MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093fc9123303ffdcd62b53d3e091bc2b0e7f2a205227825294b4f247c33f8de5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash: 093fc9123303ffdcd62b53d3e091bc2b0e7f2a205227825294b4f247c33f8de5
SHA3-384 hash: 5d00d240429ba4aaf966aa0934255716ad9fe3984f24cfa07dd54413edf84f71f1fd6567d77f2d4fbcadb661e44007a6
SHA1 hash: 2a708490610ef47392fbc48fa223e340b045a6de
MD5 hash: 302a7f1a249f60b8024bb3a9cd03f659
humanhash: zebra-nine-thirteen-alabama
File name:gc.key
Download: download sample
Signature ACRStealer
File size:4'376'576 bytes
First seen:2026-07-14 05:07:21 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 846c60b7415e38d769a8b7a0468ed919 (3 x ACRStealer, 1 x Amatera)
ssdeep 24576:uY3DJIvaIYHufWhuNSAKE8fIcbW8yavq3:
TLSH T16F1630572DF9F11EEC886C7D953A7F468479A521750CA11B8EE1FCEA0C0E5F8086A70B
TrID 34.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.7% (.EXE) Win64 Executable (generic) (6522/11/2)
10.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter monitorsg
Tags:ACRStealer ClearFake dll

Intelligence


File Origin
# of uploads :
1
# of downloads :
180
Origin country :
US US
Vendor Threat Intelligence
No detections
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm masquerade mingw packed
Verdict:
Unknown
File Type:
dll x32
First seen:
2026-07-14T02:02:00Z UTC
Last seen:
2026-07-14T03:23:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-14 05:09:14 UTC
File Type:
PE (Dll)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
093fc9123303ffdcd62b53d3e091bc2b0e7f2a205227825294b4f247c33f8de5
MD5 hash:
302a7f1a249f60b8024bb3a9cd03f659
SHA1 hash:
2a708490610ef47392fbc48fa223e340b045a6de
SH256 hash:
d2a07d3af27c7473c56ea7008ee7f69cf2d5ca52b92bf7959c0d1ee1da79c1d6
MD5 hash:
a742d21dece4096003b2e94f146d4c14
SHA1 hash:
5ba63580c77e5153406164a58ac3e25b9ee6b2fd
Malware family:
ACRStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:pe_detect_tls_callbacks
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026
Author:SixHands
Description:Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

DLL dll 093fc9123303ffdcd62b53d3e091bc2b0e7f2a205227825294b4f247c33f8de5

(this sample)

  
Delivery method
Distributed via web download

Comments