MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 12


Intelligence 12 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc
SHA3-384 hash: 6a309c81039d7550c06c800e082b2baaaf27a6cf1ef6d956bd95640c9aaf4fc3f6a0425e5ec1801f835acc0cc328be31
SHA1 hash: 5ceb7a7b149251ed38a69d767a4ca184849c5128
MD5 hash: e788430c67bf3185af8eeef64af83696
humanhash: beryllium-dakota-colorado-kilo
File name:e788430c67bf3185af8eeef64af83696.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:388'736 bytes
First seen:2024-04-22 21:40:54 UTC
Last seen:2024-04-22 22:30:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:5YHV7BNK/QMtNCAiIVzpiQwHp/DrTRvLyysB3YGwizUOn6OUzvcxX1T:GHFBriZSDDhLVsdYZizh6ZQxlT
TLSH T159842322AD5C5352CFB75BBA2D5709D31F7A73030A30C646A9B4BC59EE833C8910A776
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:Arechclient2 exe


Avatar
abuse_ch
Arechclient2 C2:
http://185.172.128.76/3cd2b41cbde8fc9c.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-04-22 22:08:51 UTC
Tags:
loader hausbomber amadey botnet stealer redline meta metastealer stealc opendir gcleaner exfiltration telnet phorpiex rat asyncrat remote rhadamanthys evasion njrat bladabindi xworm vodkagats djvu ransomware stop risepro raccoonclipper worm purplefox backdoor dcrat vidar nitol nemucod
Link:
https://app.any.run/tasks/ded2ad0c-88ea-4467-9dca-b731d34e92cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6626d97054bafb7d21d93fa9/reports/0eb53f5d-0cbb-4dff-8193-28dbaeb7637b/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik.ALLG trojan
Link:
https://www.hybrid-analysis.com/sample/d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/649107bc-7f4b-4af2-89f3-9f958a06572e
Result
Threat name:
Glupteba, Mars Stealer, Phorpiex, PureLo
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1429962
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected Phorpiex
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1429962 Sample: c3nBx2HQG2.exe Startdate: 22/04/2024 Architecture: WINDOWS Score: 100 158 Found malware configuration 2->158 160 Malicious sample detected (through community Yara rule) 2->160 162 Multi AV Scanner detection for dropped file 2->162 164 16 other signatures 2->164 8 c3nBx2HQG2.exe 1 4 2->8         started        11 svchost.exe 2->11         started        13 cmd.exe 2->13         started        process3 signatures4 166 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->166 168 Writes to foreign memory regions 8->168 170 Allocates memory in foreign processes 8->170 172 4 other signatures 8->172 15 RegSvcs.exe 15 306 8->15         started        20 powershell.exe 24 8->20         started        22 WerFault.exe 8->22         started        28 4 other processes 8->28 24 WerFault.exe 11->24         started        26 conhost.exe 13->26         started        process5 dnsIp6 124 107.167.110.211 OPERASOFTWAREUS United States 15->124 126 107.167.110.216 OPERASOFTWAREUS United States 15->126 130 10 other IPs or domains 15->130 64 C:\Users\...\zEhSWDVUomZ6TEl15fw1fYWX.exe, PE32 15->64 dropped 66 C:\Users\...\xU8RbnWO3V3Dl96TyIhjmVlp.exe, PE32+ 15->66 dropped 68 C:\Users\...\x69SPm2axrJXOqYvcStpHRhk.exe, PE32 15->68 dropped 70 193 other files (185 malicious) 15->70 dropped 152 Drops script or batch files to the startup folder 15->152 154 Creates HTML files with .exe extension (expired dropper behavior) 15->154 30 DDaZc3rnQb5VP0fWQaRC5inu.exe 15->30         started        35 ixp80HqDMkGtaN0bukW3btjF.exe 15->35         started        37 8AkFYhKuQbhiGv5wt17Rwb8l.exe 15->37         started        43 17 other processes 15->43 156 Loading BitLocker PowerShell Module 20->156 39 conhost.exe 20->39         started        41 WmiPrvSE.exe 20->41         started        128 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->128 file7 signatures8 process9 dnsIp10 110 185.215.113.66 WHOLESALECONNECTIONSNL Portugal 30->110 112 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 30->112 118 22 other IPs or domains 30->118 90 C:\Users\...