| File name: | decrypted.exe |
| Full analysis: | https://app.any.run/tasks/74e8337b-3e44-4ba7-a30c-39b9cdecc58b |
| Verdict: | Malicious activity |
| Threats: | The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. |
| Analysis date: | October 05, 2024, 15:13:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 53CE8EA949F61A9B11651C8EAFECFF76 |
| SHA1: | 5CB51086968929125D0615739C380FF142E6FF55 |
| SHA256: | 58E38DB883597286180F4A5BB97386C6B8C5C400A8B1CA7254F3DA7EF40ACF9C |
| SSDEEP: | 98304:urq3BdwGzDa09kity6ey3V97r0+d8gKk4REQ27Lnyr1yPh4Vahf2doQ73kQQh18+:Tl9z0zUtOsVL2yEjivpdHEabSiV |
MALICIOUS
Antivirus name has been found in the command line (generic signature)
- cmd.exe (PID: 1608)
- find.exe (PID: 1116)
- tasklist.exe (PID: 2056)
- tasklist.exe (PID: 5520)
- find.exe (PID: 2768)
- cmd.exe (PID: 2064)
- tasklist.exe (PID: 2384)
- cmd.exe (PID: 6920)
- cmd.exe (PID: 1008)
- find.exe (PID: 3852)
- cmd.exe (PID: 4792)
- tasklist.exe (PID: 4880)
- find.exe (PID: 4344)
- tasklist.exe (PID: 4172)
- find.exe (PID: 6028)
XORed URL has been found (YARA)
- AutoIt3.exe (PID: 3768)
- InstallUtil.exe (PID: 6708)
Starts CMD.EXE for self-deleting
- AutoIt3.exe (PID: 3768)
ARECHCLIENT2 has been detected (SURICATA)
- InstallUtil.exe (PID: 6708)
Connects to the CnC server
- InstallUtil.exe (PID: 6708)
SUSPICIOUS
Executable content was dropped or overwritten
- decrypted.exe (PID: 1692)
- decrypted.tmp (PID: 7140)
- decrypted.exe (PID: 6200)
- decrypted.tmp (PID: 5044)
- AutoIt3.exe (PID: 4540)
Reads the Windows owner or organization settings
- decrypted.tmp (PID: 7140)
- decrypted.tmp (PID: 5044)
Reads security settings of Internet Explorer
- decrypted.tmp (PID: 7140)
The process drops Mozilla's DLL files
- decrypted.tmp (PID: 5044)
The process drops C-runtime libraries
- decrypted.tmp (PID: 5044)
Process drops legitimate windows executable
- decrypted.tmp (PID: 5044)
Get information on the list of running processes
- decrypted.tmp (PID: 5044)
- cmd.exe (PID: 1608)
- cmd.exe (PID: 6464)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 6920)
- cmd.exe (PID: 4792)
- cmd.exe (PID: 1008)
Starts CMD.EXE for commands execution
- decrypted.tmp (PID: 5044)
- AutoIt3.exe (PID: 3768)
Hides command output
- cmd.exe (PID: 2436)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 2436)
The executable file from the user directory is run by the CMD process
- AutoIt3.exe (PID: 4540)
Contacting a server suspected of hosting an CnC
- InstallUtil.exe (PID: 6708)
Connects to unusual port
- InstallUtil.exe (PID: 6708)
INFO
Reads the computer name
- decrypted.tmp (PID: 7140)
- decrypted.tmp (PID: 5044)
Checks supported languages
- decrypted.tmp (PID: 7140)
- decrypted.exe (PID: 1692)
- decrypted.exe (PID: 6200)
- decrypted.tmp (PID: 5044)
- AutoIt3.exe (PID: 3768)
Create files in a temporary directory
- decrypted.exe (PID: 1692)
- decrypted.tmp (PID: 7140)
- decrypted.exe (PID: 6200)
- decrypted.tmp (PID: 5044)
The process uses the downloaded file
- decrypted.tmp (PID: 7140)
Process checks computer location settings
- decrypted.tmp (PID: 7140)
Creates files or folders in the user directory
- decrypted.tmp (PID: 5044)
Reads mouse settings
- AutoIt3.exe (PID: 3768)
Reads the machine GUID from the registry
- AutoIt3.exe (PID: 3768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
xor-url
(PID) Process(3768) AutoIt3.exe
Decrypted-URLs (3)http://dl.google.com/chrome/install/375.126/chrome_installer.exe
https://github.com
https://pastebin.com/raw/eB8bmiVA
(PID) Process(6708) InstallUtil.exe
Decrypted-URLs (3)http://dl.google.com/chrome/install/375.126/chrome_installer.exe
https://github.com
https://pastebin.com/raw/eB8bmiVA
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:07:12 07:26:53+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 685056 |
| InitializedDataSize: | 439296 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa83bc |
| OSVersion: | 6.1 |
| ImageVersion: | - |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.1420.82.9 |
| ProductVersionNumber: | 7.1420.82.9 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Computer System Information |
| FileDescription: | Weathers EZ System Repairs |
| FileVersion: | Sys Probe |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | 2.2.0.0 |
| ProductVersion: | Sys Probe |
Total processes
154
Monitored processes
34
Malicious processes
8
