MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Arechclient2


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505
SHA3-384 hash: c07b8f06588e6bcfcc80760ef5354ce66e7fed84da53cc1f162102c00ff9d43eab63474399ceb7f3ac7e3202473d0bbc
SHA1 hash: 77a385500521862e8a3d3ed1bfcd283399f103ea
MD5 hash: 1f3fdcd4d451b9853da1c81c5d5b3f12
humanhash: oklahoma-music-hydrogen-blue
File name:01984636724734_2005_748678457834.lnk
Download: download sample
Signature Arechclient2
Create hunting rule
File size:2'533 bytes
First seen:2025-06-06 05:53:25 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8JEtt02WBPdZ0KJtKWVWAlWw5bQvqhoSGddNXuHY8ddprpqtlIGKK0m:8JOlcPddVN35bQMGdLXuHJd14XIDK0
Threatray 2 similar samples on MalwareBazaar
TLSH T10C5161231BF80618F3B74A711A77E3904B37B910ED08CA9E51504A0C28B8138D039F3B
Magika lnk
Reporter abuse_ch
Tags:Arechclient2 lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LNK.PowerShell.Download-4.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30776.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684283438bd5d68a12e5da87
Tags:
miner overt spawn
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505/results/dashboard
Payload URLs
URL
File name
https://www.messias.org.br/tmp/ll/hta/f.het;mshta
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
BZC.YAX.Pantera.41
Link:
https://www.hybrid-analysis.com/sample/ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1707897
Signature
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1707897 Sample: 01984636724734_2005_7486784... Startdate: 06/06/2025 Architecture: WINDOWS Score: 100 42 pastebin.com 2->42 44 www.messias.org.br 2->44 46 messias.org.br 2->46 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 76 15 other signatures 2->76 10 powershell.exe 14 21 2->10         started        15 svchost.exe 1 1 2->15         started        signatures3 74 Connects to a pastebin service (likely for C&C) 42->74 process4 dnsIp5 50 messias.org.br 186.202.153.146, 443, 49682 LocawebServicosdeInternetSABR Brazil 10->50 38 C:\Users\user\AppData\Local\Temp\f.het, exported 10->38 dropped 82 Windows shortcut file (LNK) starts blacklisted processes 10->82 84 Powershell drops PE file 10->84 17 mshta.exe 1 10->17         started        20 conhost.exe 1 10->20         started        52 127.0.0.1 unknown unknown 15->52 file6 signatures7 process8 signatures9 60 Windows shortcut file (LNK) starts blacklisted processes 17->60 62 Suspicious powershell command line found 17->62 64 Found many strings related to Crypto-Wallets (likely being stolen) 17->64 66 Bypasses PowerShell execution policy 17->66 22 powershell.exe 35 17->22         started        process10 dnsIp11 48 195.82.147.93, 49688, 80 DREAMTORRENT-CORP-ASRU Russian Federation 22->48 36 C:\Users\user\AppData\...\husbandspecific.exe, PE32 22->36 dropped 78 Found many strings related to Crypto-Wallets (likely being stolen) 22->78 80 Loading BitLocker PowerShell Module 22->80 27 husbandspecific.exe 15 11 22->27         started        32 conhost.exe 22->32         started        file12 signatures13 process14 dnsIp15 54 92.255.57.32, 15847 TELSPRU Russian Federation 27->54 56 45.141.84.229, 15847, 49697, 49698 MEDIALAND-ASRU Russian Federation 27->56 58 pastebin.com 104.22.68.199, 443, 49696 CLOUDFLARENETUS United States 27->58 40 C:\Users\user\AppData\...\Secure Preferences, JSON 27->40 dropped 86 Attempt to bypass Chrome Application-Bound Encryption 27->86 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->88 90 Found many strings related to Crypto-Wallets (likely being stolen) 27->90 92 3 other signatures 27->92 34 chrome.exe 27->34         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505/
Threat name:
Shortcut.Backdoor.Sectoprat
Create hunting rule
Status:
Malicious
First seen:
2025-06-05 23:10:24 UTC
File Type:
Binary
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33mdzle23ornnyb6da3d4kadop32autwgprchyoeghmnfradeucq._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
sectoprat
Create hunting rule
Similar samples:
45b5b2377b6802d5b10aba99406c47f44aa98762248e02116b7c619b8f711cd9
Arechclient2
5430f21e56324187cf6688c2dd6eedb9de703f4c72a8b8c4437154b371d2b37d
Arechclient2
error
Arechclient2
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250606-glykksdq5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
SectopRAT
SectopRAT payload
Sectoprat family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

Shortcut (lnk) lnk ded83cac9adba2d6e03e18363e280373f7a0527633e223e1c431d8d2c4032505

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558662/
  
Delivery method
Distributed via web download

Comments