\zNo1gyOtv8mYAn8492SAdBml.exe, MS-DOS 30->90 dropped 92 C:\Users\...\zAOv7O6DhNEFRnZqY1kmPeEC.exe, PE32 30->92 dropped 94 C:\Users\...\yzwGsHGaV_hLfPnXE6QTRl1q.exe, MS-DOS 30->94 dropped 100 29 other malicious files 30->100 dropped 132 Query firmware table information (likely to detect VMs) 30->132 134 Drops PE files to the document folder of the user 30->134 136 Creates HTML files with .exe extension (expired dropper behavior) 30->136 150 9 other signatures 30->150 120 3 other IPs or domains 35->120 102 6 other malicious files 35->102 dropped 138 Detected unpacking (changes PE section rights) 35->138 140 Detected unpacking (overwrites its own PE header) 35->140 142 Writes many files with high entropy 35->142 45 u670.0.exe 35->45         started        50 run.exe 35->50         started        104 6 other malicious files 37->104 dropped 52 u5p8.0.exe 37->52         started        54 run.exe 37->54         started        114 107.167.110.217 OPERASOFTWAREUS United States 43->114 116 107.167.125.189 OPERASOFTWAREUS United States 43->116 122 3 other IPs or domains 43->122 96 C:\Users\user\AppData\Local\Temp\uvk.3.exe, PE32 43->96 dropped 98 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 43->98 dropped 106 26 other malicious files 43->106 dropped 144 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->144 146 Found many strings related to Crypto-Wallets (likely being stolen) 43->146 148 Hides threads from debuggers 43->148 56 KW4sSNFCJ2SxqVUhYMCjbirS.exe 43->56         started        58 5J1rzJde35rt0pajk3TvGgV7.exe 43->58         started        60 KW4sSNFCJ2SxqVUhYMCjbirS.exe 43->60         started        62 2 other processes 43->62 file11 signatures12 process13 dnsIp14 108 185.172.128.76 NADYMSS-ASRU Russian Federation 45->108 72 C:\Users\user\AppData\...\softokn3[1].dll, PE32 45->72 dropped 74 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 45->74 dropped 76 C:\Users\user\AppData\...\mozglue[1].dll, PE32 45->76 dropped 88 9 other files (2 malicious) 45->88 dropped 174 Detected unpacking (changes PE section rights) 45->174 176 Detected unpacking (overwrites its own PE header) 45->176 178 Tries to steal Mail credentials (via file / registry access) 45->178 180 5 other signatures 45->180 78 Opera_installer_2404222142105247520.dll, PE32 56->78 dropped 80 Opera_installer_2404222142269124476.dll, PE32 58->80 dropped 82 Opera_installer_2404222142150407984.dll, PE32 60->82 dropped 84 Opera_installer_2404222142336398448.dll, PE32 62->84 dropped 86 C:\Users\user\AppData\Local\...\wOEsWSt.exe, PE32 62->86 dropped file15 signatures16
Score:
60%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc/
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-04-22 22:45:45 UTC
AV detection:
10 of 24 (41.67%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2oj4g2p4zznzmeaybaonnmkraxxndtbkot7sgw7lkq434bidspoa._file
Verdict:
unknown
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer themida trojan
Link:
https://tria.ge/reports/240422-1jq79sgg5z/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba payload
Modifies firewall policy service
Stealc
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc
MD5 hash:
e788430c67bf3185af8eeef64af83696
SHA1 hash:
5ceb7a7b149251ed38a69d767a4ca184849c5128
Link:
https://www.unpac.me/results/12754dec-ae5f-4b45-ad92-5159f4918e77/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d393c369fcce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Windows_Trojan_RedLineStealer_15ee6903
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

Executable exe d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2819427/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments