MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ec3f20c3aa488962b546566c3e5c76d3c50ba60951c658c0bc473e564a9f74b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Arechclient2
Vendor detections: 16
| SHA256 hash: | ec3f20c3aa488962b546566c3e5c76d3c50ba60951c658c0bc473e564a9f74b4 |
|---|---|
| SHA3-384 hash: | a02e0c42e58e6bc8e5abd1f809bc9bc98740c162052dea0bebe51ef744c656b361dc2f078f2842db3212b0066b363d39 |
| SHA1 hash: | f298207976215752f4be34f5c72faf175c8720fb |
| MD5 hash: | 919de860366c87f163acdb8545b4e5dc |
| humanhash: | echo-autumn-jupiter-massachusetts |
| File name: | SecuriteInfo.com.Win32.Malware-gen.86262565 |
| Download: | download sample |
| Signature | Arechclient2 |
| File size: | 6'017'990 bytes |
| First seen: | 2025-08-22 13:20:20 UTC |
| Last seen: | 2025-08-22 14:19:09 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader) |
| ssdeep | 49152:UwREDM1xl2TWpeRNCblC0EfRrQ+dNeNG8tJZ:UwREw1TxpeRNChJsRk+dNEGKJ |
| Threatray | 1 similar samples on MalwareBazaar |
| TLSH | T1CE56D01A7B8FAC39F059AB3E15E2901494F369A264D2AD7256ECD46CCE30C501DFEE07 |
| TrID | 62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| Magika | pebin |
| dhash icon | 7cf4e2ccccc2c4dc (1 x AveMariaRAT, 1 x CobaltStrike, 1 x Arechclient2) |
| Reporter |  SecuriteInfoCom |
| Tags: | Arechclient2 exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
49
Origin country :
FRVendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
c53514d91103ebe68fed9cda4b6a05cf8a5c21e32b8a368d528fedebffdf278d.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-22 10:33:43 UTC
Tags:
gcleaner loader lumma stealer telegram auto autoit redline amadey botnet arch-exec auto-reg themida evasion
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Arechclient2
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect dropper extens virus
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Moving a recently created file
Launching a process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-21T21:04:00Z UTC
Last seen:
2025-08-21T21:04:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Coins.sb Trojan-PSW.Stealerc.HTTP.ServerRequest Trojan-PSW.MSIL.Reline.c Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Delf.sb Trojan-PSW.Win32.Stealerc.qzl Trojan-PSW.Reline.HTTP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.MSIL.Reline.sb
Verdict:
Malicious
Score:
55%
Verdict:
Susipicious
File Type:
PE
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Threat name:
Win32.Dropper.Malgent
Status:
Malicious
First seen:
2025-08-22 01:49:31 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
17 of 38 (44.74%)
Threat level:
3/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
sectoprat
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
ec3f20c3aa488962b546566c3e5c76d3c50ba60951c658c0bc473e564a9f74b4
MD5 hash:
919de860366c87f163acdb8545b4e5dc
SHA1 hash:
f298207976215752f4be34f5c72faf175c8720fb
SH256 hash:
793e616d2e279a103a56ecf33275b1b50e2836fa799791e8737a7a5141b77ac6
MD5 hash:
d4cee922bd29aabfa3599605c452026b
SHA1 hash:
52fa3625ecef7d619216c209e79e480738344c18
Malware family:
SectopRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Borland |
|---|---|
| Author: | malware-lu |
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | grakate_stealer_nov_2021 |
|---|
| Rule name: | MALWARE_Win_Arechclient2 |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Arechclient2 RAT |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | SUSP_XORed_URL_In_EXE |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | SUSP_XORed_URL_in_EXE_RID2E46 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | vmdetect |
|---|---|
| Author: | nex |
| Description: | Possibly employs anti-virtualization techniques |
| Rule name: | Windows_Trojan_Arechclient2_b6ea1c83 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_RedLineStealer_15ee6903 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_redline_stealer_generic |
|---|---|
| Author: | dubfib |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid |
| SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW |
| WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW |
| WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW user32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.