Arechclient2

Arechclient2 (also tracked as SectopRAT) is a .NET-based Remote Access Trojan (RAT) built to steal sensitive data, such as browser credentials, from infected machines. To stay hidden it obfuscates its code (Base64 encoding is one of the layers, which a decoder strips in one step), delays execution so that automated sandboxes time out before anything malicious happens, modifies Windows Defender settings, and injects itself into legitimate processes so that its activity runs under a trusted process name.

Let’s take a closer look at the stages of Arechclient2 infection by analyzing its sample inside ANY.RUN’s cloud sandbox for malware analysis.

ANY.RUN identifies malicious processes and lists all the actions performed by the malware

The infection starts with a malicious payload, often delivered as an LNK file or an ISO image containing a harmful executable, typically spread through phishing or other social engineering. When the LNK file is double-clicked, it abuses the built-in utility forfiles.exe to launch PowerShell indirectly, so that PowerShell does not appear as a direct child of the shortcut's parent process. With an ISO, Windows mounts the image as a virtual drive; modern Windows does not autorun mounted images, so the victim still has to open the executable inside, usually disguised as a document, and that launch triggers the infection. The payload may then drop files into the victim's temporary directory and spawn child processes that support the RAT's operations. AutoIt scripts frequently appear in the chain, which complicates detection.

ANY.RUN uses Suricata IDS to spot malicious network activities

Arechclient2 injects its payload into legitimate processes, such as InstallUtil.exe (a .NET Framework installer tool), copying the system binary and sidestepping antivirus hooks, so the RAT keeps running and keeps control of the infected machine while looking like a trusted process. It connects to its command and control (C2) server on TCP port 15647 and exchanges encrypted data. When the traffic is intercepted with encryption disabled, the exchange is readable in plaintext, exposing the commands the operator issues and the data being sent back.
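The delivery chain (forfiles.exe launching an encoded PowerShell command, a payload dropped into %TEMP%) and the injection and C2 stage (InstallUtil.exe talking to port 15647) both leave marks in process-creation and network telemetry. The following is an added example, not ANY.RUN's own logic or anything taken from the malware: a small Python detection pass over Sysmon-style events constructed by hand for this page. The event records, process IDs, paths, the 203.0.113.10 address and the encoded PowerShell payload (an Add-MpPreference exclusion plus a Start-Sleep delay, chosen only to illustrate the Defender change and sandbox delay mentioned above) are all assumptions; the rule names are invented; only port 15647 comes from the text.

```python
"""Added example: a toy detection pass for the Arechclient2 chain described above.

The telemetry below is constructed by hand in a Sysmon-like shape (process creation
and network connection records); it is not real data from any incident. The rule
names, the sample PowerShell payload and the victim paths are illustrative.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed encoded payload: Base64 of a UTF-16LE string, the form powershell.exe
# expects for -EncodedCommand. The content only illustrates the Defender change and
# sleep-based delay described on the page; it is not the real malware's command.
ENCODED_PS = base64.b64encode(
    "Add-MpPreference -ExclusionPath $env:TEMP; Start-Sleep -Seconds 90".encode("utf-16le")
).decode("ascii")

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
TEMP_EXE = r"C:\Users\victim\AppData\Local\Temp\setup_x.exe"  # hypothetical dropped payload

EVENTS = [  # constructed sample telemetry
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK stage: forfiles.exe runs cmd, which runs an encoded PowerShell command
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -w hidden -enc ' + ENCODED_PS + '"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -w hidden -enc " + ENCODED_PS},
    {"type": "process", "pid": 400, "ppid": 300, "image": PS_IMAGE,
     "cmdline": "powershell -w hidden -enc " + ENCODED_PS},
    # dropped payload in %TEMP% launches InstallUtil.exe as an injection host
    {"type": "process", "pid": 500, "ppid": 400, "image": TEMP_EXE, "cmdline": "setup_x.exe"},
    {"type": "process", "pid": 600, "ppid": 500, "image": INSTALLUTIL, "cmdline": "InstallUtil.exe"},
    {"type": "network", "pid": 600, "image": INSTALLUTIL, "dst_ip": "203.0.113.10", "dst_port": 15647},
    # benign control: an admin running InstallUtil normally, with no network activity
    {"type": "process", "pid": 700, "ppid": 100, "image": INSTALLUTIL, "cmdline": "InstallUtil.exe MyService.exe"},
]

C2_PORT = 15647  # the port named on the page
SUSPICIOUS_PS = ("add-mppreference", "set-mppreference", "start-sleep")
# -EncodedCommand may be abbreviated to any unambiguous prefix; these are the common spellings.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

Finding = Tuple[str, int, str]  # (rule, pid, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestor_images(pid: int, procs: Dict[int, dict], max_depth: int = 8) -> List[str]:
    """Walk up the process tree and return parent image names, nearest first."""
    out: List[str] = []
    cur = procs.get(pid)
    for _ in range(max_depth):
        if cur is None:
            break
        cur = procs.get(cur["ppid"])
        if cur is None:
            break
        out.append(basename(cur["image"]))
    return out


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (Base64 over UTF-16LE)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events: List[dict]) -> List[Finding]:
    """Apply the chain-specific rules and return every match as (rule, pid, detail)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        name = basename(e["image"])
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            parent_image = parent["image"].lower() if parent else ""
            if name == "powershell.exe":
                # PowerShell reached through forfiles.exe anywhere up the tree (LNK stage)
                if "forfiles.exe" in ancestor_images(e["pid"], procs):
                    findings.append(("lolbin_forfiles_powershell", e["pid"], e["cmdline"]))
                # Base64 is an encoding, not encryption: decode and inspect the real command
                decoded = decode_encoded_command(e["cmdline"])
                if decoded and any(k in decoded.lower() for k in SUSPICIOUS_PS):
                    findings.append(("encoded_ps_suspicious", e["pid"], decoded))
            if "\\appdata\\local\\temp\\" in e["image"].lower():
                findings.append(("exec_from_temp", e["pid"], e["image"]))
            if name == "installutil.exe" and "\\appdata\\local\\temp\\" in parent_image:
                findings.append(("installutil_untrusted_parent", e["pid"], parent_image))
        elif e["type"] == "network":
            # InstallUtil.exe has no business talking to the network at all
            if name == "installutil.exe":
                findings.append(("installutil_network", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
            if e["dst_port"] == C2_PORT:
                findings.append(("arechclient2_c2_port", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail[:70]}")
```

Run against the sample, the pass flags the PowerShell instance twice (forfiles ancestry and the decoded Defender exclusion plus sleep), the payload executing from %TEMP%, InstallUtil.exe spawned by that payload, and InstallUtil.exe connecting out on 15647, while the legitimate InstallUtil run stays silent. The ancestry walk matters because the chain inserts cmd.exe between forfiles.exe and powershell.exe, so a rule that only looks at the immediate parent misses it; the port rule is the weakest of the set, since an operator can change the port, whereas a .NET installer tool opening sockets is anomalous regardless of port.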

After analysis in ANY.RUN, you can collect a detailed threat report and IOCs

The RAT profiles the victim's system in depth, stealing browser data, cryptocurrency wallet details and more. It can also open a hidden session to monitor user activity without the victim noticing.