MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArcaneStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c
SHA3-384 hash:	88e99511a0029dac4707931a45c1df55fb19ca973622bde34e264784cb7d6ee5979543714cfa65328040d3ba1b72d284
SHA1 hash:	03946d5837bfab1b99d41d924f7e309335aa90a3
MD5 hash:	bdbc76829359f2f304c944099575dea5
humanhash:	london-apart-queen-robert
File name:	Fixit.exe
Download:	download sample
Signature	ArcaneStealer Create hunting rule
File size:	158'720 bytes
First seen:	2026-03-01 16:21:22 UTC
Last seen:	2026-03-01 17:22:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b239b2e24f947e6eb7cac795d0de7ba (2 x ArcaneStealer)
ssdeep	3072:umfu6RT6Crpqs7MMiI4SnSbBe8lnSkz7nbBBh3vpbkJNdEtGZtEKkxDRlS:/u6RpqHMixdpljxpbgNdEtGZtE1M
TLSH	T1BFF31903E68660FCD466C57856969132F673BC620B22A9EF17905B352E71FC0BB3CB46
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	ArcaneStealer exe upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	70'656 bytes
File size (de-compressed) :	158'720 bytes
Format:	win64/pe
Packed file:	b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Fixit.exe

Verdict:

Malicious activity

Analysis date:

2026-03-01 16:23:53 UTC

Tags:

evasion stealer

Link:

https://app.any.run/tasks/cd5a007c-fe4c-451a-9b16-f15225d61fd4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55132/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.85186974.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a467b78fffa866e3b3e178

Tags:

infosteal vmdetect lien

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm crypto evasive expand explorer fingerprint fingerprint hacktool lolbin soft-404

Link:

https://www.filescan.io/uploads/69a467b691ad9169e5350745/reports/8a9f072d-2700-426e-8d07-89a2263be5c7/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win64.Agent.sb Trojan.Win64.Agent.sb Trojan.Win32.Udochka.sb Trojan-Spy.Win32.Stealer.fpyf Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.BroPass.sb Trojan-PSW.Win32.Agent.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-Spy.Stealer.HTTP.C&C Trojan-PSW.Win32.Greedy.sb PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Stealer.sb

Link:

https://opentip.kaspersky.com/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/40fc7499-325d-473e-97cb-eed1add4482c

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1876530

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/bdbc76829359f2f304c944099575dea5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Threat name:

Win64.Infostealer.Generic

Status:

Suspicious

First seen:

2026-03-01 16:22:22 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qaizszusascqdqpmzntke5yvi2w6bbean5ejsqie2gm6fcxyfjga._file

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/260301-tvbhmacv5e/

Behaviour

Checks for VirtualBox DLLs, possible anti-VM trick

Unpacked files

SH256 hash:

8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

MD5 hash:

bdbc76829359f2f304c944099575dea5

SHA1 hash:

03946d5837bfab1b99d41d924f7e309335aa90a3

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/fec9eda6-a0af-4920-aaae-f6469e8175e3/

Parent samples :

b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d
8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/801199669204/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArcaneStealer

exe b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

ArcaneStealer

exe 8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

(this sample)

Dropped by

SHA256 b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

Cape

https://www.capesandbox.com/analysis/55132/

Dropped by

MD5 2d85d5b292d86b2755f0bff206f62813

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample