MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 14

Intelligence 14 IOCs YARA 14 File information Comments

SHA256 hash:	c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba
SHA3-384 hash:	85cc8f23de8bf910771802b22d50c7e3679389a7d2c13596a1d817ccd42ad6e69992a4ec4d41829264328953e084abb2
SHA1 hash:	c8d2f4dcb005f1fff7c5f9b5a8a2ca0b62bda9ea
MD5 hash:	8c1612e86d4d9059dcf1f89d9b76881a
humanhash:	seventeen-oklahoma-georgia-moon
File name:	SecuriteInfo.com.W32.MSIL_Agent.GZN.gen.Eldorado.3915.4967
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	5'632'000 bytes
First seen:	2023-12-01 11:25:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	98304:Yfnfhrk25cX1tiPOYzQO3DQysNdlTll/eOLNmmDd:enfhr1GFoPOY0O3DVa7pYL6d
Threatray	37 similar samples on MalwareBazaar
TLSH	T130467C42BE91DF22F058613BC5DF550803B4EC246BA2F317BABC323D54517666C4AAAF
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	b0a484a4b4b4c4e4 (1 x Arechclient2)
Reporter	SecuriteInfoCom
Tags:	Arechclient2 exe

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Agent.GZN.gen.Eldorado.3915.4967

Verdict:

Malicious activity

Analysis date:

2023-12-01 11:28:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e9e47c9d-065a-45f5-8056-bfd1ec34c1f9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Arechclient2

Link:

https://www.capesandbox.com/analysis/461694/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Creating a file in the %AppData% subdirectories

Creating a file

DNS request

Sending a custom TCP request

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35d765e5-11e6-4b1c-981f-8c1e634b2bea

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1351351

Behaviour

Behavior Graph:

n/a

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-12-01 11:26:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yxh7zgah7ilupxz3sgupci2u7d4qppigf3mslrbwrfz6nholkw5a._file

Verdict:

malicious

Arechclient2

3e6fc1760a323c057791b3d684ceef9b65f9f0acc9fe218f72df84f99eccb341

Arechclient2

5e057872fbbd900706c93471529d122d558c0d49836dca41ed296ed3fe67566c

Arechclient2

b20090678b857d6b8638ed5db42de49a8be60f8169e6affb12e1a40b1d295f87

Arechclient2

b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16

Arechclient2

dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

Arechclient2

+ 27 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat rat trojan

Link:

https://tria.ge/reports/231201-njt8pshe2z/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Drops startup file

Loads dropped DLL

SectopRAT

SectopRAT payload

Unpacked files

SH256 hash:

6afc1ce81d1a4e0ded03c87774119f7362d8f28194ef6da0195f35dd4107f0c6

MD5 hash:

821e96b1ef17386c1a6436bca168141e

SHA1 hash:

c2e8798a56382f601a0a486dc76288e56a49ddc1

Detections:

SUSP_XORed_URL_In_EXE

MALWARE_Win_Arechclient2

Link:

https://www.unpac.me/results/8e46f04b-15a5-490d-9aa0-4351d3d3aea5/

Parent samples :

2bb23cbf3fed1df1b057ea1370acb14402ad6ecff905ca7727ebf0d2d91095f2
dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635
5e057872fbbd900706c93471529d122d558c0d49836dca41ed296ed3fe67566c
107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
b20090678b857d6b8638ed5db42de49a8be60f8169e6affb12e1a40b1d295f87
b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16
3e6fc1760a323c057791b3d684ceef9b65f9f0acc9fe218f72df84f99eccb341
3a70800b1c037d9e97d97d79a394b5b8192135836b0abb3226479b3cd5d07ab8
ecde3ad92330ee31991c576ea937aee9ebba39fa9eada3e5c36e3ab245ce4fab
c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba
97ed97990a5fc17836ab908c41eed254598630f6cff2d6de93046e03336a14c3

SH256 hash:

c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba

MD5 hash:

8c1612e86d4d9059dcf1f89d9b76881a

SHA1 hash:

c8d2f4dcb005f1fff7c5f9b5a8a2ca0b62bda9ea

Link:

https://www.unpac.me/results/8e46f04b-15a5-490d-9aa0-4351d3d3aea5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c5cffc9807fa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834