Threat name:
Arcane, SheetRat, Xmrig
Alert
Classification:
evad.troj.adwa.spyw.mine
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Arcane Stealer
Yara detected Powershell decode and execute
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1703346
Sample: SecuriteInfo.com.PossibleTh...
Startdate: 01/06/2025
Architecture: WINDOWS
Score: 100

Legend: the graph is shown below as an indented process tree; under each process, "network" lists contacted domains/IPs (with ports, ASN and country where the report gives them), "dropped" lists files written, "signatures" lists behaviours triggered by that process, and "started"/"injected" lists child processes.

[analysis root]
  network: z8hd74jqpxt19zq.hopto.org; xqpw71fnqtwe81v.hopto.org; 22 other IPs or domains
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures
  started:
    SecuriteInfo.com.PossibleThreat.31868.23078.exe
      dropped: SecuriteInfo.com.P...31868.23078.exe.log (CSV)
      started:
        cmd.exe
          signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
          started:
            powershell.exe
              network: silentclickteam.co (104.21.20.15, 443, 49749, 49750; CLOUDFLARENETUS, United States); 0avxwqpqjtwkq21.hopto.org
              dropped: C:\Users\user\AppData\Local\...\nmk0gofb.exe (PE32); C:\Users\user\AppData\Local\...\k5cnfvo2.exe (PE32); C:\Users\user\AppData\Local\...\3ddkrnyk.exe (PE32); C:\Users\user\AppData\Local\...\31laffos.exe (PE32)
              signatures: Disables Windows Defender (deletes autostart); Disable Windows Defender real time protection (registry); Queries memory information (via WMI often done to detect virtual machines); 2 other signatures
              started:
                31laffos.exe
                  network: icanhazip.com (104.16.184.241, 49751, 80; CLOUDFLARENETUS, United States)
                  dropped: C:\Users\user\AppData\Local\Temp\xaitx.exe (PE32+); C:\Users\user\AppData\...\31laffos.exe.log (ASCII)
                  signatures: Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); 9 other signatures
                  started:
                    xaitx.exe
                      dropped: C:\Users\user\AppData\...\chrome_decrypt.dll (PE32+)
                      signatures: Contains functionality to inject threads in other processes; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                      started:
                        chrome.exe
                          network: 192.168.11.20 (137, 138, 1900; unknown, unknown)
                          started:
                            chrome.exe
                              network: mqlw8tj29dlqt91.hopto.org; 7nvweq9tqyweo91.hopto.org; 8 other IPs or domains
                            chrome.exe
                        conhost.exe
                    cmd.exe
                      signatures: Tries to harvest and steal WLAN passwords
                      started: 4 other processes
                    4 other processes
                      signatures: Loading BitLocker PowerShell Module
                      started:
                        8 other processes
                          started: msedge.exe
                3ddkrnyk.exe
                  dropped: C:\Windows\...\SystemDiagnosticsHost.exe (PE32); C:\Windows\Media\msldriver.dll (PE32+); C:\Windows\Media\mppr.exe (PE32); 3 other malicious files
                  signatures: Modifies the windows firewall; Queries memory information (via WMI often done to detect virtual machines)
                  started:
                    mppr.exe
                      network: tyqwpnfqht82qlo.hopto.org; pristolmag32dds.hopto.org (185.100.157.232, 443, 49766, 49771; M247GB, Poland); 2 other IPs or domains
                      dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
                      signatures: Mutes Antivirus updates and installments via hosts file black listing; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
                      injected:
                        explorer.exe
                          started:
                            msedge.exe
                              network: 239.255.255.250 (1900; unknown, Reserved)
                              signatures: Maps a DLL or memory area into another process
                    cmd.exe
                      started:
                        schtasks.exe
                          signatures: Queries memory information (via WMI often done to detect virtual machines)
                        conhost.exe
                    7 other processes
                      started: 12 other processes
                nmk0gofb.exe
                  dropped: C:\Users\user\AppData\Local\...\svunkost.exe (PE32)
                  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Drops large PE files
                  started:
                    svunkost.exe
                      network: 85.192.29.88 (49769, 54631, 54661; LINEGROUP-ASRU, Russian Federation)
                      signatures: Tries to steal communication platform credentials (via file / registry access)
                    2 other processes
                      started: 3 other processes
                3 other processes
                  signatures: Tries to steal communication platform credentials (via file / registry access)
                  started: svunkost.exe
            conhost.exe
    svunkost.exe
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
    SystemDiagnosticsHost.exe
      signatures: Multi AV Scanner detection for dropped file; Reads the Security eventlog; Reads the System eventlog
    9 other processes
      signatures: Tries to steal communication platform credentials (via file / registry access); Queries memory information (via WMI often done to detect virtual machines)