MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4
SHA3-384 hash: 6e802b313f3defff189e454943027739593b8fd86e36e9711cc45d532f60b7450b0dfe4a671c26cf381c8c417ea9c202
SHA1 hash: 1e917156c603a0ccb08ed9e969d11b5b1ed0e47c
MD5 hash: 5851296b482aec0267f5b3590ba4c209
humanhash: snake-lake-four-muppet
File name:Setup.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:23'320'352 bytes
First seen:2026-04-29 16:45:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d548c37a2e49c7d64b1b5952e9eb3d2 (1 x ACRStealer)
ssdeep 393216:+cIQyOVYCp2vpQOmgUfS0jTkyOxfGqkqlw9ye26ibD7ZQV1UGb:jFrtgdNfGnyrpD7ZQPl
Threatray 14 similar samples on MalwareBazaar
TLSH T106370216B384503AD06F2A360867F6F2983BBA516A21BC576FE0094C4F395D4B93F74B
TrID 64.6% (.EXE) Inno Setup installer (107240/4/30)
25.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (6522/11/2)
2.7% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 70f8fcf0b0988080 (1 x ACRStealer)
Reporter aachum
Tags:ACRStealer exe lapdog-kindterra-cfd


Avatar
iamaachum
https://hostckyd3.it.com/ => https://www.mediafire.com/file/l2xbmkcgn7gp1k4/D0WNL0AD_SETUP_FILE_(KEY_1510).zip/file

ACRStealer C2: lapdog.kindterra.cfd

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2026-04-29 16:47:13 UTC
Tags:
delphi stealer
Link:
https://app.any.run/tasks/82b182e2-ddbe-4452-81cb-8cdf41b42233

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64010/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Adding an access-denied ACE
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint installer-heuristic invalid-signature keylogger overlay packed signed
Link:
https://www.filescan.io/uploads/69f235b68a82359247ba03cf/reports/74624d1c-ba36-4a98-8764-10649b0bbeeb/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-28T20:02:00Z UTC
Last seen:
2026-05-01T07:21:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Shelma.sb Trojan.Win32.Shelma.chun BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1906406
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
70%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4
Gathering data
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Shelma
Link:
https://tip.neiki.dev/file/dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-29 07:33:08 UTC
File Type:
PE (Exe)
Extracted files:
586
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oskmuzwldrm2cahu4265xgqbifanfbb6tzqd47bpnzsrkldhksa._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
14340d8660d776f5b06baa94f1ebf81f97a24588f52384c003b6441f62e8f056
ACRStealer
30103ca4c75758700d2aa823221e41031d064326ba215a541b2793091bc2ec65
ACRStealer
474fbd180a26139e8013595adedc0ce2bb434677ae667093f86d4a59b11c7045
ACRStealer
59abb133c88b6fbdffcd508f5d74564df82b01c4704ea5457b1ff4440cdf2771
ACRStealer
7305daa8982d5a438feaabb78ddef96f65059be5304a69c918d04ffea99d49d8
ACRStealer
b3810ca5f17d8f617252b5460eafbed27e85722e794e394b2fbcb760ecf3d2a3
ACRStealer
dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4
ACRStealer
error
ACRStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/260429-t9sepadx6y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dba4a6533658/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CHM_File_Executes_JS_Via_PowerShell
Create hunting rule
Author:daniyyell
Description:Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe dba4a6533658e2cd0807a735eedcd00a0a069421f4f301f3e17b7328a9633aa4

(this sample)

  
Link
https://tria.ge/260429-t4391adx2v
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/64010/

Comments