MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 13

Intelligence 13 IOCs YARA 14 File information Comments

SHA256 hash:	b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16
SHA3-384 hash:	68d601638df3eee894acdba0e4a0dcae653477fa407c5fff7b8b76d8c78b6c1c10d97873ee741a6671b2b6a66393585c
SHA1 hash:	5cec1de19dc29bdc5b1e8b1b407df49bcf570fa2
MD5 hash:	36bd43b2792ce1ea475f91074eb2ef61
humanhash:	pennsylvania-blossom-echo-mango
File name:	36bd43b2792ce1ea475f91074eb2ef61.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	6'129'664 bytes
First seen:	2023-11-26 18:42:00 UTC
Last seen:	2023-11-26 19:58:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	98304:HbJtyoEqHYztcfN3Ks24t5TPC3oRdZci:NVBHEtcfBKKDzZci
Threatray	130 similar samples on MalwareBazaar
TLSH	T12E56AE493DBC0B50E02C1A728CED769B4BE95C1E78B1978BA3BE3D24CC36351597187A
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	b0b0b0e0787870b8 (1 x Arechclient2)
Reporter	abuse_ch
Tags:	Arechclient2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460447/

Detection(s):

SecuriteInfo.com.Trojan-Spy.Win32.Agent.27506.7475.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Creating a file

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm cmd lolbin net net_reactor obfuscated packed packed regasm

Link:

https://www.filescan.io/uploads/656391877485e5b1ecbbde56/reports/a12b0650-c577-41a6-8a4c-c831aadf5e1b/overview

Verdict:

Suspicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/97cafc6e-bb75-4feb-8c87-816cca639972

Result

Threat name:

RedLine, SectopRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1348150

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected SectopRAT

Behaviour

Behavior Graph:

Download SVG

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16/

Threat name:

Win32.Trojan.ScarletFlash

Status:

Malicious

First seen:

2023-11-26 18:15:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

166

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcqpt2z5x5phrqkxo6iv7w2xwrdurqpm4li4b2e4ylniobxppyla._file

Verdict:

malicious

Arechclient2

5e057872fbbd900706c93471529d122d558c0d49836dca41ed296ed3fe67566c

Arechclient2

b20090678b857d6b8638ed5db42de49a8be60f8169e6affb12e1a40b1d295f87

Arechclient2

b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

Arechclient2

dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

Arechclient2

+ 120 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/231126-xcbx8abb76/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

SectopRAT

SectopRAT payload

Unpacked files

SH256 hash:

63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee

MD5 hash:

a6810a5899b5a89ee483c9e94dacb015

SHA1 hash:

c787d081f7534936636b17d94ecee651fd64fdac

Link:

https://www.unpac.me/results/26105318-d1c7-47cc-90ba-65ebdbe5c475/

SH256 hash:

6afc1ce81d1a4e0ded03c87774119f7362d8f28194ef6da0195f35dd4107f0c6

MD5 hash:

821e96b1ef17386c1a6436bca168141e

SHA1 hash:

c2e8798a56382f601a0a486dc76288e56a49ddc1

Detections:

SUSP_XORed_URL_In_EXE

MALWARE_Win_Arechclient2

Link:

https://www.unpac.me/results/26105318-d1c7-47cc-90ba-65ebdbe5c475/

Parent samples :

2bb23cbf3fed1df1b057ea1370acb14402ad6ecff905ca7727ebf0d2d91095f2
dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635
5e057872fbbd900706c93471529d122d558c0d49836dca41ed296ed3fe67566c
107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
b20090678b857d6b8638ed5db42de49a8be60f8169e6affb12e1a40b1d295f87
b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16
3e6fc1760a323c057791b3d684ceef9b65f9f0acc9fe218f72df84f99eccb341
3a70800b1c037d9e97d97d79a394b5b8192135836b0abb3226479b3cd5d07ab8
ecde3ad92330ee31991c576ea937aee9ebba39fa9eada3e5c36e3ab245ce4fab
c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba
97ed97990a5fc17836ab908c41eed254598630f6cff2d6de93046e03336a14c3

SH256 hash:

6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33

MD5 hash:

f45c1512d5a47375e6e396b4d1111e58

SHA1 hash:

8af036b8c60d10e85cf82212930bb04bc0553f36

Link:

https://www.unpac.me/results/26105318-d1c7-47cc-90ba-65ebdbe5c475/

SH256 hash:

dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

MD5 hash:

544cd51a596619b78e9b54b70088307d

SHA1 hash:

4769ddd2dbc1dc44b758964ed0bd231b85880b65

Link:

https://www.unpac.me/results/26105318-d1c7-47cc-90ba-65ebdbe5c475/

SH256 hash:

b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

MD5 hash:

36bd43b2792ce1ea475f91074eb2ef61

SHA1 hash:

5cec1de19dc29bdc5b1e8b1b407df49bcf570fa2

Detections:

SUSP_NET_Msil_Suspicious_Use_StrReverse

Link:

https://www.unpac.me/results/26105318-d1c7-47cc-90ba-65ebdbe5c475/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b8a0f9eb3dbf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	msil_suspicious_use_of_strreverse Create hunting rule
Author:	dr4k0nia
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_NET_Msil_Suspicious_Use_StrReverse Create hunting rule
Author:	dr4k0nia, modified by Florian Roth
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834