Overview
Arechclient2, also known as sectopRAT, is a Remote Access Trojan (RAT) written in .NET. This malware is highly obfuscated using the calli obfuscator, making its analysis challenging. Despite attempting deobfuscation using calliFixer, the code remained obfuscated but was still somewhat readable using dnSpy.
The sample analyzed has the following characteristics:
File Hash: EED3542190002FFB5AE2764B3BA7393B
File Size: 768KB
Original File Name: Bluefin.exe
File Type: .Net
Obfuscation Technique: calli obfuscator
Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473
VT Detection: 61/72
File Download: any.run
Static Analysis
Obfuscation Technique
The malware is obfuscated using the calli obfuscator, as identified using Detect It Easy (DIE).
Attempts to deobfuscate the code using CalliFixer were unsuccessful, as shown below:
Extracted Strings
Extracting strings from the executable revealed significant indicators of the malware’s capabilities. Some of the key strings found include:
- Browser Data Extraction:
URL, User, Password0, AccountT, BrowserExtension, AutofillT, Logins, Cookies7, os_crypt, LocalState, encrypted_key
- System and Hardware Information:
HardwareType, OSVersion, Machine, ReleaseID, Language, ScreenSize, TimeZone, IPv4, Monitor
- Installed Software and Processes:
AvailableLanguages, Softwares, Processes, SystemHardwares
- Targeted Applications and Services:
Nord, Open, Proton (VPNs), Steam, Discord, Telegram, FTP, ScanBrowsers, ScanFiles, ScanFTP, ScanWallets, ScanScreen
- Data Exfiltration and Storage:
FileLocation, SeenBefore3, FileScannerArgT, OfApplication, Directory, Pattern, Recoursive7
Observed Functionalities
Upon analyzing the decompiled code, several key functionalities were observed:
- Scanning and gathering information about installed web browsers, including browser extensions and stored credentials.
- Extracting cookies, usernames, passwords, and autofill data.
- Scanning the system for installed VPN services such as NordVPN and ProtonVPN.
- Collecting system information, including hardware details and OS specifications.
- Looking for installed game launchers, Telegram, and Discord configurations.
- Scanning for FTP connections and stored credentials.
- Searching for wallet configurations, indicating potential interest in cryptocurrency theft.
Dynamic Analysis
Upon execution in a controlled environment, the malware exhibited network-based behaviors, connecting to a remote Command and Control (C2) server:
- C2 Server IP: 91.202.233.18
- Ports: 9000, 15647
- Downloaded Files:
  - manifest.json (defines the extension's name, permissions, and scripts)
  - content.js (core malicious script for keylogging and data theft)
  - background.js (bypasses security restrictions and transmits stolen data)
Malicious Chrome Extension Disguised as “Google Docs”
The downloaded files are part of a Google Chrome extension masquerading as “Google Docs.” This extension is a stealthy data-stealing tool designed to exfiltrate user input across all websites. The files were retrieved from the following URL:
- Download URL: http://91.202.233[.]18:9000/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70
Its functionality is split across three key files:
manifest.json
- Declares the extension’s name and description (misleading claim of Google Docs offline editing)
- Grants broad permissions, including , allowing script injection across all web pages
content.js
- Injects event listeners into every webpage
- Monitors and captures all user input fields (textboxes, checkboxes, dropdowns, buttons, text areas)
- Sends recorded data, including usernames, passwords, credit card details, and form data, along with the URL to the attacker’s server
background.js
- Acts as a middleman to bypass browser security policies
- Uses browser permissions to make unauthorized HTTP requests to an external attacker-controlled server
- Relays stolen data from content.js to the remote server
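The manifest traits described above (a name impersonating Google Docs, a content script injected into every page, a background script that can relay data) can be turned into a simple triage check for extension directories. This is an added example, not code from the original post; the sample manifests are constructed, and the exact permission strings (`<all_urls>`) are an assumption, since the post does not reproduce the manifest.

```python
import json

# Constructed sample manifest (not the page's file) mimicking the traits the
# analysis describes: a misleading "Google Docs" name, a content script injected
# into every page, and a background script that relays data. The exact
# permission strings are assumptions; the page does not reproduce the manifest.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Google Docs",
    "description": "Edit and view your documents offline.",
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"service_worker": "background.js"},
})

# Constructed benign manifest for contrast: narrow match pattern, no background.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notes Lite",
    "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["notes.js"]}],
})

BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
IMPERSONATED_NAMES = {"google docs", "google sheets", "google drive"}

def _is_broad(patterns):
    return any(p.strip().lower() in BROAD_PATTERNS for p in patterns)

def score_manifest(manifest_text):
    """Return (score, reasons) for an extension manifest; higher is more suspicious."""
    m = json.loads(manifest_text)
    reasons = []
    if m.get("name", "").strip().lower() in IMPERSONATED_NAMES:
        reasons.append("name impersonates a Google product: %r" % m.get("name"))
    for cs in m.get("content_scripts", []):
        if _is_broad(cs.get("matches", [])):
            reasons.append("content script runs on every page: " + ", ".join(cs.get("js", [])))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = list(m.get("host_permissions", []))
    hosts += [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    if _is_broad(hosts):
        reasons.append("host permissions allow requests to any origin")
    if m.get("background") and reasons:
        reasons.append("background script can relay captured data off-page")
    return len(reasons), reasons

def is_suspicious(manifest_text, threshold=2):
    return score_manifest(manifest_text)[0] >= threshold
```

Point `score_manifest` at each manifest.json under a user's Chrome extensions folder to rank installed extensions for manual review.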
Additionally, during debugging, it was observed that the malware connects to an external URL:
- URL: https://pastebin.com/raw/wikwTRQc
- Sandbox Analysis: The webpage at this URL contains the same IP (91.202.233.18)
Further Payload Analysis
During analysis, no additional payloads were observed being dropped or executed. However, given the RAT’s capabilities and network behavior, it is possible that further payloads may be delivered dynamically by the C2 server depending on the victim’s environment.
Indicators of Compromise (IoCs)
File Hashes
- EED3542190002FFB5AE2764B3BA7393B
C2 Servers
- 91.202.233.18:9000
- 91.202.233.18:15647
Malicious URLs
- http://91.202.233[.]18/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70
- https://pastebin.com/raw/wikwTRQc
Mutex
- 49c5e6d7577e447ba2f4d6747f56c473
Security Implications
This malicious extension operates as a coordinated data-harvesting tool, capturing nearly all user input and exfiltrating it to a remote C2 server. The misleading name, broad web access, and ability to evade browser security make it a severe threat.
Recommendations:
- Block network traffic to 91.202.233.18:9000 and 91.202.233.18:15647.
- Monitor %AppData%/Local/llg for suspicious file creations.
- Remove any unknown Chrome extensions, particularly those masquerading as Google Docs.
- Use behavioral-based threat detection to identify suspicious activities.
- Restrict execution of untrusted .NET applications.
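The IoCs and the first recommendation above can be applied retrospectively to proxy logs. This is an added example, not part of the original post: it parses a constructed, simplified log format (timestamp, client, destination IP, destination port, URL) and flags the C2 endpoints, the wbinjget payload fetch and the pastebin lookup; the non-C2 addresses in the sample are TEST-NET placeholders.

```python
import re
from urllib.parse import urlparse

# IoCs taken from the analysis above.
C2_ENDPOINTS = {("91.202.233.18", 9000), ("91.202.233.18", 15647)}
C2_HOSTS = {"91.202.233.18"}
PAYLOAD_PATH = "/wbinjget"
STAGING_URLS = {"https://pastebin.com/raw/wikwTRQc"}

# Constructed proxy log lines (not from the page). Format assumed here:
# "<ts> <client_ip> <dst_ip> <dst_port> <url>" with "-" when no URL was seen.
# 198.51.100.7 and 203.0.113.10 are TEST-NET placeholders for benign hosts.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 198.51.100.7 443 https://www.google.com/
2025-03-01T10:00:07Z 10.0.0.5 91.202.233.18 9000 http://91.202.233.18:9000/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70
2025-03-01T10:00:09Z 10.0.0.5 203.0.113.10 443 https://pastebin.com/raw/wikwTRQc
2025-03-01T10:00:12Z 10.0.0.5 91.202.233.18 15647 -
2025-03-01T10:01:00Z 10.0.0.6 203.0.113.10 443 https://pastebin.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def match_iocs(dst_ip, dst_port, url):
    """Return the list of IoC matches for one connection (empty if clean)."""
    reasons = []
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        reasons.append("C2 endpoint %s:%d" % (dst_ip, dst_port))
    if url != "-":
        u = urlparse(url)
        if u.hostname in C2_HOSTS and u.path == PAYLOAD_PATH:
            reasons.append("payload/extension fetch via wbinjget")
        if url in STAGING_URLS:
            reasons.append("C2 address lookup via pastebin raw paste")
    return reasons

def scan_log(text):
    """Return (timestamp, client_ip, reasons) for every line that hits an IoC."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, dst, port, url = m.groups()
        reasons = match_iocs(dst, int(port), url)
        if reasons:
            alerts.append((ts, client, reasons))
    return alerts
```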
This analysis highlights the evolving threats posed by obfuscated RATs and malicious browser extensions, emphasizing the need for enhanced security monitoring and strict browser extension controls.
If you found this analysis helpful, consider following my blog for more in-depth malware research and cybersecurity insights!
Article Link: Arechclient2 Malware Analysis (sectopRAT) – Malware Analysis, Phishing, and Email Scams