FOCUS MODE
EXTRACT IOC
MINDMAP
Threat Research

Arechclient2 Malware Analysis sectopRAT

Securonix
Arechclient2 Malware Analysis sectopRAT
Arechclient2, also known as sectopRAT, is an advanced Remote Access Trojan (RAT) developed in .NET, characterized by its heavy obfuscation using the calli obfuscator. Despite efforts to deobfuscate the malware, significant capabilities such as browser data extraction, system information gathering, and targeted application scanning have been identified. The RAT connects to a remote Command and Control (C2) server, facilitating data exfiltration through a disguised Chrome extension. This highlights a pressing security risk for users across various online platforms. Affected: Users of Google Chrome, potentially victims of data exfiltration

Keypoints :

  • Arechclient2, also known as sectopRAT, is a .NET-based Remote Access Trojan (RAT).
  • The malware is obfuscated using the calli obfuscator, complicating analysis.
  • Key functionalities include gathering credentials, cookies, and configuration data from installed applications.
  • It connects to a remote Command and Control (C2) server for data exfiltration.
  • The malware masquerades as a benign Google Chrome extension named “Google Docs.”
  • Security implications include severe data theft risks due to its data-harvesting capabilities.
  • Recommendations include blocking specific IP addresses and monitoring for suspicious activity.

MITRE Techniques :

  • T1086: PowerShell – Utilizes PowerShell for the execution of commands without user interaction.
  • T1121: System Owner/User Discovery – Gathers information about the user accounts on the system.
  • T1089: Disabling Security Tools – It may evade detection by interfacing directly with browser security policies.
  • T1048: Exfiltration Over Command and Control Channel – Exfiltrates data to C2 over established channels.
  • T1573: Unencrypted Non-C2 Traffic – Data exfiltration occurs through unsecured channels.

Indicator of Compromise :

  • [File Hash] EED3542190002FFB5AE2764B3BA7393B
  • [C2 Server] 91.202.233.18:9000
  • [C2 Server] 91.202.233.18:15647
  • [Malicious URL] http://91.202.233[.]18:9000/wbinjget?q=9A7A4DFA51C1DFA51C1DFC689A43860F0BECA70
  • [Mutex] 49c5e6d7577e447ba2f4d6747f56c473

Full Story: https://malwr-analysis.com/2025/02/18/arechclient2-malware-analysis-sectoprat/

Views: 20

Tags: BROWSER, DISCOVERY, EXFILTRATION, PAYLOAD, VPN, MONITOR, TOOL, TROJAN