MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkanixStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
SHA3-384 hash: 0675dac9078cf3f42c2d7d221ca7de6516a8c38a7590262d122283a46075e43ee565944ee1df63dcd83e19c6e16684f2
SHA1 hash: 4d100f5fbd4492331cb8794d319d341d8a688ec9
MD5 hash: a4b5cf2714cc91fef43b7fdab154b1fd
humanhash: mexico-pizza-speaker-beer
File name:file
Download: download sample
Signature ArkanixStealer
Create hunting rule
File size:2'506'240 bytes
First seen:2025-12-09 21:02:27 UTC
Last seen:2025-12-09 21:04:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 919350504531202eeca84154d8bfdf0e (4 x ArkanixStealer)
ssdeep 49152:V/onnd5+yqHm/6xc6F6/bRcqYWXB8Y8UbesLfE/Pv:VAnd50G/YcIEnXB865q
Threatray 12 similar samples on MalwareBazaar
TLSH T1A9C5E11AA3A401FCD1A7C2B5CD565907DBB2B84A0670A79F06E04F9A2F237715E7E313
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:ArkanixStealer dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.55.189/files/7799503374/WroFzGB.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13.exe
Verdict:
Suspicious activity
Analysis date:
2025-12-09 21:04:39 UTC
Tags:
anti-evasion
Link:
https://app.any.run/tasks/6c90073d-566e-4786-8daf-d4fb460f78f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44037/
Detection(s):
Win.Tool.Generickdz-10057837-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69388e98a675b653bd0f7743
Tags:
vmdetect
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm base64 crypto evasive expand fingerprint lolbin microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69388e9364bd958a520f3c25/reports/c01b592c-4051-49df-9040-36e84fd38b99/overview
Verdict:
Malicious
Labled as:
Trojan.Recon.Marte.A.Generic
Link:
https://www.hybrid-analysis.com/sample/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-09T18:18:00Z UTC
Last seen:
2025-12-10T05:34:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Alkhaser.d Trojan-PSW.Win64.Rabbit.sb Trojan.Win32.Khalesi.rbsz
Link:
https://opentip.kaspersky.com/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c35639e2-35a0-430b-a180-68f6e1c72d50
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/a4b5cf2714cc91fef43b7fdab154b1fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13/
Verdict:
Malicious
Threat:
Trojan.Win32.Alkhaser
Link:
https://tip.neiki.dev/file/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
Threat name:
Win64.Trojan.ReconMarte
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 21:03:19 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5npgconrkotsazlhj2twa6hvwyxuvc5s7efdospoomfbwsdovijq._file
Verdict:
malicious
Label(s):
arkanixstealer
Create hunting rule
Similar samples:
206f479dfc4fb3e3e15f571ed1bb1fad65575a017753724fd578ac4f2d4dfe83
ArkanixStealer
4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b
ArkanixStealer
8f5aa6325ae84727f4fac778f10af10be1918d675c32d79229af1078bb8aa220
ArkanixStealer
9986ab3e10c7e0f163335976d3646f2239800793e9de4b183af03c2c55d99555
ArkanixStealer
ad75caddf17f24472c753f1d5fff7fa8ed8a95ce7aad82e6bca8d6bc1ff813d0
ArkanixStealer
c896595965acfb25fd953291b465f383b9322cbf074f8f97cf1337f54c1c552e
ArkanixStealer
eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
ArkanixStealer
error
ArkanixStealer
fec7c49137a5bc09195c3fc3a4dd79a9d6d97a401df8c32f34b335b3fe89a18b
ArkanixStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/251209-zv4gasbs6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks system information in the registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Looks for Xen service registry key.
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Verdict:
Malicious
Tags:
Win.Tool.Generickdz-10057837-0 External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/3c72b661-3800-4834-8919-30b2872f5999
Unpacked files
SH256 hash:
eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13
MD5 hash:
a4b5cf2714cc91fef43b7fdab154b1fd
SHA1 hash:
4d100f5fbd4492331cb8794d319d341d8a688ec9
Link:
https://www.unpac.me/results/ecd142e1-16ab-4633-a5a8-706f0a645ec7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb5e6139b153/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:Check_Qemu_Description
Create hunting rule
Rule name:Check_VBox_Description
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing combination of virtualization drivers
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkanixStealer

Executable exe eb5e6139b153a72065674ea76078f5b62f4a8bb2f90a3749ee730a1b486eaa13

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3730096/
Cape
Cape
https://www.capesandbox.com/analysis/44037/

Comments