MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArcaneStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 13 File information Comments

SHA256 hash:	b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d
SHA3-384 hash:	8a3bac294c42c8e231b407596d3cd796362be18d5971e445759e048b52a4e94ff500105c2d6ef37ca2e5be83c957a4b3
SHA1 hash:	758882bb629644ec5182a9892666bf5f10f772fe
MD5 hash:	2d85d5b292d86b2755f0bff206f62813
humanhash:	virginia-lactose-kansas-zebra
File name:	Fixit.exe
Download:	download sample
Signature	ArcaneStealer Create hunting rule
File size:	70'656 bytes
First seen:	2026-03-01 16:21:08 UTC
Last seen:	2026-03-01 17:22:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8efd347d961f811985fc96a4b4c4393f (2 x ArcaneStealer)
ssdeep	1536:CsfX0J9aO9zpnIoSs92y60bGZ57/gsFSCSOcw0RdRayNRJR:t6UkBH3IZ57whOcF7Ray9R
TLSH	T11B630282BEEE59E2DA1382727912CC5FFB39B072D35FDA64625C43E7154C2905B0B289
TrID	33.6% (.EXE) OS/2 Executable (generic) (2029/13) 33.1% (.EXE) Generic Win/DOS Executable (2002/3) 33.1% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	burger
Tags:	ArcaneStealer exe UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	70'656 bytes
File size (de-compressed) :	158'720 bytes
Format:	win64/pe
Unpacked file:	8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/e830618e-412e-4c12-8fc6-108990d84c3c/

Malware family:

n/a

ID:

File name:

Fixit.exe

Verdict:

Malicious activity

Analysis date:

2026-03-01 16:19:30 UTC

Tags:

evasion stealer arcanestealer

Link:

https://app.any.run/tasks/b14c3f35-7e15-4579-8711-a1734fe91f0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55131/

Detection(s):

SecuriteInfo.com.FileRepMalware.79313722.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a467488fffa866e3b3e05c

Tags:

phishing lien

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm crypto crypto fingerprint hacktool overlay packed packed packed upx

Link:

https://www.filescan.io/uploads/69a4677b10e80629d4f7764a/reports/5ef54fad-3c6a-4277-bb94-844195ade68a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win64.Agent.sb Trojan-PSW.Win32.Greedy.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.HashCity.sb Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.BroPass.sb Trojan-PSW.Win32.Agent.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb VHO:Trojan-Spy.Win32.Stealer.fpxq Trojan-Spy.Stealer.HTTP.C&C Trojan.Win64.Agent.sb Trojan.Win32.Udochka.sb Trojan-Spy.Win32.Stealer.fpxp Trojan-Spy.Win32.Stealer.fpxq Trojan-PSW.MSIL.Stealer.sb Trojan-Spy.Stealer.TCP.C&C

Link:

https://opentip.kaspersky.com/b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b1ce163c-1d23-45b7-9e66-76d710459940

Result

Threat name:

XORIndex

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1876531

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Leaks process information

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected XORIndex

Behaviour

Behavior Graph:

Download SVG

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/2d85d5b292d86b2755f0bff206f62813

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d/

Verdict:

Malicious

Threat:

VHO:Trojan-Spy.Win32.Stealer

Link:

https://tip.neiki.dev/file/b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-03-01 16:20:34 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wu4ug327or2a7lfzwsittnvmm4xfth23c2o7zky7xxldgq3praoq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

upx

Link:

https://tria.ge/reports/260301-ttrs8act9a/

Behaviour

Checks for VirtualBox DLLs, possible anti-VM trick

UPX packed file

Unpacked files

SH256 hash:

b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

MD5 hash:

2d85d5b292d86b2755f0bff206f62813

SHA1 hash:

758882bb629644ec5182a9892666bf5f10f772fe

Link:

https://www.unpac.me/results/76260e32-9925-4208-a994-893af5b813a4/

SH256 hash:

8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

MD5 hash:

bdbc76829359f2f304c944099575dea5

SHA1 hash:

03946d5837bfab1b99d41d924f7e309335aa90a3

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/76260e32-9925-4208-a994-893af5b813a4/

Parent samples :

b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d
8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b539436f5f74/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArcaneStealer

exe b539436f5f74740facb9b49139b6ac672e599f5b169dfcab1fbdd633436f881d

(this sample)

ArcaneStealer

exe 8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Cape

https://www.capesandbox.com/analysis/55131/

Dropping

SHA256 8011996692048501c1eccb66a2771546ade084806f48994104d199e28af82a4c

Dropping

MD5 bdbc76829359f2f304c944099575dea5

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample