MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 10

Intelligence 10 IOCs YARA 13 File information Comments

SHA256 hash:	e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2
SHA3-384 hash:	a437ba5e32168e2fab9c6576633288a0bc1f283bdc6c45fdc38763c7eac9b60f5eaf685bea0a900508e9e51567d9c9d0
SHA1 hash:	f699f9fdae2ab8d81dccfce3a484e083331e2690
MD5 hash:	6308a0d77643804268e46e9a1f3fe6fb
humanhash:	quebec-speaker-utah-kitten
File name:	IALMKAFJ.msi
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	12'156'380 bytes
First seen:	2025-08-11 05:57:44 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:R7u5sHx2dsj2Q8K3eWTpGq9vDFLOpoCMYa5dASmFLFLu/1Lo6V8IqO:85sHxeTQ8epGq9vDFgLgL
TLSH	T1FEC6CF127BAC4071E09B8135C95B8F5AD7F3BD612930D34F12A6735E6F733626A1A322
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	skocherhan
Tags:	Arechclient2 cloudverifsecure-com msi

skocherhan

https://cloudverifsecure.com/IALMKAFJ.msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20026/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68998682c633abe3908db879

Tags:

shellcode vmdetect

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2/

Verdict:

Malicious

Threat:

Trojan.Win32.Reline

Link:

https://tip.neiki.dev/file/e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

Threat name:

Win64.Adware.RedCap

Status:

Malicious

First seen:

2025-06-26 19:59:24 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

15 of 36 (41.67%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4sfeawifxl5ymny4u56hfyk35gor2yvziho5d72q6m5wsrf4xdba._file

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:hijackloader family:sectoprat discovery loader persistence privilege_escalation rat spyware stealer trojan

Link:

https://tria.ge/reports/250811-gpcsaagj4t/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Event Triggered Execution: Installer Packages

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

SectopRAT

SectopRAT payload

Sectoprat family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a8664665-eabd-46a9-9dfb-0363d17e04d1

Malware family:

GHOSTPULSE

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e48a405905ba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_GhostPulse_caea316b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Arechclient2

msi e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

(this sample)

69105452663c1341a4a773c0e0a81d0e

Dropping

MD5 69105452663c1341a4a773c0e0a81d0e

Cape

https://www.capesandbox.com/analysis/20026/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample