{
	"id": "1042598b-a880-446c-8e41-be06cec57bb4",
	"created_at": "2026-04-06T00:19:09.98483Z",
	"updated_at": "2026-04-10T03:20:33.464188Z",
	"deleted_at": null,
	"sha1_hash": "653926890595d969503090831239a8756b8326d4",
	"title": "Arechclient2 -",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71169,
	"plain_text": "Arechclient2 -\r\nPublished: 2022-11-30 · Archived: 2026-04-05 22:00:25 UTC\r\nI. Targeted Entities\r\nOpportunistic organizations\r\nII. Introduction\r\nArechclient2 is a .NET remote access trojan (RAT) that has numerous capabilities. The RAT can profile victim systems, steal information like browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions.\r\nIII. Cyber Florida SOC Observations\r\nCyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command and control server. The command and control server appears to be utilizing Google cloud services (googleusercontent.com). Within the Base64 data, exfiltrated usernames and passwords were observed. Based on observations, the exfiltrated data appears to be from cached browser credentials (Google Chrome profiles, Firefox profiles, Microsoft Edge profiles, etc.). In reviewing logs and network traffic there were parameters of interest within the data payload that would aid in identifying this activity. The following payload parameters were observed in the network traffic: ConnectionType, Client, SessionID, BotName, Computer, BuildID, BotOS, URLData, UIP.\r\nBased on observing network traffic for the command and control communication, there may be similarities with the Redline Stealer malware. See the CERT Italy article: https://cert-agid.gov.it/news/scoperto-il-malware-redline-stealer-veicolato-come-lastpass/\r\nScreenshot samples of log and network traffic have been provided in the appendix of this report.\r\nSome of the interesting evasion tactics Cyber Florida observed were the utilization of “sleep” functions and the usage of the .NET Framework’s InstallUtil.exe binary to communicate with the command and control server. The “sleep” functionality appeared to delay the usage of InstallUtil.exe. 
In testing, InstallUtil.exe appeared to run in perpetuity, regularly communicating with the command and control server. In reviewing a few of the automated sandboxes, the InstallUtil.exe activity was not identified. This may be due to the “sleep” activity being utilized.\r\nAnother evasion tactic appears to be attempting to modify Windows Defender settings via the second observed PowerShell instance. The cmdlet Set-MpPreference with the option -ExclusionPath ‘C:’ was employed. This command appears to create a malware scan exclusion, which would prevent Windows Defender from scanning the entire C: volume.\r\nThe following links provide examples and context of InstallUtil.exe malware usage and abuse.\r\nhttps://tampabay.tech/2022/11/30/arechclient2/\r\nPage 1 of 4\n\nhttps://gbhackers.com/hiding-malware-legitimate-tool/ (not directly related to observed activity)\r\nhttps://www.ired.team/offensive-security/code-execution/t1118-installutil (not directly related to observed activity)\r\nhttps://attack.mitre.org/techniques/T1218/004/\r\nDuring initial malicious binary execution, a persistence mechanism was observed via the common HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run location.\r\nIV. Additional Background Information\r\nBlackpoint Cyber discovered an ISO file that contained a malicious Windows executable that was downloaded to a victim’s computer and was not detected by an antivirus program. A malicious executable, named Setup.exe, was observed using various defense evasion techniques including obfuscation, injection, and uncommon automation tools. These tools were used to drop a RAT named Arechclient2 (Blackpoint Cyber). The size of Setup.exe is over 300 megabytes (Blackpoint Cyber).\r\nThe initial attack vector that was used to send Setup.exe to the victim is unknown. 
