MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkanixStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6
SHA3-384 hash: ee9d987e128f0f37fe89651667eb62e163ee274de9c2ae0f4c4b1f009298054299d1adfdb8927b3c3141f5ff09bc45ec
SHA1 hash: 330998a64b78a3bc9c970a37363364701de5f2c8
MD5 hash: 0a2eed56079b90d3abc653b846e0b20e
humanhash: tango-florida-johnny-summer
File name:MskRaider.exe
Download: download sample
Signature ArkanixStealer
Create hunting rule
File size:36'230'024 bytes
First seen:2025-11-19 08:17:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f89fcc81a8c8aca2e05ddab1c622a0c (6 x ArkanixStealer)
ssdeep 393216:2Oi5lhyyN7IgV3geofoFnsIgAlqHy0KJvOb+iQftLCGpp1moc715zkKltstw3ozJ:2HKgVOfo5sIaS0KJmytrbsh5zDzT3qIa
Threatray 86 similar samples on MalwareBazaar
TLSH T16F8723AA55D5B2D4DBC30540638F43DE21D1A47D81EA5C3C3AC72C029A34EEB668DEB7
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:ArkanixStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MskRaider.exe
Verdict:
No threats detected
Analysis date:
2025-11-13 21:43:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc4a67c0-9138-42a1-ba61-3eeb949e5547

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691650ffbdb0ec3a9dc10e89
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto hacktool overlay packed
Link:
https://www.filescan.io/uploads/691d7d7414feed3357adfe83/reports/73941854-de4a-4edc-a800-7b3dab108784/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-13T19:04:00Z UTC
Last seen:
2025-11-19T09:54:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6/results?tab=lookup
Result
Threat name:
Arkanix Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1816742
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses WMIC command to query system information (often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Arkanix Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1816742 Sample: MskRaider.exe Startdate: 19/11/2025 Architecture: WINDOWS Score: 100 49 arkanix.pw 2->49 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 9 MskRaider.exe 26 2->9         started        signatures3 process4 dnsIp5 51 arkanix.pw 104.21.44.157, 443, 49692 CLOUDFLARENETUS United States 9->51 45 C:\Users\user\AppData\...\cl_frAQBc8W.exe, PE32+ 9->45 dropped 47 C:\Users\user\AppData\...\cl_JcrgRYwT.exe, PE32+ 9->47 dropped 61 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->61 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->63 65 Tries to harvest and steal browser information (history, passwords, etc) 9->65 67 3 other signatures 9->67 14 cl_frAQBc8W.exe 13 9->14         started        17 cl_JcrgRYwT.exe 13 9->17         started        19 cmd.exe 1 9->19         started        21 3 other processes 9->21 file6 signatures7 process8 signatures9 69 Antivirus detection for dropped file 14->69 71 Multi AV Scanner detection for dropped file 14->71 73 Writes to foreign memory regions 14->73 75 Injects a PE file into a foreign processes 14->75 23 chrome.exe 14->23         started        25 conhost.exe 14->25         started        77 Allocates memory in foreign processes 17->77 79 Tries to detect virtualization through RDTSC time measurements 17->79 81 Creates a thread in another existing process (thread injection) 17->81 27 msedge.exe 17->27         started        29 conhost.exe 17->29         started        83 Uses WMIC command to query system information (often done to detect virtual machines) 19->83 37 2 other processes 19->37 31 WMIC.exe 1 21->31         started        33 WMIC.exe 1 21->33         started        35 WMIC.exe 1 21->35         started        39 3 other processes 21->39 process10 process11 41 WerFault.exe 2 23->41         started        43 WerFault.exe 2 27->43         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6
Gathering data
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Coins
Link:
https://tip.neiki.dev/file/38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6
Threat name:
Win64.Trojan.Hack
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 21:44:37 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=haljwpqbbnabqr2gvxqzi3olgvog2t2xxqiutjr7uio7hoftbcta._file
Verdict:
malicious
Label(s):
arkanixstealer
Create hunting rule
Similar samples:
0222a80c806a1f5746c17090f1379779245dd7d86b70b1c5dc5d0e75a13e5a3f
ArkanixStealer
08c9e700f5f0b357868ab209e4533bb67d0539b20e639357b6e9854ed8d56415
ArkanixStealer
099f1c2b33089a9e0160dacdead3c63bb3d18430aec5c4c280de62a93334e62b
ArkanixStealer
2375a6489fc38cf4cc71cd4c8b4765a8e9a13c63f16116827ca6ef6b554b3ec3
ArkanixStealer
872a2c277097fc101cd9350bd6a7abfca0f001e3893a676e2b684cc1d2d3630c
ArkanixStealer
885e224fb1485b2bb4610fb44bf9f288018f69e66627bddad7f6a30210dbd7df
ArkanixStealer
9986ab3e10c7e0f163335976d3646f2239800793e9de4b183af03c2c55d99555
ArkanixStealer
b35455cad92986d46a0122a606d621c856af5cfe16a755163c38ab24a62938a2
ArkanixStealer
error
ArkanixStealer
f5f977688fe5ab1c569958d0ccb27d8c35ffde7d03b6b175bf47990eae18c747
ArkanixStealer
feb9d5e9402bd4b4108a5cb53196d5b5511509cf4dbf68c9a1194d63475c4633
ArkanixStealer
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/251119-j7pkxa1pbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Looks for VMWare Tools registry key
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e12d541-8b45-465f-acea-f8b3900d8bcc
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38169b3e010b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/38169b3e010b40184746ade1946dcb355c6d4f57bc1149a63fa21df3b8b308a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments