MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 13

Intelligence 13 IOCs YARA 15 File information Comments

SHA256 hash:	ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631
SHA3-384 hash:	5c61b66290d6c4b13c7dd9f89ff236827bf489babea40139831226b9feb023bb2d22c714ba3d56d5f19128b1f0bd1367
SHA1 hash:	533568597e054635c223161d3bb506aea6f00dfc
MD5 hash:	2b0ca4edd1b9b7c6c627798503e9805f
humanhash:	muppet-four-arkansas-montana
File name:	ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	4'450'560 bytes
First seen:	2023-11-13 17:35:16 UTC
Last seen:	2023-11-14 09:23:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	98304:s+G7hCmxd7b75pQA0LjsDJ6DAzrZmjuY0NjYa4Fydtkz0AaVO:270onmKY0N8x0tkz0VO
Threatray	65 similar samples on MalwareBazaar
TLSH	T1F526AE322A30AF56CC1DE4F56AF9AC5807BFEE152621EB5779E4316C94F1320C8528DB
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f0e0e0e0c0c4c058 (1 x Arechclient2)
Reporter	abuse_ch
Tags:	Arechclient2 exe

abuse_ch

Arechclient2 C2:
138.201.120.172:15648

Intelligence

File Origin

# of uploads :

# of downloads :

356

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

https://nafsdwas.click/

Verdict:

Malicious activity

Analysis date:

2023-11-11 12:28:50 UTC

Tags:

lumma stealer amadey botnet loader arechclient2 backdoor g0njxa

Link:

https://app.any.run/tasks/20221a9d-bcf3-4ec4-bebd-6fdd18e783e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/458406/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.21968.25577.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Creating a file

Searching for synchronization primitives

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd lolbin net_reactor obfuscated overlay packed packed regsvcs

Link:

https://www.filescan.io/uploads/65525e892546bd423f18657d/reports/c4c23edb-daa5-47ee-95d1-51ffb6db991e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f0590c80-e0e2-4a95-909c-8b7ce4d0d43c

Result

Threat name:

RedLine, SectopRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1341887

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected SectopRAT

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631/

Threat name:

Win32.Trojan.Nekark

Status:

Malicious

First seen:

2023-11-11 15:11:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jaqvkxu2bw5p3lj5cxdaplq6piessvy4pdc62hnrm3mkkylcyyq._file

Verdict:

malicious

Arechclient2

1d1a2386819867a4000c1719703c8241ff404a69273f60df40aaa94c72409bfc

Arechclient2

1eed65dde4b285bdef0345ffbbaf777be7c22c34509aaec6fc4e6cfc204b233f

Arechclient2

46b454c387c2fddf9b75c3dddf419dfa328608b7662eb868a62b7c0ee98bc7e1

Arechclient2

8c3a544deed6af86417f4cc0e31d214dd56641c1f18c267d9eb19bfd82c8848e

Arechclient2

8cdab8eb3259b1b70b20f670156493bd0c2f4dbe6991a69b35e3108078134146

Arechclient2

b4554cf0100d5a04cfc2a3090419ff1f4fdc1d8f6264d24442cd39274aaa37e7

Arechclient2

d2c7f4155786a209bdf84fb13f664fb283eaaeb7607d23ff4e5edae510f1ecd8

Arechclient2

ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

Arechclient2

+ 55 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:sectoprat rat spyware trojan

Link:

https://tria.ge/reports/231113-v6j5ksec3w/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops startup file

Loads dropped DLL

SectopRAT

SectopRAT payload

Unpacked files

SH256 hash:

63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee

MD5 hash:

a6810a5899b5a89ee483c9e94dacb015

SHA1 hash:

c787d081f7534936636b17d94ecee651fd64fdac

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

SH256 hash:

f2c212f543c0f788690c791bc7acb74628e15abc9dc00439b0dda9e7233c3c52

MD5 hash:

f661ab7116fbdb192a24f1a784b89c63

SHA1 hash:

95dab665a4a68b12ddce358621d265f5d01a8bb8

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

SH256 hash:

6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33

MD5 hash:

f45c1512d5a47375e6e396b4d1111e58

SHA1 hash:

8af036b8c60d10e85cf82212930bb04bc0553f36

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

SH256 hash:

be301abd5e1d4834d27d34afd9dea79ab1cf0c268fc88760bafc3e3effb4c1b9

MD5 hash:

130799f6aeab59cfc54d2bfc9c2b0c1d

SHA1 hash:

73b78bb36418cabeed1b46c0898ec446f199b423

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

SH256 hash:

dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

MD5 hash:

544cd51a596619b78e9b54b70088307d

SHA1 hash:

4769ddd2dbc1dc44b758964ed0bd231b85880b65

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

SH256 hash:

ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

MD5 hash:

2b0ca4edd1b9b7c6c627798503e9805f

SHA1 hash:

533568597e054635c223161d3bb506aea6f00dfc

Link:

https://www.unpac.me/results/4a861830-fad7-4546-b53f-ae903f40e5c4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea410aaaf4d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_RedLineStealer_15ee6903 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Arechclient2

exe ea410aaaf4d06dd7ed69e8ae303d70f3d0494ab8e3c62f68ed8b36c52b0b1631

(this sample)

Cape

https://www.capesandbox.com/analysis/458406/

URLhaus

https://urlhaus.abuse.ch/url/2730598/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample