MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e2159ef433bf588b91a5eacb035140705be391123c76430447a81fa8efe14e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 5

Intelligence 5 IOCs YARA 38 File information Comments

SHA256 hash:	2e2159ef433bf588b91a5eacb035140705be391123c76430447a81fa8efe14e4
SHA3-384 hash:	f905e5b2bac75c91ca4b6b9d6ed330756401aa3030faf2ee00f31c0db9800b547c4272171dd630c03826e4a6a8ab6f44
SHA1 hash:	0cc06117bdc3db46c212246940cd7848cae0d279
MD5 hash:	fb8068e198819ad4eec3a501af0ffd4a
humanhash:	romeo-sink-cat-sierra
File name:	#SatUp-Full.zipx
Download:	download sample
Signature	ACRStealer Create hunting rule
File size:	9'598'080 bytes
First seen:	2025-08-08 23:25:35 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	196608:MQxilWjSWLxJ4Yk5phEWxCC+qBZaJ7WYYmAG+Tm61U7Q2vLzw6GGDGkNm:MzUSKJ4DleCzZE7WIUykU3DGim
TLSH	T144A63306CB08D43CB99583788D3D2EA6A2F7D63D01253FFCA6434A9B0A31579E5075FA
Magika	zip
Reporter	aachum
Tags:	80-253-251-138 ACRStealer HIjackLoader IDATLoader zipx

iamaachum

https://cloudferry.cfd/view/WFX5TFUE => https://mega.nz/file/rNlhBAjI#0tr7R9x2dISp-vhkMhmQO7D1xP8OXLiocQn9xWmiYO4

ACRStealer C2: 80.253.251.138

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 28 file(s), sorted by their relevance:

File name:	SsCustom.dll
File size:	554'504 bytes
SHA256 hash:	7f7addef00195b936618e5033be9094859ce409b56a41ef8673fe5df20106940
MD5 hash:	15079bf8ad1db2437d52d861d9fc91c6
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-synch-l1-2-0.dll
File size:	18'384 bytes
SHA256 hash:	9ac63682e03d55a5d18405d336634af080dd0003b565d12a39d6d71aaa989f48
MD5 hash:	659e4febc208545a2e23c0c8b881a30d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-timezone-l1-1-0.dll
File size:	18'384 bytes
SHA256 hash:	a108a8f20ded00e742a1f818ef00eb425990b6b24a2bcd060dea4d7f06d3f165
MD5 hash:	69df2cce4528c9e38d04a461ba1f992b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-profile-l1-1-0.dll
File size:	17'360 bytes
SHA256 hash:	d00a0edace14715bf79dbd17b715d8a74a2300f0adb1f3fc137edfb7074c9b0a
MD5 hash:	6ee66dca31c5cce57740d677c85b4ce7
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-process-l1-1-0.dll
File size:	18'896 bytes
SHA256 hash:	542a22540cdb7df46d957a0208d50507916f7c737bea833931239d56ebe8d68c
MD5 hash:	66f4e530a19ed2f6862b5ce946437875
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	NvStWiz.prx
File size:	442'680 bytes
SHA256 hash:	c2ad5bd189df04b39be18dec5cd251cf79b066010706ad26d99df7e49fd07762
MD5 hash:	9e82e3b658393bed3f7e4f090df1fbe7
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	tradingnetworkingsockets.dll
File size:	4'249'928 bytes
SHA256 hash:	fc4a65ff603bf1f4bfe323de1866145ae1e006aa656799fd134dfa63d92d47c1
MD5 hash:	3cf26ce759c5e261fe3ecc6451b8b08e
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-private-l1-1-0.dll
File size:	70'608 bytes
SHA256 hash:	696c10112d8b86a46e5057cbd0bf40728e79c6bb49cda1f2c67fe45d0fc1258d
MD5 hash:	ad8d9a6ea592a6c8a78c67a805cec952
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-heap-l1-1-0.dll
File size:	18'896 bytes
SHA256 hash:	0166edfb23cfc77519c97862a538a69b5d805d6a17d6e235f46927af5c04b3c9
MD5 hash:	9c373c00ac3138233bdf1655c7be8e86
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-util-l1-1-0.dll
File size:	17'872 bytes
SHA256 hash:	68bd9c086d210eb14e78f00988ba88ceaf9056c8f10746ab024990f8512a2296
MD5 hash:	c6553959aecd5bac01c0673cfdf86b68
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	opengl64.dll
File size:	18'578'896 bytes
SHA256 hash:	dd575f3c64382193610815909bd2c52490244ecbbb9bba6eef5fe4f0bb43bb4d
MD5 hash:	0a84667145e7efef026c888d4b768126
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-synch-l1-1-0.dll
File size:	19'920 bytes
SHA256 hash:	8bb38a7a59fbaa792b3d5f34f94580429588c8c592929cbd307afd5579762abc
MD5 hash:	979c67ba244e5328a1a2e588ff748e86
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Installer.exe
File size:	6'151'608 bytes
SHA256 hash:	fadec4f29e544ee21c83003422e757f56c94876ca54141a33e7fef39b6e39fe1
MD5 hash:	89f65812fd4bfa46db7bbe897d766f1c
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	OmgbkupRes_ENU.dll
File size:	104'376 bytes
SHA256 hash:	1a82d7a8a7e62c2217886d0e1b420dcba4a613eb5ef5dc6a336421e357973df1
MD5 hash:	e7b7e1f41e4ab20fa414b99de87896c5
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-math-l1-1-0.dll
File size:	27'088 bytes
SHA256 hash:	c7115159babdaa1f52e478e67b4e612da2332fda4e4036999b29425fe303b6e8
MD5 hash:	bc418a3461c5fdfa1a0d75f7e03d08a7
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-rtlsupport-l1-1-0.dll
File size:	18'384 bytes
SHA256 hash:	d11093fdc1d5c9213b9b2886ce91db3ded17ef8dae1615a8c7ffbc55b8e3f79b
MD5 hash:	0069fd29263c0dd90314c48bbce852ef
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-filesystem-l1-1-0.dll
File size:	19'920 bytes
SHA256 hash:	85b1b189ce9e3c6f4d2efdd4cd82b0807f681bea2d28851caaf545990de99000
MD5 hash:	14f407d94c77b1b0039ae2c89b07a2ff
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-conio-l1-1-0.dll
File size:	18'896 bytes
SHA256 hash:	4aeeae0ac9f6c1b0b8835067ea3b7fc429f353565f18de7858f4ea5d6f72072e
MD5 hash:	7190cbfad2d7773d3b88ccc25533a651
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-processthreads-l1-1-1.dll
File size:	18'384 bytes
SHA256 hash:	e5ea2c21fb225090f7d0db6c6990d67b1558d8e834e86513bc8ba7a43c4e7b36
MD5 hash:	29001f316ccfc800e2246743df9b15b3
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	trading_api64.dll
File size:	289'568 bytes
SHA256 hash:	f1eb582e607a1e43cdb1654bfb7cb29ad46f6728b3fb89a14f7727e0e8daab69
MD5 hash:	2bca4e2c047ec969cb3cff277e7fc184
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-sysinfo-l1-1-0.dll
File size:	18'896 bytes
SHA256 hash:	1fe918979f1653d63bb713d4716910d192cd09f50017a6ecb4ce026ed6285df9
MD5 hash:	cef4b9f680faae322170b961a3421c5b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-convert-l1-1-0.dll
File size:	21'968 bytes
SHA256 hash:	77b69e829bdc26c7b2474be6b8a2382345b2957e23046897e40992a8157a7ba1
MD5 hash:	3e415147ccd7c712618868bdd7a200cd
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	ks_tyres.ini
File size:	10'077 bytes
SHA256 hash:	894d3c57598ecb22c769cc3ea8219859a95e22740e72394a474012ea2119b3d9
MD5 hash:	47f6571c7884da6c743551ac724186d4
MIME type:	text/plain
Signature	ACRStealer

