MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArcaneStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77
SHA3-384 hash:	37d43ac546a6e46d78022de1d4cecef5bcb968751f2648e179710cd8d1cfe680c269388b2d7a97877eae5aef53c51efc
SHA1 hash:	07e285e12d98d2e75588319b9ab7965ae1880d21
MD5 hash:	9a5da4e75f7788f2cec23cc87c9992f3
humanhash:	washington-colorado-high-magnesium
File name:	Cs2Loader.exe
Download:	download sample
Signature	ArcaneStealer Create hunting rule
File size:	158'720 bytes
First seen:	2026-02-27 02:47:16 UTC
Last seen:	2026-02-27 03:36:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b239b2e24f947e6eb7cac795d0de7ba (2 x ArcaneStealer)
ssdeep	3072:/F4eCASUDbioOczMiOVYi0ZTVKlXb6z+IWYR27fXszNdEtGZtEN8tkxDRd/o:meCAgoDMiFklhlPXgNdEtGZtEHm
TLSH	T120F31903E68670FCD566C5785656A132F632BC624B22A9EF07905B352E71FC0BB3CB46
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	ArcaneStealer exe upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 eaf774319a523aa423c0a1edc693f060ad108d9570495a38549efd0c16953af4

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	70'656 bytes
File size (de-compressed) :	158'720 bytes
Format:	win64/pe
Packed file:	eaf774319a523aa423c0a1edc693f060ad108d9570495a38549efd0c16953af4

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77.exe

Verdict:

Malicious activity

Analysis date:

2026-02-27 02:49:32 UTC

Tags:

evasion stealer

Link:

https://app.any.run/tasks/65090090-3f5a-4b3b-aff9-72200d74f1f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54801/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.97256766.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a105f18fffa866e3b29502

Tags:

infosteal vmdetect lien

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm crypto evasive expand explorer fingerprint fingerprint hacktool lolbin soft-404

Link:

https://www.filescan.io/uploads/69a105ee10e80629d4f498f7/reports/f44241ab-998f-43dd-9a2a-2a0881562ef9/overview

Verdict:

Malicious

Labled as:

TrojanSpy/Stealer.jh

Link:

https://www.hybrid-analysis.com/sample/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-Spy.Stealer.HTTP.C&C Trojan-PSW.Win64.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Udochka.sb Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Stealer.fpwh Trojan.Win64.Agent.sb Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.BroPass.sb Trojan-PSW.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77/results?tab=lookup

Gathering data

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1875730

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

Threat name:

Win64.Trojan.AntiSandbox

Status:

Malicious

First seen:

2026-02-27 02:48:28 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5tvav2brjnntiykdrcu2ilsd4azmhztfaqq7p7lrqrxf6hzdb53q._file

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/260227-daj19sgx3b/

Behaviour

Checks for VirtualBox DLLs, possible anti-VM trick

Unpacked files

SH256 hash:

ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

MD5 hash:

9a5da4e75f7788f2cec23cc87c9992f3

SHA1 hash:

07e285e12d98d2e75588319b9ab7965ae1880d21

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/59387381-cc99-4b60-a103-63e2f5f9d2ff/

Parent samples :

eaf774319a523aa423c0a1edc693f060ad108d9570495a38549efd0c16953af4
ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ecea0ae8314b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArcaneStealer

exe eaf774319a523aa423c0a1edc693f060ad108d9570495a38549efd0c16953af4

ArcaneStealer

exe ecea0ae8314b5b34614388a9a42e43e032c3e6650421f7fd71846e5f1f230f77

(this sample)

Dropped by

SHA256 eaf774319a523aa423c0a1edc693f060ad108d9570495a38549efd0c16953af4

Cape

https://www.capesandbox.com/analysis/54801/

Dropped by

MD5 8958ad7b3a8f31b9fa07836d45db562d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample