MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 15

Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash:	dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635
SHA3-384 hash:	72d960948b710a325c69d94ee5cbd72b714f9720e41335ff318bb2ab8c5125a432e591824780b67e8d2356269438da41
SHA1 hash:	fe5973e43f7893728851510e528e45b2b41d6a8e
MD5 hash:	07513e388a3c97fa87c50685692e00e4
humanhash:	fruit-golf-moon-alanine
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.JCM.gen.Eldorado.6151.23926
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	4'434'072 bytes
First seen:	2023-11-22 10:15:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	49152:UwgRVqZ2IcULFVAtK7jI8ELv1hdyOSQ14lh5jM9d+d2s9PPfTc+RJywV1Hfx8p5s:qRUih4OSQ+5g9dc19PnTc+XywCBYM2
Threatray	82 similar samples on MalwareBazaar
TLSH	T16A26BE0237E3E829E15D0A31C3F1815893BB9EB18B54EB8B32E47A1E3DB17D90D71659
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b4cc9c8c8cace4a4 (1 x Arechclient2)
Reporter	SecuriteInfoCom
Tags:	Arechclient2 exe signed

Code Signing Certificate

Organisation:	Hewlett-Packard Company /silver/
Issuer:	Hewlett-Packard Company /silver/
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-11-18T19:43:35Z
Valid to:	2033-11-19T19:43:35Z
Serial number:	6d3e119942e0fab0485241acc6d39032
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	f491a585dca2f54e8fae3512e0bcbf23c3d119c0bf1a2395554ce9250328383e
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

http://185.172.128.154/ama.exe

Verdict:

Malicious activity

Analysis date:

2023-11-22 15:47:29 UTC

Tags:

amadey botnet stealer arechclient2 backdoor loader

Link:

https://app.any.run/tasks/3f606794-52e6-46a5-8217-52d735772fe4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Arechclient2

Link:

https://www.capesandbox.com/analysis/459687/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.JCM.gen.Eldorado.6151.23926.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Labled as:

TrojanDownloader/MSIL.Small

Link:

https://www.hybrid-analysis.com/sample/dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11c4cd9d-85f7-49fd-9c3c-e7be9449b159

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1346353

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

60%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-11-22 09:25:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3otlppaljy6v7q2e4ho4ta2374nbs6ns6mqg3znfoa2dc672my2q._file

Verdict:

malicious

Arechclient2

2bb23cbf3fed1df1b057ea1370acb14402ad6ecff905ca7727ebf0d2d91095f2

Arechclient2

4ecddc16e5b3e808518b5ba17950c04427f9de389259b4027ad76ac5289e0d8a

Arechclient2

8c3a544deed6af86417f4cc0e31d214dd56641c1f18c267d9eb19bfd82c8848e

Arechclient2

8cdab8eb3259b1b70b20f670156493bd0c2f4dbe6991a69b35e3108078134146

Arechclient2

b4554cf0100d5a04cfc2a3090419ff1f4fdc1d8f6264d24442cd39274aaa37e7

Arechclient2

ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

Arechclient2

+ 72 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat rat trojan

Link:

https://tria.ge/reports/231122-masg3sbf94/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

.NET Reactor proctector

Drops startup file

Loads dropped DLL

SectopRAT

SectopRAT payload

Unpacked files

SH256 hash:

6afc1ce81d1a4e0ded03c87774119f7362d8f28194ef6da0195f35dd4107f0c6

MD5 hash:

821e96b1ef17386c1a6436bca168141e

SHA1 hash:

c2e8798a56382f601a0a486dc76288e56a49ddc1

Detections:

SUSP_XORed_URL_In_EXE

MALWARE_Win_Arechclient2

Link:

https://www.unpac.me/results/a5b2cc07-a17a-41df-be04-c4c15fee171c/

Parent samples :

2bb23cbf3fed1df1b057ea1370acb14402ad6ecff905ca7727ebf0d2d91095f2
dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635
5e057872fbbd900706c93471529d122d558c0d49836dca41ed296ed3fe67566c
107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
b20090678b857d6b8638ed5db42de49a8be60f8169e6affb12e1a40b1d295f87
b8a0f9eb3dbf5e78c15777915fdb57b44748c1ece2d1c0e89cc2da8706ef7e16
3e6fc1760a323c057791b3d684ceef9b65f9f0acc9fe218f72df84f99eccb341
3a70800b1c037d9e97d97d79a394b5b8192135836b0abb3226479b3cd5d07ab8
ecde3ad92330ee31991c576ea937aee9ebba39fa9eada3e5c36e3ab245ce4fab
c5cffc9807fa1747df3b91a8f12354f8f907bd062ed925c4368973e69dcb55ba
97ed97990a5fc17836ab908c41eed254598630f6cff2d6de93046e03336a14c3

SH256 hash:

dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

MD5 hash:

07513e388a3c97fa87c50685692e00e4

SHA1 hash:

fe5973e43f7893728851510e528e45b2b41d6a8e

Detections:

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/a5b2cc07-a17a-41df-be04-c4c15fee171c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dba6b7bc0b4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/dba6b7bc0b4e3d5fc344e1ddc9835bff1a1979b2f3206de5a57034317bfa6635

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834