MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3af0eb6e6ddce0f2e2993634d4b3edd86b3584c0c6f6000c5f94379f491698d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 8

SHA256 hash: b3af0eb6e6ddce0f2e2993634d4b3edd86b3584c0c6f6000c5f94379f491698d
SHA3-384 hash: f4dcc1ba6464c135b07ff8e8a376b6163aa413ed4995b37d80d2b38338619ad97c7603c6f7276671c441ea10c07c0388
SHA1 hash: bb0614af7e04c2de289bcce81b792a2438da8f9a
MD5 hash: 0998a098dfc8eb0c1aa8c2065469c75d
humanhash: hot-batman-carpet-may
File name: 0998a098dfc8eb0c1aa8c2065469c75d.exe
Signature: Arechclient2
File size: 3'117'320 bytes
First seen: 2023-01-28 16:10:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9c119c0b545be0f5d03be66ae71633b8 (2 x Arechclient2, 2 x RedLineStealer)
ssdeep: 49152:9Zhfr5JxKAVgcJnxsgmqVsQVv/VuLin5zNwh1TKdVxx/XuKYE:jlrxKwjrfm9EvECzNMTQ9/eKV
Threatray: 11 similar samples on MalwareBazaar
TLSH: T155E502D8DC47C947E02751331A97B32BB1A41D4F4C26A78D835ADE83DC255BBB30BA86
TrID: 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
dhash icon: f0c0a0e2ccd4f071 (1 x AgentTesla, 1 x Arechclient2)
Reporter: abuse_ch
Tags: Arechclient2 exe signed

Code Signing Certificate

Organisation: www.staircase.com
Issuer: www.staircase.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-28T12:50:26Z
Valid to: 2024-01-28T13:10:26Z
Serial number: 4ecc27af6c0c86b84710509e8f963568
Thumbprint Algorithm: SHA256
Thumbprint: c397cc03c7e120a46cd7ae94184589912808bb47c70dbb6e4655125ee86f5d5a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Arechclient2 C2:
5.75.149.1:15645

Intelligence

File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0998a098dfc8eb0c1aa8c2065469c75d.exe
Verdict: No threats detected
Analysis date: 2023-01-28 16:12:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine, SectopRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph (ID 793550; sample uvg0M74yP1.exe; start date 28/01/2023; architecture WINDOWS; score 100), recovered from the rendered graph:
Root signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures
Process tree: uvg0M74yP1.exe (3 processes started) -> InstallUtil.exe (5 processes started)
uvg0M74yP1.exe signatures: Detected unpacking (changes PE section rights); Writes to foreign memory regions; Injects a PE file into a foreign processes
InstallUtil.exe signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
InstallUtil.exe network: 5.75.149.1, 15645, 49699, 49701 (HETZNER-ASDE, Germany); eth0.me 5.132.162.27, 49700, 80 (INTERNEX-ASAT, Austria); 192.168.2.1 (unknown)
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-01-28 15:58:19 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 20 of 37 (54.05%)
Threat level: 2/5
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SHA256 hash: b3af0eb6e6ddce0f2e2993634d4b3edd86b3584c0c6f6000c5f94379f491698d
MD5 hash: 0998a098dfc8eb0c1aa8c2065469c75d
SHA1 hash: bb0614af7e04c2de289bcce81b792a2438da8f9a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download: Arechclient2, Executable exe b3af0eb6e6ddce0f2e2993634d4b3edd86b3584c0c6f6000c5f94379f491698d (this sample)

Comments