File name: EarthTime.exe

Full analysis: https://app.any.run/tasks/153c068f-dd8e-4a19-8610-1e1d4f8aaf7e
Verdict: Malicious activity
Threats:

Arechclient2 (also tracked as SecTopRAT) is a .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs stealth techniques including Base64 encoding to obscure its code and the ability to pause its activity to evade automated analysis. It can also adjust Windows Defender settings and uses code injection to run inside legitimate processes; in this run the payload executed inside MSBuild.exe.

Analysis date: September 12, 2024, 15:29:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arechclient2
backdoor
xor-url
generic
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 71F703024C3D3BFC409F66BB61F971A0
SHA1: F24FC14F39C160B54DC3B2FBD1EBA605EC0EB04F
SHA256: BCFF246F0739ED98F8AA615D256E7E00BC1CB24C8CABAEA609B25C3F050C7805
SSDEEP: 98304:zRA9o27HXIOsBHtEzOvRv5SJqxxt/JXrF5yHMhyluM6S9GXwBgiOCujEYmnNtU2c:LiDI7T5J1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • XORed URL has been found (YARA)
      • MSBuild.exe (PID: 1764)
    • ARECHCLIENT2 has been detected (SURICATA)
      • MSBuild.exe (PID: 1764)
    • Actions look like stealing of personal data
      • MSBuild.exe (PID: 1764)
    • Connects to the CnC server
      • MSBuild.exe (PID: 1764)
  • SUSPICIOUS
    • Contacting a server suspected of hosting a CnC
      • MSBuild.exe (PID: 1764)
    • Connects to an unusual port
      • MSBuild.exe (PID: 1764)
    • Starts CMD.EXE for command execution
      • EarthTime.exe (PID: 5532)
  • INFO
    • Checks supported languages
      • EarthTime.exe (PID: 5532)
      • MSBuild.exe (PID: 1764)
    • Reads the computer name
      • EarthTime.exe (PID: 5532)
      • MSBuild.exe (PID: 1764)
    • Creates files in a temporary directory
      • MSBuild.exe (PID: 1764)
      • EarthTime.exe (PID: 5532)
    • Disables trace logs
      • MSBuild.exe (PID: 1764)
    • Checks proxy server information
      • MSBuild.exe (PID: 1764)
    • Reads the machine GUID from the registry
      • MSBuild.exe (PID: 1764)
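The indicators above describe one chain: EarthTime.exe starts cmd.exe, cmd.exe starts MSBuild.exe, and MSBuild.exe loads a file from %TEMP% and beacons to a raw IP on port 9000. The following Python is an added hunting example written for this page, not ANY.RUN's signature logic and not code from the sample; it encodes those observations as four rules over Sysmon-style events. The EVENTS list is constructed to mirror the report's process tree (PID 1000 for explorer.exe and PIDs 9000/9001 for a benign Visual Studio build are invented for contrast), BUILD_HOSTS is an assumed allowlist, and the beacon regex is generalised from the single URL in this report.

```python
"""
Hunting logic for the behaviour this report records for MSBuild.exe (PID 1764):
started by cmd.exe beneath a user-profile executable, loading an extensionless
file from %TEMP%, connecting to a raw IP on port 9000 and issuing the
'/wbinjget?q=<32 hex chars>' GET. Everything in EVENTS is a constructed,
Sysmon-like rendering of the report's process tree (PIDs 1000/9000/9001 and
the Visual Studio baseline are made up for contrast), not sandbox telemetry.
"""
import re
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents under which MSBuild.exe is expected. Assumption for this example; add
# your CI agent binaries (or alert only outside build hosts) before deploying.
BUILD_HOSTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
COMMON_PORTS = {80, 443}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Shape of the one beacon URL in this report (the ET 'M2 (GET)' rule fires on it);
# treating the fixed path as a constant is an assumption until more samples confirm it.
BEACON_RE = re.compile(r"/wbinjget\?q=[0-9A-Fa-f]{32}$")

EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 5532, "ppid": 1000, "image": r"C:\Users\admin\Desktop\EarthTime.exe"},
    {"type": "process", "pid": 5556, "ppid": 5532, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process", "pid": 1764, "ppid": 5556,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "imageload", "pid": 1764, "image": r"C:\Users\admin\AppData\Local\Temp\yqatitqxpduw"},
    {"type": "network", "pid": 1764, "dst_ip": "45.141.87.55", "dst_port": 9000},
    {"type": "http", "pid": 1764,
     "url": "http://45.141.87.55:9000/wbinjget?q=EF680CC9EFE0A8BCEC05D07897760CE8"},
    # Benign contrast (constructed): Visual Studio driving a build that restores packages.
    {"type": "process", "pid": 9000, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "process", "pid": 9001, "ppid": 9000,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"type": "imageload", "pid": 9001,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Microsoft.Build.dll"},
    {"type": "network", "pid": 9001, "dst_ip": "203.0.113.10", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return {pid: [finding, ...]} for every MSBuild.exe process that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = defaultdict(list)
    for e in events:
        proc = procs.get(e["pid"])
        if proc is None or basename(proc["image"]) != "msbuild.exe":
            continue  # every rule below is scoped to MSBuild.exe as the acting process
        pid = e["pid"]
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            grand = procs.get(parent["ppid"]) if parent else None
            # Rule 1: shell-launched MSBuild whose grandparent is not a build host
            # (here: explorer.exe -> EarthTime.exe -> cmd.exe -> MSBuild.exe).
            if parent and basename(parent["image"]) in SHELLS and (
                grand is None or basename(grand["image"]) not in BUILD_HOSTS
            ):
                who = basename(grand["image"]) if grand else "<unknown>"
                findings[pid].append(f"spawned by {basename(parent['image'])} under {who}")
        elif e["type"] == "imageload" and TEMP_DIR_RE.search(e["image"]):
            # Rule 2: MSBuild mapping a file from %TEMP%; an extensionless name is
            # exactly what the report shows (yqatitqxpduw, written by cmd.exe).
            ext = "extensionless" if "." not in basename(e["image"]) else "has extension"
            findings[pid].append(f"loaded {e['image']} from %TEMP% ({ext})")
        elif e["type"] == "network" and e["dst_port"] not in COMMON_PORTS:
            # Rule 3: a build tool talking on a non-web port (report: 45.141.87.55:9000).
            findings[pid].append(f"connection to {e['dst_ip']}:{e['dst_port']} on an unusual port")
        elif e["type"] == "http" and BEACON_RE.search(e["url"]):
            # Rule 4: the Arechclient2/SecTopRAT check-in shape seen in this report.
            findings[pid].append(f"Arechclient2-style beacon: {e['url']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in hunt(EVENTS).items():
        print(pid)
        for hit in hits:
            print("  -", hit)
```

Running it prints the four findings for PID 1764; the Visual Studio baseline produces none. Tune BUILD_HOSTS and SHELLS for your estate: a developer running msbuild from a console window trips rule 1 on its own, so the signal is strongest when several rules fire on the same PID, as they do for this sample.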

xor-url

(PID) Process: (1764) MSBuild.exe
Decrypted URLs (3):
  http://dl.google.com/chrome/install/375.126/chrome_installer.exe
  https://github.com
  https://pastebin.com/raw/XK7ARdVw

The Chrome installer and github.com URLs are benign destinations of the kind malware uses for connectivity checks or as decoys; a pastebin raw paste is a common dead-drop resolver for a C2 address. None of the three was fetched during this run: the network section of this report shows only google.com resolved by DNS, and the C2 reached directly by IP.

No malware configuration extracted.
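The YARA hit above comes from searching MSBuild.exe for URL strings under every single-byte XOR key. The Python below is an added example for this page (not the sandbox's rule and not the malware's code) that does the same on a constructed blob: it XORs the three reported URLs with an invented key, 0x5A, then recovers them by brute force. The key and the surrounding bytes are assumptions; the URLs are the ones in the report.

```python
"""
Recovering single-byte-XOR-obscured URLs from a binary, the check behind the
'XORed URL has been found' YARA hit on MSBuild.exe. YARA's `xor` string
modifier tries every key for a string; this does the same for a URL pattern
and reports which key(s) yield URLs. The blob layout and the key 0x5A are
constructed for the example; the three URLs are the ones the report decrypted.
"""
import re

# RFC 3986 characters, so a match stops at the NUL (or any other separator)
# that follows each string once the right key has been applied.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

# The three URLs the sandbox recovered from MSBuild.exe (PID 1764).
REPORTED_URLS = [
    b"http://dl.google.com/chrome/install/375.126/chrome_installer.exe",
    b"https://github.com",
    b"https://pastebin.com/raw/XK7ARdVw",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_blob(urls, key: int) -> bytes:
    """Constructed stand-in for a region of the payload: a few plaintext header
    bytes followed by NUL-separated URLs XORed with a single-byte key."""
    plain = b"\x00\x00" + b"\x00".join(urls) + b"\x00\x00"
    return b"MZ\x90\x00" + xor_bytes(plain, key)


def find_xored_urls(blob: bytes):
    """Try every single-byte key (0 = plaintext) and return {key: [url, ...]}
    for the keys under which at least one URL appears."""
    hits = {}
    for key in range(256):
        urls = [m.decode("latin-1") for m in URL_RE.findall(xor_bytes(blob, key))]
        if urls:
            hits[key] = urls
    return hits


if __name__ == "__main__":
    sample = build_blob(REPORTED_URLS, 0x5A)
    for key, urls in find_xored_urls(sample).items():
        print(f"key 0x{key:02x}:")
        for url in urls:
            print("  ", url)
```

The equivalent YARA string is `$u = "http://" xor(0x01-0xff)`: the rule fires on whichever key matches, and the analyst then decodes the surrounding region with that key, which is what the "Decrypted-URLs" list above represents. A multi-byte or per-string key defeats a single-byte scan, and the report does not say which scheme this sample uses.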

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:27 15:06:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 1572352
InitializedDataSize: 10460160
UninitializedDataSize: -
EntryPoint: 0xdd593
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.24.12.0
ProductVersionNumber: 6.24.12.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
Comments: www.desksoft.com
CompanyName: DeskSoft
FileDescription: EarthTime Application
FileVersion: 6.24.12
InternalName: EarthTime
LegalCopyright: Copyright © DeskSoft
OriginalFileName: EarthTime.exe
ProductName: EarthTime
ProductVersion: 6.24.12

The version resource presents the file as DeskSoft's EarthTime 6.24.12, a legitimate desktop world-clock application. Version-resource strings are set by whoever built the file, and the report records no Authenticode signature check, so they are not evidence of origin. The PE metadata (PE32, MSVC linker 14.37, build timestamp 2023-11-27) describes a native 32-bit executable; the Arechclient2 payload is .NET and, per the process list, runs inside MSBuild.exe, so EarthTime.exe acts here as a loader stage that hands off to cmd.exe and MSBuild.exe and then exits.
Total processes: 121
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree)

explorer.exe
└─ EarthTime.exe (PID 5532, no specs)
   └─ cmd.exe (PID 5556, no specs)
      ├─ conhost.exe (PID 1616, no specs)
      └─ MSBuild.exe (PID 1764) #XOR-URL

Process information

PID 1616: conhost.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 1764: MSBuild.exe
  CMD: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: MSBuild.exe
  Version: 4.8.9037.0 built by: NET481REL1
  Indicators: xor-url
    Decrypted URLs (3):
      http://dl.google.com/chrome/install/375.126/chrome_installer.exe
      https://github.com
      https://pastebin.com/raw/XK7ARdVw
  Loaded images (the first entry is the extensionless file in %TEMP% that cmd.exe wrote, listed under Dropped files; it is mapped into the 32-bit MSBuild process, as is mshtml.dll, the Internet Explorer HTML engine, which a build does not normally load):
    c:\users\admin\appdata\local\temp\yqatitqxpduw
    c:\windows\syswow64\mshtml.dll
    c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\mscoree.dll
    c:\windows\syswow64\kernel32.dll

PID 5532: EarthTime.exe
  CMD: "C:\Users\admin\Desktop\EarthTime.exe"
  Path: C:\Users\admin\Desktop\EarthTime.exe
  Parent process: explorer.exe
  User: admin
  Company: DeskSoft
  Integrity Level: MEDIUM
  Description: EarthTime Application
  Exit code: 1
  Version: 6.24.12
  Loaded images:
    c:\users\admin\desktop\earthtime.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 5556: cmd.exe
  CMD: C:\WINDOWS\SysWOW64\cmd.exe
  Path: C:\Windows\SysWOW64\cmd.exe
  Parent process: EarthTime.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
Total events: 1 480
Read events: 1 466
Write events: 14
Delete events: 0

Modification events

The report lists these registry writes, all by MSBuild.exe (PID 1764):

Under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32:
  EnableFileTracing | 0
  EnableAutoFileTracing | 0
  EnableConsoleTracing | 0
  FileTracingMask | (value not shown in report)
  ConsoleTracingMask | (value not shown in report)
  MaxFileSize | 1048576
  FileDirectory | %windir%\tracing

Under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS:
  EnableFileTracing | 0
  EnableAutoFileTracing | 0
  EnableConsoleTracing | 0

Caveat: the Tracing\<image>_RASAPI32 and Tracing\<image>_RASMANCS keys, with the tracing flags at their default 0, are created automatically by the RAS tracing library the first time a process loads rasapi32.dll/rasman.dll (typically through WinINet or the RAS APIs), so the "Disables trace logs" signature is a weak indicator on its own. What these writes do establish is that MSBuild.exe initialised networking APIs, which is consistent with the C2 traffic in the network section.
Executable files: 0
Suspicious files: 6
Text files: 1
Unknown types: 0

Dropped files

C:\Users\admin\AppData\Local\Temp\yqatitqxpduw
  Process: cmd.exe (PID 5556)
  Type: (blank in report)
  MD5: (blank in report)
  SHA256: (blank in report)

C:\Users\admin\AppData\Local\Temp\54435a9
  Process: EarthTime.exe (PID 5532)
  Type: binary
  MD5: 4B58118FC1E5532A75C7D233133400EB
  SHA256: 6BCC68F31A77C2F5D43C825C1BB9BFEC360B1B1464C934BF2147BEFAB0E406AD

C:\Users\admin\AppData\Local\Temp\tmp3908.tmp
  Process: MSBuild.exe (PID 1764)
  Type: sqlite
  MD5: 46D41A1929939B3AD11C639CC2347541
  SHA256: AD30E08D89E9460B5DF8D9CD1E9DA068FB201E06303CCD449E197C739C9EFF5B

C:\Users\admin\AppData\Local\Temp\52caba7
  Process: EarthTime.exe (PID 5532)
  Type: image
  MD5: B74BBD41A2A210E44B06BC0A3D804DC2
  SHA256: 762408F967AEA9E5B03D999E01F149B822FADCF30B42D75B9738C04C4F4EF1FD

C:\Users\admin\AppData\Local\Temp\tmp38B9.tmp
  Process: MSBuild.exe (PID 1764)
  Type: sqlite
  MD5: 06AD9E737639FDC745B3B65312857109
  SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404

C:\Users\admin\AppData\Local\Temp\tmp38B8.tmp
  Process: MSBuild.exe (PID 1764)
  Type: sqlite
  MD5: 06AD9E737639FDC745B3B65312857109
  SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404

C:\Users\admin\AppData\Local\Temp\tmp38A7.tmp
  Process: MSBuild.exe (PID 1764)
  Type: sqlite
  MD5: 06AD9E737639FDC745B3B65312857109
  SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404

C:\Users\admin\AppData\Local\Temp\lueokikxwlnk
  Process: cmd.exe (PID 5556)
  Type: (blank in report)
  MD5: 3C3F92488FD0FC17A66E444C5FE05C9C
  SHA256: 5D2E2589BF2D06C0B46E79B54F81B466664DDD0A7CAF376AAC6B8095D899BA31

Two things stand out. yqatitqxpduw is written by cmd.exe (PID 5556) and then appears as the first loaded image of MSBuild.exe (PID 1764) in the process list, which is the hand-off from the loader to the .NET payload. The three tmp38xx.tmp sqlite files from MSBuild.exe share one MD5/SHA256 pair, so the same database was copied to %TEMP% three times; this, together with the "stealing of personal data" signature, matches a stealer copying locked browser databases before reading them.
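MSBuild.exe wrote three files the sandbox typed as sqlite into %TEMP%, next to the "stealing of personal data" signature. Browser stealers copy the locked Login Data, Cookies and Web Data databases to a temp file before reading them, which is what such artefacts usually are. The Python below is an added forensic triage example for this page, not code from the report or the sample; it checks the SQLite header and schema of each file in a directory and flags copies of browser stores. The sample database it builds is constructed (a mock of Chromium's logins table), and the table-name mapping is an assumption about Chromium's schema.

```python
"""
Triage of the sqlite files a process leaves in %TEMP% (the report lists three
tmp*.tmp files of type 'sqlite' created by MSBuild.exe alongside the
'stealing of personal data' signature). Stealers copy the browser's locked
'Login Data', 'Cookies' and 'Web Data' databases there before reading them,
so a temp sqlite file whose schema matches those stores is strong evidence of
credential theft. The sample database is constructed for this example; it is
not one of the files from the sandbox run.
"""
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file
# Table -> Chromium database it lives in. Assumption: Chromium's long-standing
# schema names (logins / cookies / autofill / credit_cards).
BROWSER_TABLES = {
    "logins": "Login Data",
    "cookies": "Cookies",
    "autofill": "Web Data",
    "credit_cards": "Web Data",
}


def triage_sqlite(path):
    """Classify one file: not-sqlite, sqlite-other, or a copy of a browser store."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head != SQLITE_MAGIC:
        return {"path": str(path), "is_sqlite": False, "tables": [], "rows": {}, "verdict": "not-sqlite"}
    # Open read-only through a file: URI so triage never alters the evidence file.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"))
        rows = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables if t in BROWSER_TABLES}
    finally:
        con.close()
    stores = sorted({BROWSER_TABLES[t] for t in rows})
    verdict = "browser-store-copy: " + ", ".join(stores) if stores else "sqlite-other"
    return {"path": str(path), "is_sqlite": True, "tables": tables, "rows": rows, "verdict": verdict}


def scan_dir(directory):
    """Triage every regular file in a directory (e.g. a preserved copy of %TEMP%)."""
    return [triage_sqlite(p) for p in sorted(Path(directory).iterdir()) if p.is_file()]


def build_sample(directory=None):
    """Write a constructed look-alike of Chromium's 'Login Data' plus a non-sqlite
    decoy into a scratch directory; returns (directory, db_path, decoy_path)."""
    d = Path(directory or tempfile.mkdtemp(prefix="triage-"))
    db = d / "tmp38B9.tmp"  # name borrowed from the report; the content is made up
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE meta (key TEXT PRIMARY KEY, value TEXT)")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    # Chromium prefixes AES-GCM-encrypted passwords with 'v10'; the remaining bytes are dummy.
    con.execute("INSERT INTO logins VALUES ('https://example.test/login', 'alice', X'7631301122')")
    con.commit()
    con.close()
    decoy = d / "decoy.bin"
    decoy.write_bytes(b"not a database\n")
    return str(d), str(db), str(decoy)


if __name__ == "__main__":
    scratch, _, _ = build_sample()
    for result in scan_dir(scratch):
        print(result["path"], "->", result["verdict"], result["rows"])
```

Point scan_dir at a preserved copy of the suspect %TEMP% (the hashes in the table above identify which files to pull from the full report). A browser-store-copy verdict on a file written by a process that is not a browser is the artefact to pivot on: the originals live under the user's profile and are held open by the browser, which is exactly why a stealer makes the copy.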
HTTP(S) requests: 3
TCP/UDP connections: 21
DNS requests: 4
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6232 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1764 | MSBuild.exe | GET | 200 | 45.141.87.55:9000 | http://45.141.87.55:9000/wbinjget?q=EF680CC9EFE0A8BCEC05D07897760CE8 | unknown | malicious

(The Type and Size columns carry no values in the report.) The two CRL fetches are Windows background traffic. The only request from the sample's process tree is the MSBuild.exe GET to a bare IP on port 9000; the q= value is 32 hexadecimal characters, the length of an MD5 digest, and the report does not state what it encodes.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6232 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6232 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6232 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

(Rows with "-" have no value in the report; one row is shown without PID or process.) Every connection listed here is Windows background traffic (telemetry, CRL checks, NetBIOS and SSDP broadcasts). The MSBuild.exe session with 45.141.87.55:9000 is recorded only in the HTTP requests and Threats sections, so 45.141.87.55:9000 is the indicator to block and hunt for.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID | Process | Class | Message
1764 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity
1764 | MSBuild.exe | Malware Command and Control Activity Detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init
1764 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
No debug info