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 68 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1008 | "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" | C:\Windows\System32\cmd.exe | — | decrypted.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1116 | find /I "avastui.exe" | C:\Windows\System32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1608 | "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" | C:\Windows\System32\cmd.exe | — | decrypted.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1692 | "C:\Users\admin\Desktop\decrypted.exe" | C:\Users\admin\Desktop\decrypted.exe | explorer.exe | ||||||||||||
User: admin Company: Computer System Information Integrity Level: MEDIUM Description: Weathers EZ System Repairs Exit code: 1 Version: Sys Probe Modules
| |||||||||||||||
| 2056 | tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2064 | "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" | C:\Windows\System32\cmd.exe | — | decrypted.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2384 | tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2436 | "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\Epa3xldBD.a3x && del C:\ProgramData\\Epa3xldBD.a3x | C:\Windows\SysWOW64\cmd.exe | — | AutoIt3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2584 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 097
Read events
4 082
Write events
15
Delete events
0
Modification events
| (PID) Process: | (4540) AutoIt3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | eebbfca |
Value: "C:\kgcchef\AutoIt3.exe" C:\kgcchef\eebbfca.a3x | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6708) InstallUtil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
Executable files
47
Suspicious files
22
Text files
34
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1692 | decrypted.exe | C:\Users\admin\AppData\Local\Temp\is-69QVJ.tmp\decrypted.tmp | executable | |
MD5:EDF47D593ACF0E39438D621E8357AD34 | SHA256:5F0F2E763C33EF0D3BB30041927A39191A257B533E16F1F89BF2939D669C9412 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\AccessibleMarshal.dll | executable | |
MD5:B2564EF534DA9E2B9872B1B200AF00BC | SHA256:7513B671C147D80ABE5784DC7EBADA1D17621F235253DE4AB3172F6F11BFA7A0 | |||
| 7140 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-HUKCQ.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
| 7140 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-HUKCQ.tmp\_isetup\_iscrypt.dll | executable | |
MD5:A69559718AB506675E907FE49DEB71E9 | SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\is-1M3H4.tmp | executable | |
MD5:B2564EF534DA9E2B9872B1B200AF00BC | SHA256:7513B671C147D80ABE5784DC7EBADA1D17621F235253DE4AB3172F6F11BFA7A0 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\is-0KVOK.tmp | executable | |
MD5:A7CE13A6C69FEE0300BBC134F1CDC1D8 | SHA256:05EBFC184043BAB2F219F133D2AFD16F916C6E6478DBE366BBA9294F65FB3400 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\application.ini | text | |
MD5:E30F651CD4B7032F0F268D7A668CBF74 | SHA256:073E59D3BFC57C5FA95673B5F55341368C4F156924A93E42A5E1D14359ACE422 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\is-GIT60.tmp | text | |
MD5:E30F651CD4B7032F0F268D7A668CBF74 | SHA256:073E59D3BFC57C5FA95673B5F55341368C4F156924A93E42A5E1D14359ACE422 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\crashreporter | executable | |
MD5:A7CE13A6C69FEE0300BBC134F1CDC1D8 | SHA256:05EBFC184043BAB2F219F133D2AFD16F916C6E6478DBE366BBA9294F65FB3400 | |||
| 5044 | decrypted.tmp | C:\Users\admin\AppData\Local\Temp\is-71QAP.tmp\is-TC092.tmp | executable | |
MD5:D13EA999D4BD97989B051879578274B6 | SHA256:F7C1F554012796054E7B54A41FF434B945BDC767620BCB101CC77909A3F63CC8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
27
DNS requests
6
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6708 | InstallUtil.exe | GET | 200 | 45.141.87.50:9000 | http://45.141.87.50:9000/wbinjget?q=EF680CC9EFE0A8BCEC05D07897760CE8 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6536 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6536 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6708 | InstallUtil.exe | 45.141.87.50:15647 | — | Media Land LLC | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6708 | InstallUtil.exe | A Network Trojan was detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity |
6708 | InstallUtil.exe | Malware Command and Control Activity Detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init |
6708 | InstallUtil.exe | A Network Trojan was detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) |