This is the execution step.\r\nWhen Setup.iso is double-clicked, the ISO file can be mounted like a CD and, oftentimes, the contents of the file are automatically executed (Blackpoint Cyber). Running Setup.exe will start the extraction of three files and execute multiple child processes (Blackpoint Cyber). A new folder, IXP000.TMP, is made in the victim’s AppData\\Local\\Temp directory and three files are created in the newly created directory: Funding.mpeg, Mali.mpeg, and Dns.mpeg (Blackpoint Cyber).\r\nThe Dns.mpeg script is heavily obfuscated. The script searches for AvastUI.exe and AVGUI.exe running on the victim’s computer. The two executables are found in the Avast antivirus product line (Blackpoint Cyber). If those two executables are not found, Dns.mpeg renames Hole.exe.pif to AutoIT3.exe. In the script .au3 (or d.au3) there are over 3,000 references to a function named Xspci(). This function takes a string as its first argument and a number as its second argument. The function is responsible for decoding strings (Blackpoint Cyber).\r\nThe .au3 script accomplishes three things through injection: 1. establishing persistence using a URL file in the victim’s startup folder; 2. copying the ntdll.dll file from the C:\\Windows\\SysWOW64 folder to avoid antivirus hooks; 3. injecting the embedded payload into jsc.exe (Blackpoint Cyber). The function that is responsible for the above tasks is KXsObHGILZNaOurxqSUainCYU(), which takes as arguments a pointer to the binary to be injected, a string argument, and a string argument with the path to the binary that would be executed and injected into (Blackpoint Cyber). The script establishes persistence by adding a URL file to the victim’s startup folder that will execute a Microsoft Visual Basic Script (VBS) on every login (Blackpoint Cyber).\r\nArechclient2 has a decompilation phase. Test.exe, a C# binary, can be loaded into tools that statically and dynamically analyze code. 
One such tool is dnSpy (Blackpoint Cyber). The class names in Test.exe were minimized to single and double characters to add an additional layer of confusion for reverse engineers (Blackpoint Cyber). The actual name of Test.exe is 2qbarx12tqm.exe (Blackpoint Cyber). Arechclient2 also contains a command and control (C2) phase. When Arechclient2 is executed, it connects to https[:]//pastebin.com/raw/nJqnWX3u to collect C2 information (Blackpoint Cyber). The requested file, nJqnWX3u, contains the IP address 34[.]141[.]198[.]105 as a string. It also connects to http[:]//eth0.me to get its public IP address (Blackpoint Cyber). Arechclient2 connects to its C2 server on port 15647 to receive commands. The server responds with information to control the encryption status (“On” or “Off”) in JSON format (Blackpoint Cyber). If the communications are intercepted and the encryption is set to “Off,” further communications will be in plaintext (Blackpoint Cyber).\r\nV. MITRE ATT\u0026CK\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nAdversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.\r\nT1555.003 – Credentials From Web Browsers\r\nAdversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. 
Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\r\nT1547.001 – Registry Run Keys / Startup Folder\r\nAdversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nAdversaries may modify and/or disable security tools to avoid possible detection of their malware, tools, and activities. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.\r\nT1218.004 – System Binary Proxy Execution: InstallUtil\r\nAdversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v*\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\InstallUtil.exe.\r\nT1095 – Non-Application Layer Protocol\r\nAdversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.\r\nT1132.001 – Standard Encoding\r\nAdversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. 
Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.\r\nVI. Recommendations\r\nPhishing awareness training\r\nUsers should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014\r\nSet antivirus programs to conduct regular scans\r\nEnsure that antivirus and antimalware programs are scanning assets using up-to-date signatures.\r\nMalware monitoring\r\nContinuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.\r\nStrong cyber hygiene\r\nEnforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a\r\nTurn on endpoint protection\r\nEnable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.\r\nNetwork Monitoring\r\nReview network logs, payloads, etc. for the related IP address and associated network parameters.\r\nVII. Indicators of Compromise (IOCs)\r\nThis screenshot shows the payload sent to a victim, as seen by Cyber Florida. A portion of the Base64 and UIP fields has been redacted.\r\nThe following screenshot is similar to the log above but was acquired via network packet capture.\r\nX. References\r\nBlackpoint Cyber. 
“Ratting out arechclient2 – Blackpoint Whitepaper.” Blackpoint Cyber. Accessed November 15, 2022. https://blackpointcyber.com/lp/ratting-out-arechclient2/?utm_campaign=ratting_out_arechclient2_whitepaper\u0026utm_source=resource_library.\r\nThreat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya.\r\nSource: https://tampabay.tech/2022/11/30/arechclient2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tampabay.tech/2022/11/30/arechclient2/"
	],
	"report_names": [
		"arechclient2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/653926890595d969503090831239a8756b8326d4.pdf",
		"text": "https://archive.orkl.eu/653926890595d969503090831239a8756b8326d4.txt",
		"img": "https://archive.orkl.eu/653926890595d969503090831239a8756b8326d4.jpg"
	}
}