MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Arechclient2

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0
SHA3-384 hash:	1e10ff43935cabdacd373066bea03e8d77a4f761b1dcbe947267cf699fbba46124d2e717853f97e5d34b7e9026bf88fd
SHA1 hash:	99385943dbbd4f5c2f5d4e6cbc8c05e122b2d040
MD5 hash:	a2d4a5c8752f1a0e2810cef3a4cc5d55
humanhash:	hawaii-bakerloo-ten-fruit
File name:	a2d4a5c8752f1a0e2810cef3a4cc5d55.exe
Download:	download sample
Signature	Arechclient2 Create hunting rule
File size:	1'230'568 bytes
First seen:	2023-01-03 21:20:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:Bk70Trc+LCYd77tkbLebtHfb+3Bm/sg9VjI8ID+uKY/SzNLt3Q2RFMRDdmlwCKK:BkQTA+pPOabdz+k/sYjI8IKJY/MNQqQS
Threatray	1'445 similar samples on MalwareBazaar
TLSH	T15F45232034D1D277C0BBA13548E9C7359A7036350B65E2DB7AE85A7A6F102F2D7362CE
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	Arechclient2 exe signed

Code Signing Certificate

Organisation:	www.proof-reader.com
Issuer:	www.proof-reader.com
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-12-30T21:32:55Z
Valid to:	2023-12-30T21:52:55Z
Serial number:	72afd650c1f2168d4f7e2df51e0f3675
Thumbprint Algorithm:	SHA256
Thumbprint:	2075a97c3e74e3fce17dd75c669aef1fcd06200ac2d5b379c96d4878ab968040
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Arechclient2 C2:
65.108.101.156:15647

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Bllfgyszs.zip

Verdict:

Malicious activity

Analysis date:

2022-12-31 22:52:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/45a71395-e2e9-4773-ad55-a681fbf7e107

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349248/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Creating a window

Forced shutdown of a system process

Enabling autorun

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed redline

Link:

https://www.filescan.io/uploads/63b49c40dde391056ac0f9d7/reports/6c7760a9-610f-4c12-8442-355bb27fbcdc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8db3662c-4e33-4983-8655-8303eaec5cee

Result

Threat name:

RedLine, SectopRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1144789

Signature

Antivirus detection for URL or domain

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected RedLine Stealer

Yara detected SectopRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-12-31 02:35:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=66rpb5yonznte4xhzk67nmbrqt7qq3uiup6hdzohgwpwbvpetxya._file

Verdict:

malicious

Arechclient2

33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0

Arechclient2

5795e1e656eef516e884bcf0b57dfdccd24863893a5804532125242df09dc07b

Arechclient2

603529b388e236d8e83f550e3bea45ecb9664c7e8a6137bb1ee7981f13ee72fa

Arechclient2

6b102d3201a020b3661abae52a8f7fe5c64606d6867fec17a7ebdde69d038e7e

Arechclient2

7c248c54bac1db4abfb0e0151b4e89bd105a7c1202593477bbc9f795de78010f

Arechclient2

a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e

Arechclient2

d57f75cf079c4ec8c81e51751b3332ef5ce7dc8eba41b9a5b17dbb4277c20e5c

Arechclient2

+ 1'435 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence spyware trojan

Link:

https://tria.ge/reports/230103-z7bbaach83/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

.NET Reactor proctector

Modifies WinLogon for persistence

UAC bypass

Unpacked files

SH256 hash:

ad313baf55b55cd37d1d7dc6db9a8d60783b77d187430c043b1e2fcf4ae6b064

MD5 hash:

bcf49744ba4944dc810f4185ab8a9d50

SHA1 hash:

cf32e495575bee1e9382f7e4ac34674b9aec47b4

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

SH256 hash:

87e33a27066d4638c3aede2ef053462b8c48395de0dd8fc4087299628ff8e0fa

MD5 hash:

b4bb8d5ebcafb7cc2681e17e3596649a

SHA1 hash:

cd7c93d59b53b54e8a3e24e065c9cc93c7101b79

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

SH256 hash:

65636ea1c72537832fa53e51f0c98943454409f349eb11396db163e4d695ceae

MD5 hash:

4eb8c9c2ea0323685b7b93ac0f44063a

SHA1 hash:

b338760c42bef5af1830562cdc61e52bfa8ee335

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

SH256 hash:

5abb6f4e060df768a22f3649cef5c47cd45a558bb55a636dc3353a8f5d24a5be

MD5 hash:

f140daa3ab9de6b0df86790e72c753fa

SHA1 hash:

2e348396051370bd91c5a7d78f5ddbdd489f8729

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

SH256 hash:

106d7e1b314a57d4b60e314ebd3199dca05036321e50e404de61c462e32edf25

MD5 hash:

e611dc79ff40ca2af1e3c7148a435a1a

SHA1 hash:

ac3a425c02d565cb2d6e07dd741da00750f678d8

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

SH256 hash:

f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0

MD5 hash:

a2d4a5c8752f1a0e2810cef3a4cc5d55

SHA1 hash:

99385943dbbd4f5c2f5d4e6cbc8c05e122b2d040

Link:

https://www.unpac.me/results/5b15b67a-84f4-449f-8b9e-a250d6e47731/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f7a2f0f70e6e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7a2f0f70e6e5b3272e7cabdf6b03184ff086e88a3fc71e5c7359f60d5e49df0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/349248/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample