Suspicious
Unsigned 7z archive with process-injection + direct-IP C2 behaviour and 4 tier-2 detections, but 15 tier-1 engines silent and no external corroboration.
3822081b8f1990a93c…6b22d8e7c6
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This unsigned 7z archive triggered two high-confidence heuristic rules: process injection (rundll32 loading DLLs from temp) and direct-IP C2 (contacted 162.159.36.2 with zero DNS queries). Four tier-2 engines detected it with generic labels. The file is packed with VMProtect and exhibits evasion tags (debug-environment detection, long-sleeps). However, tier-1 engines (Kaspersky, Microsoft, BitDefender, Avast, Avira, ESET, Fortinet, GData, Emsisoft, DrWeb, F-Secure) all reported clean, and no external researchers have published YARA rules or MalwareBazaar signatures. The absence of tier-1 consensus and external corroboration, combined with the strong behavioural signals, places this in suspicious territory rather than definitively malicious.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 4/62 tier-2 malicious (Google, Malwarebytes, Sangfor, Varist) with generic labels; tier1Malicious=0; no tier-1 consensus
triggeredHeuristics: MalwareTips.Synth.ProcessInjection (high) + MalwareTips.Synth.DirectIpC2 (medium) — T1055 + direct-IP C2 without DNS
behaviour: rundll32 chains injecting ARChandler.dll, ARCinjector.dll, PatchLB3.dll; contacted 162.159.36.2 (direct IP, no domains)
file tags: detect-debug-environment, long-sleeps, checks-user-input, contains-pe; popularThreatName=vmprotect (packing)
prevalence: medium (4 submitters, 5 days); unsigned, no signer history
- 15 tier-1 antivirus engines (Kaspersky, Microsoft, BitDefender, ESET, Fortinet, Avast, Avira, Emsisoft, DrWeb, F-Secure, GData, Avira, AVG, Avast, Emsisoft) reported clean
- No malicious dropped children identified (7 inspected, all unknown verdict)
- No malicious contacted hosts in our URL cache
- No external-intelligence hits (CIRCL, YARAify, MalwareBazaar negative)
- Process injection (T1055) via rundll32 loading DLLs from temp directory
- Direct-IP C2 contact (162.159.36.2) without DNS queries — bypasses reputation systems
- VMProtect packing and anti-analysis tags (debug-environment detection, long-sleeps)
- Unsigned archive with no publisher identity
- Multi-stage loader architecture (7 dropped children, 4 rundll32 chains)
Treat this file as suspicious and avoid execution in production environments. The mixed detection profile (tier-2 flagging vs. tier-1 silence) and absence of external corroboration warrant caution but do not yet constitute definitive malware confirmation. Monitor for vendor updates and consider submitting to your security team for manual analysis if the source is trusted.
vmprotect corroborated by 2 sources
- VT (75 engines): vmprotect
- MT AI Engine: vmprotect
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\ProgramData\Microsoft\Windows\WER\Temp
- C:\ProgramData\Microsoft\Windows\WER\Temp\dff2c86a-f8d8-491b-ac92-ea03430f7f93
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue
- C:\ProgramData\Microsoft\Windows\WER\Temp\d9765631-780f-4308-9def-96c684d18429
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive
Files this sample writes at runtime
This file drops 7 children at runtime. None are currently flagged malicious in our cache.
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\ARChandler.dll",#1
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
8 detections across 75 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: ARCLoader.7z
- Size: 11.00 MB
- MIME type: (unknown)
- Detected type: 7ZIP
- SHA-256: 3822081b8f1990a93cd887e590611131208613df661c436edc09926b22d8e7c6
- MD5: 5752b2223b3c49deea0d6df6233719ce
- SHA-1: 6ab786da601d5d417d07c4f12d052c7dab415efe
- First seen (VT): 6/10/2026, 5:13:23 AM
- Last analysis (VT): 6/14/2026, 10:27:21 PM
- First scan (MalwareTips): 6/15/2026, 3:27:16 PM
- Last scan (MalwareTips): 6/15/2026, 3:27:16 PM