MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
SHA3-384 hash: d1aa8f2c01c71a7b3d6c8e0b20c0d76de7881d7f12a6f7984d8e110c50c5e5734569f5b0e5287eac8d20443316a24073
SHA1 hash: 4a94d4412588f9933eeb600f444c7a30d96bbb54
MD5 hash: efa81ca3c664b6fc6c046f52db0e8db4
humanhash: moon-two-zebra-kilo
File name:TeachTray.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:1'899'454 bytes
First seen:2025-09-09 15:23:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 49152:upp/7+yytjDtzuD516w8NtDCqR0WYjnFfty6FKA3:upwyy1LNtmvWYjny5o
Threatray 29 similar samples on MalwareBazaar
TLSH T1719533CBBC018123F4F341F6E87677509BB3AE53A2F1A9CBC6E67E0D75645105628BA0
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:5-10-250-239 Arechclient2 AutoIT CypherIT exe SectopRAT


Avatar
iamaachum
https://networkmanagement.xyz/lander/domain/TeachTray.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 14:56:32 UTC
Tags:
lumma stealer golang loader autoit auto-startup arechclient2 rat backdoor xor-url generic
Link:
https://app.any.run/tasks/c228156e-38e4-4a17-ba20-04e8db5cb395

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26519/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c0468b6e66ba602d7971de
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Сreating synchronization primitives
Connection attempt
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68c0467fcfa59bfdc7f5c776/reports/efb45e93-0314-4897-9a35-92605f84449f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T20:23:00Z UTC
Last seen:
2025-09-08T20:23:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.AUO.gen HEUR:Trojan.Win32.Autoit.gen Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb Trojan.Win32.Agent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e973d9fc-dfce-4ad8-a91e-910ce0d9341f
Result
Threat name:
Arechclient2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774086
Signature
Creates a thread in another existing process (thread injection)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Arechclient2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774086 Sample: TeachTray.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 69 aizRKWJGht.aizRKWJGht 2->69 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 7 other signatures 2->83 11 TeachTray.exe 27 2->11         started        14 NatalieShield.bat 1 2->14         started        signatures3 process4 file5 57 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->57 dropped 59 C:\Users\user\AppData\Local\...\nse7ED7.tmp, DOS 11->59 dropped 17 cmd.exe 1 11->17         started        61 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32+ 14->61 dropped 101 Injects a PE file into a foreign processes 14->101 103 Found direct / indirect Syscall (likely to bypass EDR) 14->103 20 RegAsm.exe 14->20         started        signatures6 process7 signatures8 73 Detected CypherIt Packer 17->73 75 Drops PE files with a suspicious file extension 17->75 22 cmd.exe 4 17->22         started        25 conhost.exe 17->25         started        process9 file10 51 C:\Users\user\AppData\Local\Temp\...\Dice.pif, PE32+ 22->51 dropped 27 Dice.pif 6 22->27         started        31 extrac32.exe 18 22->31         started        33 tasklist.exe 1 22->33         started        35 3 other processes 22->35 process11 file12 63 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32+ 27->63 dropped 65 C:\Users\user\AppData\...65atalieShield.bat, PE32+ 27->65 dropped 93 Writes to foreign memory regions 27->93 95 Injects a PE file into a foreign processes 27->95 97 Found direct / indirect Syscall (likely to bypass EDR) 27->97 37 RegAsm.exe 19 24 27->37         started        42 cmd.exe 2 27->42         started        67 C:\Users\user\AppData\Local\Temp\Liable, VAX-order 31->67 dropped signatures13 process14 dnsIp15 71 5.10.250.239, 443, 49697, 49698 AZERONLINEAZ Azerbaijan 37->71 53 C:\Users\user\AppData\...\Secure Preferences, JSON 37->53 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->85 87 Found many strings related to Crypto-Wallets (likely being stolen) 37->87 89 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->89 91 4 other signatures 37->91 44 chrome.exe 37->44         started        47 chrome.exe 37->47 injected 55 C:\Users\user\AppData\...55atalieShield.url, MS 42->55 dropped 49 conhost.exe 42->49         started        file16 signatures17 process18 signatures19 99 Found many strings related to Crypto-Wallets (likely being stolen) 44->99
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/efa81ca3c664b6fc6c046f52db0e8db4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872/
Verdict:
Malicious
Threat:
Family.SECTOPRAT
Link:
https://tip.neiki.dev/file/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 02:44:51 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm4walo2gs3az6zyey2wzkw3fgvlg3qz7dk3qboi5owjraxopbza._file
Verdict:
malicious
Label(s):
sectoprat
Create hunting rule
Similar samples:
272b3cd90243295da28936b5fd521480c8adfa9aefb30ddca5ecbff6c454ba2d
Arechclient2
49e86f8f81cc8dad354e988d8d8baf2f79d45d7f7c542785ce37409df92bee6c
Arechclient2
61452f2771f1146914745b3260205ba3ee682959076e5659c57a4bcba84b8e1b
Arechclient2
b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
Arechclient2
e5105fd6fd8a6e79aeb583015741187e7eabe4ad667e8dacb4b8499d03816ff4
Arechclient2
ec3f20c3aa488962b546566c3e5c76d3c50ba60951c658c0bc473e564a9f74b4
Arechclient2
error
Arechclient2
f1865f5bcb465ab20ce262b8313b50dcba98c503a406d2c88b7af6494a044b3e
Arechclient2
+ 19 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery rat trojan
Link:
https://tria.ge/reports/250909-ssv9kscl8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
SectopRAT
SectopRAT payload
Sectoprat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d1016530-7c29-4abc-a186-e12f51ec5432
Unpacked files
SH256 hash:
b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872
MD5 hash:
efa81ca3c664b6fc6c046f52db0e8db4
SHA1 hash:
4a94d4412588f9933eeb600f444c7a30d96bbb54
Link:
https://www.unpac.me/results/afd27600-0dfe-4711-9870-c86a36fbf44b/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/afd27600-0dfe-4711-9870-c86a36fbf44b/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/afd27600-0dfe-4711-9870-c86a36fbf44b/
Malware family:
SectopRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b339602dda34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

Executable exe b339602dda34b60cfb3826356caadb29aab36e19f8d5b805c8ebac9882ee7872

(this sample)

  
Link
https://tria.ge/250909-sqzh8axwdz/behavioral1
  
Dropped by
LummaStealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26519/

Comments


Avatar
commented on 2025-09-09 15:26:48 UTC

Arechclient2/SectopRAT C2: http://5.10.250.239:9000/wbinjget?q=EF680CC9EFE0A8BCEC05D07897760CE8