File name:	SLAGGGLX.msi
Full analysis:	https://app.any.run/tasks/4f78cf3a-6368-4997-8104-96523634bbc1
Verdict:	Malicious activity
Threats:	The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 07, 2025, 12:23:45
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc auto generic stealer xor-url arechclient2 rat backdoor
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Tue Mar 4 17:47:31 2025, Create Time/Date: Tue Mar 4 17:47:31 2025, Last Printed: Tue Mar 4 17:47:31 2025, Revision Number: {37699457-8E5C-4E0E-8371-E73B1258678D}, Code page: 1252, Template: Intel;1033
MD5:	E1B11AB17B672DC15339A4EEA17D3BE7
SHA1:	7DD1111C168F544929CAF7E1BA8B2D790AA5CE77
SHA256:	7A79C311F24811999C14CEF556DA34F933DFD82B1A568B064034634941314369
SSDEEP:	98304:Y4ntEaeydvJVS5HB0dJV0c+Z0Sk6GWyW3/QXm7NR01qVKDdga/++dhImYbEhuGsK:cdC

.mst	\|	Windows SDK Setup Transform Script (60.2)
.msi	\|	Microsoft Installer (100)

Characters:	-
LastModifiedBy:	InstallShield
Words:	-
Title:	Installation Database
Comments:	Contact: Your local administrator
Keywords:	Installer,MSI,Database
Subject:	Blank Project Template
Author:	InstallShield
Security:	Password protected
Pages:	200
Software:	InstallShield? 2021 - Premier Edition with Virtualization Pack 27
ModifyDate:	2025:03:04 17:47:31
CreateDate:	2025:03:04 17:47:31
LastPrinted:	2025:03:04 17:47:31
RevisionNumber:	{37699457-8E5C-4E0E-8371-E73B1258678D}
CodePage:	Windows Latin 1 (Western European)
Template:	Intel;1033

PID	Process	Filename		Type
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\msvcp140.dll		executable
		MD5:E9F00DD8746712610706CBEFFD8DF0BD	SHA256:4CB882621A3D1C6283570447F842801B396DB1B3DCD2E01C2F7002EFD66A0A97
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\diorama.json		binary
		MD5:61947293ABC79F5E003AC42D9B7489F4	SHA256:57414BDA77D468F6573672AAA7B1B68E38AE511AB5BE187C227232A054C257BB
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\DuiLib_u.dll		executable
		MD5:83495E5DB2654BCEC3948EE486424599	SHA256:C1443C6CEA1D5FD8C3064D00F12C87FAE4B6670FB62D28F1969FB25C6DEDF6A6
4688	cmd.exe	C:\Users\admin\AppData\Local\Temp\ijbfjwbyh		—
		MD5:—	SHA256:—
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe		executable
		MD5:4D20B83562EEC3660E45027AD56FB444	SHA256:C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\vcruntime140.dll		executable
		MD5:A554E4F1ADDC0C2C4EBB93D66B790796	SHA256:E610CDAC0A37147919032D0D723B967276C217FF06EA402F098696AB4112512A
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{F1611B99-BF50-4F2B-BB7E-720F113622F3}\setup.inx		binary
		MD5:03628D8AF0094F0B6573CDCFCDDBE971	SHA256:8EA0A646E6036DA1612E5D6BB7F841D473BBD212D4F417BC8646D697EFBA5A87
2152	SplashWin.exe	C:\Users\admin\AppData\Roaming\Protectchrome_beta\msvcp140.dll		executable
		MD5:E9F00DD8746712610706CBEFFD8DF0BD	SHA256:4CB882621A3D1C6283570447F842801B396DB1B3DCD2E01C2F7002EFD66A0A97
7872	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{F1611B99-BF50-4F2B-BB7E-720F113622F3}\_isres_0x0409.dll		executable
		MD5:7DE024BC275F9CDEAF66A865E6FD8E58	SHA256:BD32468EE7E8885323F22EABBFF9763A0F6FFEF3CC151E0BD0481DF5888F4152
2152	SplashWin.exe	C:\Users\admin\AppData\Roaming\Protectchrome_beta\SplashWin.exe		executable
		MD5:4D20B83562EEC3660E45027AD56FB444	SHA256:C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.29:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.29:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3812	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
7652	MSBuild.exe	92.255.85.23:15847	—	Chang Way Technologies Co. Limited	HK	malicious
7456	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.216.77.29 23.216.77.37 23.216.77.30 23.216.77.19 23.216.77.25 23.216.77.39 23.216.77.41 23.216.77.13 23.216.77.21	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

SLAGGGLX.msi

E1B11AB17B672DC15339A4EEA17D3BE7

7DD1111C168F544929CAF7E1BA8B2D790AA5CE77

7A79C311F24811999C14CEF556DA34F933DFD82B1A568B064034634941314369

98304:Y4ntEaeydvJVS5HB0dJV0c+Z0Sk6GWyW3/QXm7NR01qVKDdga/++dhImYbEhuGsK:cdC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

Executing a file with an untrusted certificate

ARECHCLIENT2 has been detected (YARA)

XORed URL has been found (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Starts itself from another location

Connects to unusual port

INFO

Reads the computer name

An automatically generated document

Checks supported languages

Executable content was dropped or overwritten

The sample compiled with english language support

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

xor-url

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings