eec68e7af192741ff7142d8962680a29bbd9e04902b0cb3b1842ad
MD5 hash: 6520a7ff17702c03a69a2e83c51b2d8c
SHA1 hash: 0ba90f7b9a48718f943991d909d7486a1e34233e

SHA256 hash: 4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061
MD5 hash: f832e4279c8ff9029b94027803e10e1b
SHA1 hash: 134ff09f9c70999da35e73f57b70522dc817e681

SHA256 hash: 8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
MD5 hash: d753362649aecd60ff434adf171a4e7f
SHA1 hash: 3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256 hash: 27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115
MD5 hash: 86a81b9ab7de83aa01024593a03d1872
SHA1 hash: 8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256 hash: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash: 56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash: df20e3a35a1636de64df5290ae5e4e7572447f78
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments