MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6
SHA3-384 hash:	bf4ed742e44d01c9cdc056845ecd18e9c742598f4d96d56fcc9e653b321ff13b879edf39455193e796fb8a48e6aa4cf8
SHA1 hash:	0caa6ade52a9c1bfd194b00465f183fab365f27e
MD5 hash:	7759bfefbe1fabc4b15e01f42dde615e
humanhash:	lion-beer-jig-johnny
File name:	Slackens.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	3'315'848 bytes
First seen:	2023-12-18 06:38:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:Lu0BplM5tL6htjbtje6zBMpAMWb0ci9z+ptR1tHw8A1pnszV60LAFJ14/DwKBxqP:LHvjAe0t94R1t414JAO/+P
TLSH	T114E533E6576D8370F51E5DB363E0CA9DB3A8E30F4E6D1797A807CB360B052450AA58F8
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e4c40102901294d0 (1 x Arechclient2)
Reporter	adm1n_usa32
Tags:	Arechclient2 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/468238/

Detection(s):

Win.Packed.Generickdz-9816506-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for analyzing tools

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/657fe907b855eb3693e364b1/reports/f6ffc2ed-31bd-49f6-accd-346d6f87cd2e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6050d4b-0d1e-442a-83b4-97f90538c2d8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1363797

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-15 20:37:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wglyexsotytxpzmpafrnscqy2huyykkn6wz3fh23yyro33ave3ta._file

Verdict:

malicious

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat evasion rat trojan

Link:

https://tria.ge/reports/231218-hel4msage7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

SectopRAT

SectopRAT payload

Unpacked files

SH256 hash:

b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6

MD5 hash:

7759bfefbe1fabc4b15e01f42dde615e

SHA1 hash:

0caa6ade52a9c1bfd194b00465f183fab365f27e

Link:

https://www.unpac.me/results/48f7d709-19a8-4b35-abf3-bb301eba5d35/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b197825e4e9e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b197825e4e9e2777e58f0162d90a18d1e98c294df5b3b29f5bc622edec1526e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/6377721f-33b6-435d-bc4c-081f23a849d8

Cape

https://www.capesandbox.com/analysis/468238/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample