MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5913bd62d99ac77cbf91d38a0929b07de53d36e9bbcd591512d40ee3da8c3fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 9

SHA256 hash: e5913bd62d99ac77cbf91d38a0929b07de53d36e9bbcd591512d40ee3da8c3fd
SHA3-384 hash: f4a5c57f834911d9e62779194b9a1cea754020fec40cd6f6ae62863c7463d4522e01eb87c1016f1035a1350ffa3b8c0e
SHA1 hash: e31f9ca68bd950d4183f0bd5e0c00fca6aeca9df
MD5 hash: a9959568e30c249e3712a40a1a3bdb96
humanhash: winner-river-georgia-lima
File name: amd_ags_x64.dll
Signature: Arechclient2
File size: 107'520 bytes
First seen: 2026-03-27 21:42:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1c1a10a1396dbcbaebcbf840a6c50361 (1 x Vidar, 1 x Arechclient2)
ssdeep: 3072:SgGChyNQF5B4HLifFlJgTJvQpGGUyZq5VDf0XYOar:SgxyNNrueTiNUCq5VDfaar
TLSH: T141B35B47B7A400BBE0B793388AA38A16D77278521731ABDF465441AA5F377D14E3CB32
TrID: 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
      25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.4% (.ICL) Windows Icons Library (generic) (2059/9)
      10.3% (.EXE) OS/2 Executable (generic) (2029/13)
      10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: aachum
Tags: 5-8-248-245 Arechclient2 dll dropped-by-ACRStealer HIjackLoader IDATLoader SectopRAT


iamaachum
http://185.121.233.94/first.zip

SectopRAT/Arechclient2: 5.8.248.245

Intelligence


File Origin
# of uploads: 1
# of downloads: 148
Origin country: ES
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: dwstoeaws.exe.zip
Verdict: Malicious activity
Analysis date: 2026-03-27 12:20:44 UTC
Tags: stealer golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Clean
File Type: dll x64
First seen: 2026-03-27T14:46:00Z UTC
Last seen: 2026-03-29T14:28:00Z UTC
Hits: ~10
Malware family: AMD Technologies Inc.
Verdict: Unknown
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 1890470; sample amd_ags_x64.dll.exe; start date 27/03/2026; architecture WINDOWS; score 48; signature: Multi AV Scanner detection for submitted file). Process tree recovered from the graph:
  loaddll64.exe
    cmd.exe
      rundll32.exe
        WerFault.exe
    rundll32.exe
      WerFault.exe
    rundll32.exe
      WerFault.exe
    2 other processes
      WerFault.exe
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Unpacked files
SHA256 hash: e5913bd62d99ac77cbf91d38a0929b07de53d36e9bbcd591512d40ee3da8c3fd
MD5 hash: a9959568e30c249e3712a40a1a3bdb96
SHA1 hash: e31f9ca68bd950d4183f0bd5e0c00fca6aeca9df
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Lazarus_Loader_Dec_2020_1
Author: Arkbird_SOLG
Description: Detect loader used by Lazarus group in december 2020
Reference: Internal Research

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Arechclient2
File type: Executable exe
SHA256 hash: e5913bd62d99ac77cbf91d38a0929b07de53d36e9bbcd591512d40ee3da8c3fd (this sample)
