MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846
SHA3-384 hash: ae3c1fff647b0e560066b1ccc82dd4ddb6ee37c0773f4c667aabb906d68ae7076133c71e95577ee0b999cc4762808c02
SHA1 hash: 24ce5d9552eb9a33b565cc410f3ea055a1a82d03
MD5 hash: fa0459a4f482a14fd350de21dbc55ae3
humanhash: juliet-music-georgia-hydrogen
File name:fa0459a4f482a14fd350de21dbc55ae3.exe
Download: download sample
Signature Arechclient2
Create hunting rule
File size:1'416'207 bytes
First seen:2022-02-02 08:07:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 31f703552d204daf7c2d3dbfa12d709d (3 x RedLineStealer, 1 x Arechclient2)
ssdeep 24576:z74/ZWk/9D1kUARVO+hECYwYCqhBUas2ZZPFA0CCia3ZXTVDi4aq2xsgShB51lLC:z74lD1kUAyN5Cq1RP60CCZ9TVm4P2xs6
Threatray 4'575 similar samples on MalwareBazaar
TLSH T10C652360B9844179F8D105B2D6FAFA799A39AE71073892D7E2C83D23F4742C22D3D356
File icon (PE):PE icon
dhash icon 86713e2791074db8 (1 x Arechclient2)
Reporter abuse_ch
Tags:Arechclient2 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Arechclient2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229854/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FSTT.13678.31885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Possible injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5757/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61fa3be518d1bfdde4ea3ec6/reports/6d857ef8-4f66-48b0-88b1-bb65d78bae55/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a4986f65-3a0a-4f8b-81dd-017a99131843
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.expl.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/933011
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 565487 Sample: le2yz7YfXw.exe Startdate: 03/02/2022 Architecture: WINDOWS Score: 72 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Drops script at startup location 2->61 10 le2yz7YfXw.exe 6 2->10         started        13 wscript.exe 2->13         started        15 xMnxVAiIyr.exe.pif 2->15         started        process3 dnsIp4 69 Contains functionality to register a low level keyboard hook 10->69 18 cmd.exe 1 10->18         started        21 dllhost.exe 10->21         started        71 Creates processes via WMI 13->71 53 RbWrnrhpEtrSQohallepmAoc.RbWrnrhpEtrSQohallepmAoc 15->53 signatures5 process6 signatures7 63 Obfuscated command line found 18->63 65 Drops PE files with a suspicious file extension 18->65 23 cmd.exe 3 18->23         started        27 conhost.exe 18->27         started        29 conhost.exe 21->29         started        process8 file9 49 C:\Users\user\AppData\...\Pieghi.exe.pif, PE32 23->49 dropped 67 Obfuscated command line found 23->67 31 Pieghi.exe.pif 4 23->31         started        36 tasklist.exe 1 23->36         started        38 tasklist.exe 1 23->38         started        40 4 other processes 23->40 signatures10 process11 dnsIp12 55 RbWrnrhpEtrSQohallepmAoc.RbWrnrhpEtrSQohallepmAoc 31->55 47 C:\Users\user\AppData\...\xMnxVAiIyr.exe.pif, PE32 31->47 dropped 57 Drops PE files with a suspicious file extension 31->57 42 cmd.exe 2 31->42         started        file13 signatures14 process15 file16 51 C:\Users\user\AppData\...\xMnxVAiIyr.url, MS 42->51 dropped 45 conhost.exe 42->45         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-02 08:08:12 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0517a624e70f53121e45760f0548ac93208af6dfe3b643e1e1e74e2138a92adc
Arechclient2
43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b
Arechclient2
952277c9dfd5bc4d0ccaf19fd51f58c94bf5993705b150168e3395dab1943a41
Arechclient2
9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
Arechclient2
d6cc9b7c7d718a202a0820e4c5588e25fd90050ad1318ff41d795a5d7d90fa82
Arechclient2
ee2e455231053433cc4d8718e0fb69e0f11d9875c5d1d3b3eebba4426148fb6d
Arechclient2
f085ccac2550f9dbcd5ab7863d82b4520d97efe9233fcea4742214e80a5e2538
Arechclient2
faec9f2bb4da32ed322a8d98e634997ba23d2b28aa64a2efe7d49d6bb2f15467
Arechclient2
+ 4'565 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220202-j1j2vahge6/
Behaviour
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Sets service image path in registry
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
5335f6184bc6486ffcbb5a8f0d388a82f98654c2666c3d6aff23fdf0fb2beb3c
MD5 hash:
d22ae3161402fec7c0f79851aff65dca
SHA1 hash:
dbb9135f14e0d3ccbdec6cf278b1a3e7291be6d5
Link:
https://www.unpac.me/results/a403dbf4-2557-4387-8114-c0aea464dc25/
SH256 hash:
dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846
MD5 hash:
fa0459a4f482a14fd350de21dbc55ae3
SHA1 hash:
24ce5d9552eb9a33b565cc410f3ea055a1a82d03
Link:
https://www.unpac.me/results/a403dbf4-2557-4387-8114-c0aea464dc25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

Executable exe dcb28a28c1b0d809b45522bfac4dece7cc76b7f5bc504e095a262e474b700846

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/229854/
  
URLhaus
https://urlhaus.abuse.ch/url/2025084/
  
Delivery method
Distributed via web download

Comments