File name:	config.prx
File size:	373'656 bytes
SHA256 hash:	7fa86147035627bae39576bcbe619d045e94a48c4db8ca131968c20bb4de4a36
MD5 hash:	14934caca84d5fe0288f27efb31dcbf8
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-locale-l1-1-0.dll
File size:	18'384 bytes
SHA256 hash:	f16447b5fc7fe6fb8a6699a3cef1b2b8ba92d408579bcc272d3dd76acd801e2a
MD5 hash:	c5d747f96237b6e9aa85c58745d30c80
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-environment-l1-1-0.dll
File size:	18'384 bytes
SHA256 hash:	6c9c0dc7b36afe07dfb07dd373fc757ff25df4793e6384d7a6021471a474f0b9
MD5 hash:	ad0cbb9978fcf60d9e9ca45de6a28d30
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-core-string-l1-1-0.dll
File size:	17'872 bytes
SHA256 hash:	3807db7acf1b40c797e4d4c14a12c3806346ae56b25e205e600be3e635c18d4f
MD5 hash:	2e5c29fc652f432b89a1afe187736c4d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	api-ms-win-crt-multibyte-l1-1-0.dll
File size:	26'064 bytes
SHA256 hash:	c6b4e1d903b3cc83bfaffbe4e82eee634cff8f97f12217caa45b464ddc4e1455
MD5 hash:	9e9c6f83a015029808f5257f7b7e39c6
MIME type:	application/x-dosexec
Signature	ACRStealer

Vendor Threat Intelligence

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6866d046c9eb97473765f341

Tags:

injection obfusc crypt

Result

Verdict:

Unknown

File Type:

ZIP File

Link:

https://app.docguard.net/2e2159ef433bf588b91a5eacb035140705be391123c76430447a81fa8efe14e4/results/dashboard

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

expired-cert fingerprint microsoft_visual_cc overlay packed signed

Link:

https://www.filescan.io/uploads/68968799397fd3ce6fa2cd63/reports/044270b2-434d-48eb-8aa6-6ded37e1ac7d/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/2e2159ef433bf588b91a5eacb035140705be391123c76430447a81fa8efe14e4

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2e2159ef433bf588b91a5eacb035140705be391123c76430447a81fa8efe14e4

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

26%

Verdict:

Benign

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang Create hunting rule

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/