MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
SHA3-384 hash: 1df063c9a30e9e189917e5bb76a992a578e03aaa2e52e98fe3be3510ef88c94b7ef26b5fb6f07719c65955d7dfd377b3
SHA1 hash: 054742329f83a5d177dd1937992e6755f43c420e
MD5 hash: e10a54c88b0055b69165618590583805
humanhash: red-yankee-papa-london
File name:Test.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:653'824 bytes
First seen:2023-01-15 21:04:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+sqQ30A60bYyJxY/qOsc1TNetLiWMV4em8LPd:+sQ5P/qOvN4LexV
Threatray 41 similar samples on MalwareBazaar
TLSH T161D47C5836EC9E16EB6EC771D3FBDA199270838F9281D22F0C8298D45A53781D709F93
TrID 53.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
12.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.5% (.SCR) Windows screen saver (13097/50/3)
7.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter dr4k0nia
Tags:.NET Arechclient2 Credential Stealer exe


Avatar
dr4k0nia
Dumped child which was injected via ProcessHollowing into "C:\\Windows\\http://Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe", the injector is written in AutoIT 3 and is delivered as a3x compiled script and an interpreter executable.

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Test.exe
Verdict:
Malicious activity
Analysis date:
2023-01-15 21:05:14 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/3bd9aa75-5c11-45d0-b2db-df08af85a80c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Arechclient2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353201/
Detection(s):
Win.Trojan.MSILPacked-9942256-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive njrat obfuscated packed rat stealer
Link:
https://www.filescan.io/uploads/63c46a81a2a70cc7fd2b5ed9/reports/2b353530-47ea-47dd-90e5-c6815a87cbd3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3353ab5a-f236-452a-97a2-2538ab4329b9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152022
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-15 21:05:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=va2walnxdjbio3ikrdgeklfwaaa54sdvuxurgfw2tj2dmp2ideia._file
Verdict:
malicious
Similar samples:
28789e97db3a2be3cce780dc16cbfdd675ecf579b81a497efc042914f22cfc77
Arechclient2
603529b388e236d8e83f550e3bea45ecb9664c7e8a6137bb1ee7981f13ee72fa
Arechclient2
6b102d3201a020b3661abae52a8f7fe5c64606d6867fec17a7ebdde69d038e7e
Arechclient2
79b3659ae5791dba0cc638c8034fc65c8e221fd8c5e7a7b4ca15cd12e08f94e9
Arechclient2
7c248c54bac1db4abfb0e0151b4e89bd105a7c1202593477bbc9f795de78010f
Arechclient2
ad313baf55b55cd37d1d7dc6db9a8d60783b77d187430c043b1e2fcf4ae6b064
Arechclient2
f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0
Arechclient2
+ 31 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/230115-zw6ytagc3w/
Behaviour
Suspicious use of AdjustPrivilegeToken
System policy modification
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
UAC bypass
Unpacked files
SH256 hash:
a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
MD5 hash:
e10a54c88b0055b69165618590583805
SHA1 hash:
054742329f83a5d177dd1937992e6755f43c420e
Link:
https://www.unpac.me/results/2ec45c92-5367-4d7c-b7a0-ec102629db31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f

Arechclient2

Executable exe a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910

(this sample)

  
X
https://twitter.com/Gi7w0rm/status/1614440406405496836
  
Link
https://tria.ge/230115-by7fcscb6w
  
Dropped by
SHA256 db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/353201/

Comments