MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611
SHA3-384 hash: 24d73d08a0cf77e1f9852670f2efbc297f4ab2c7d2432a1beaaebe3e366d321d1ddedc6a4c4c5d193791091755a82804
SHA1 hash: e4c39f040f3de10fe313841c5ac1299efc744cf9
MD5 hash: d0e480c875d38349b1c00861db70a34e
humanhash: illinois-solar-black-alaska
File name:5yhg.ps1
Download: download sample
Signature Arechclient2
Create hunting rule
File size:12'552 bytes
First seen:2025-05-09 11:48:44 UTC
Last seen:2025-05-09 12:11:12 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:aLn5FUghWkE2isiWp3acAL3GLw4a8O6Jh2OYgaSmy/DN/5+aArSShx:aNOQ5XiaqTL3GLQv66O/f/ZEa+3x
Threatray 37 similar samples on MalwareBazaar
TLSH T1D942BF54C4628E65ADA0934524585B3CD7807A163EBA9382F4BA3C7BDD2FF14C0EE5EC
Magika txt
Reporter JAMESWT_WT
Tags:185-125-50-140 Arechclient2 mychecksecureconnect-cloud ps1

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.15242.26870.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681dec5d4a59e5a2ce0341ee
Tags:
spawn virus remo
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/681debb50b64e174c41f9746/reports/058aa835-ad04-4365-aae1-b642761ecb6a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1685307
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1685307 Sample: 5yhg.ps1 Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 65 mychecksecureconnect.cloud 2->65 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 3 other signatures 2->83 10 msiexec.exe 79 39 2->10         started        13 CodedDi.exe 4 2->13         started        16 powershell.exe 15 27 2->16         started        signatures3 process4 dnsIp5 51 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\datastate.dll, PE32 10->53 dropped 55 C:\Users\user\AppData\Local\...\CodedDi.exe, PE32 10->55 dropped 19 CodedDi.exe 6 10->19         started        57 C:\Users\user\AppData\Local\...\6478D34.tmp, PE32 13->57 dropped 91 Maps a DLL or memory area into another process 13->91 23 cmd.exe 1 13->23         started        25 ElevaInterface64.exe 1 13->25         started        63 mychecksecureconnect.cloud 104.21.38.93, 443, 49721 CLOUDFLARENETUS United States 16->63 93 Loading BitLocker PowerShell Module 16->93 27 conhost.exe 16->27         started        29 msiexec.exe 3 16->29         started        file6 signatures7 process8 file9 45 C:\ProgramData\writerControl\sqlite3.dll, PE32 19->45 dropped 47 C:\ProgramData\writerControl\datastate.dll, PE32 19->47 dropped 49 C:\ProgramData\writerControl\CodedDi.exe, PE32 19->49 dropped 85 Switches to a custom stack to bypass stack traces 19->85 31 CodedDi.exe 5 19->31         started        35 conhost.exe 23->35         started        signatures10 process11 file12 59 C:\Users\user\AppData\Local\...\4B3E7EC.tmp, PE32 31->59 dropped 61 C:\Users\user\...levaInterface64.exe, PE32 31->61 dropped 69 Found hidden mapped module (file has been removed from disk) 31->69 71 Maps a DLL or memory area into another process 31->71 73 Switches to a custom stack to bypass stack traces 31->73 75 Found direct / indirect Syscall (likely to bypass EDR) 31->75 37 ElevaInterface64.exe 2 31->37         started        41 cmd.exe 3 31->41         started        signatures13 process14 dnsIp15 67 185.125.50.140, 443, 49725, 49727 INPLATLABS-ASRU Russian Federation 37->67 87 Switches to a custom stack to bypass stack traces 37->87 89 Found direct / indirect Syscall (likely to bypass EDR) 37->89 43 conhost.exe 41->43         started        signatures16 process17
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-02 05:49:34 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeknl7prtyuna7fr3wxhwxydk5fe43xkiwdvmavwy6vmvaoukyiq._file
Verdict:
malicious
Label(s):
sectoprat
Create hunting rule
Similar samples:
002c9d6070fe8ba48e26cde3161c24c745534b732e4b2748c8198d65b3da1aa4
Arechclient2
1a4a1fc4c3ddccb8efcaaab7fa0ba3965e2244fa0733100e56122354e7bb721a
Arechclient2
55ea17a44d7a9882236b5cda25fa844e62cb1a4fe8d5cdc17b3591f4f98aa802
Arechclient2
c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d
Arechclient2
dbb8323b67e456a39df69d6de430c66654f6ca05fd104afb70be3a46def254de
Arechclient2
error
Arechclient2
+ 27 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery execution persistence privilege_escalation rat trojan
Link:
https://tria.ge/reports/250509-ny5b8avnt7/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
SectopRAT
SectopRAT payload
Sectoprat family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c914d5fdf19e28d07cb1ddae7b5f03574a4e6eea45875602b6c7aaca81d45611

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments