MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060
SHA3-384 hash: 4b9cef52e086c95594ef534f8a3c86d2880d1ee71c3fee36ec1746b931efc4bb83ec4d9598fe8a7bef5cbfafbe608bf4
SHA1 hash: 270d7d2c73c287e7c14bfb0be95e99d1365200e8
MD5 hash: 08fddb3395aa1c8c194e73b47ceef47c
humanhash: xray-potato-carolina-thirteen
File name:PMLQRJIN.msi
Download: download sample
Signature Arechclient2
Create hunting rule
File size:6'225'920 bytes
First seen:2025-02-26 12:38:08 UTC
Last seen:2025-04-09 13:14:50 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:f9Ik7EfkqEogGJOB34C6iFuv0XAI2q5zE/lNQuyCVSfh:SReofOBoC6is08q5zE/guOf
TLSH T1E95633C1B4B01B23D295A93D72FA89B167B1ECE5DB1B68033016391F6833A815E91FD7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:92-255-85-23 Arechclient2 msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
42
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bf0b8fa0fd713c335cf1bc
Tags:
spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/67bf0b3d3afc3763bec7bb19/reports/cec8c9d2-3ca3-4592-8de8-6402aa50eef1/overview
Verdict:
Suspicious
Labled as:
Generik.BPOYESN trojan
Link:
https://www.hybrid-analysis.com/sample/dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624701
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1624701 Sample: PMLQRJIN.msi Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 61 Suricata IDS alerts for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 6 other signatures 2->67 9 msiexec.exe 79 39 2->9         started        12 RoboTaskLite.exe 1 2->12         started        15 msiexec.exe 3 2->15         started        process3 file4 51 C:\Users\user\AppData\Local\...\vcl280.bpl, PE32 9->51 dropped 53 C:\Users\user\AppData\Local\...\rtl280.bpl, PE32 9->53 dropped 55 C:\Users\user\AppData\...\RoboTaskLite.exe, PE32 9->55 dropped 17 RoboTaskLite.exe 6 9->17         started        91 Maps a DLL or memory area into another process 12->91 93 Found direct / indirect Syscall (likely to bypass EDR) 12->93 21 cmd.exe 12->21         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...\vcl280.bpl, PE32 17->41 dropped 43 C:\Users\user\AppData\Roaming\...\rtl280.bpl, PE32 17->43 dropped 45 C:\Users\user\AppData\...\RoboTaskLite.exe, PE32 17->45 dropped 69 Switches to a custom stack to bypass stack traces 17->69 71 Found direct / indirect Syscall (likely to bypass EDR) 17->71 23 RoboTaskLite.exe 1 17->23         started        47 C:\Users\user\AppData\Local\Temp\olu, PE32 21->47 dropped 73 Writes to foreign memory regions 21->73 75 Maps a DLL or memory area into another process 21->75 26 MSBuild.exe 1 21->26         started        28 conhost.exe 21->28         started        signatures8 process9 signatures10 85 Maps a DLL or memory area into another process 23->85 87 Switches to a custom stack to bypass stack traces 23->87 89 Found direct / indirect Syscall (likely to bypass EDR) 23->89 30 cmd.exe 4 23->30         started        process11 file12 57 C:\Users\user\AppData\Local\Temp\orpfyhuan, PE32 30->57 dropped 95 Writes to foreign memory regions 30->95 97 Found hidden mapped module (file has been removed from disk) 30->97 99 Maps a DLL or memory area into another process 30->99 101 Switches to a custom stack to bypass stack traces 30->101 34 MSBuild.exe 15 40 30->34         started        39 conhost.exe 30->39         started        signatures13 process14 dnsIp15 59 92.255.85.23, 15847, 62067, 62086 SOVTEL-ASRU Russian Federation 34->59 49 C:\Users\user\AppData\...\Secure Preferences, JSON 34->49 dropped 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->77 79 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->79 81 Tries to harvest and steal browser information (history, passwords, etc) 34->81 83 Tries to steal Crypto Currency Wallets 34->83 file16 signatures17
Score:
13%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qfpgjjtjg6d23h7qs4zorw6cmbbc66s7oruzd7s6szsewvd2bqa._file
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery persistence privilege_escalation rat spyware trojan
Link:
https://tria.ge/reports/250226-pxewlsznz9/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
SectopRAT
SectopRAT payload
Sectoprat family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b85245a-07e1-442e-870d-34362f6c8e9a
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc0af3253349/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc0af3253349bc3d6cff84b99746de1302117bd2fba34c8ff2f4b3225aa3d060

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments