MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a5f07bba72afe6d78126f87467ad8c1b6cf086dee17e64bd7734ca60922af2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 10


SHA256 hash: 0a5f07bba72afe6d78126f87467ad8c1b6cf086dee17e64bd7734ca60922af2c
SHA3-384 hash: b23f3a59ee58887c0b4d7170bed40b4aa0c587d055a4609d086e8c2b906382b98e626e4a8b9087d14107ba4a9e25486a
SHA1 hash: d25d15381d94eb4281c66b8923d132ef2fd243d0
MD5 hash: a0ca49e5687a97c450f315b6fa1b6161
humanhash: winter-oregon-fix-undress
File name: TUFPCCFS.msi
Signature: ACRStealer
File size: 4'190'208 bytes
First seen: 2025-11-27 17:08:19 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:w1rTSOQJjSi/8cGsiTnTCnjdvA4IjXh1fALlQEArJQ+tC:whxMjETKjPQXHbNrJE
Threatray: 59 similar samples on MalwareBazaar
TLSH: T1D4163381FA86E2E2D843A5BA3C0ECD8128A17C3FDF9199E1857C7E340D32D275D65DA1
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: ACRStealer msi ShadowLadder

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: HU
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug expired-cert fingerprint installer installer keylogger packed wix
Result
Verdict: UNKNOWN
Details:
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signatures:
  Found direct / indirect Syscall (likely to bypass EDR)
  Found hidden mapped module (file has been removed from disk)
  Found malware configuration
  Maps a DLL or memory area into another process
  Switches to a custom stack to bypass stack traces
  Unusual module load detection (module proxying)
  Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1821862; sample TUFPCCFS.msi; start date 27/11/2025; architecture WINDOWS; score 76), shown as a process tree with the files each process dropped and the signatures raised on it:
  Sample: Found malware configuration; Yara detected HijackLoader
  msiexec.exe (started from the sample)
    dropped: C:\Users\user\AppData\...\Transa_Aur.exe (PE32); C:\Users\user\AppData\Local\...\WsBurn.dll (PE32); C:\Users\user\AppData\Local\...\WS_Log.dll (PE32); 10 other files (none is malicious)
    Transa_Aur.exe (started by msiexec.exe)
      dropped: C:\ProgramData\...\Transa_Aur.exe (PE32); C:\ProgramData\...\WsBurn.dll (PE32); C:\ProgramData\...\WS_Log.dll (PE32); 10 other files (none is malicious)
      signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      Transa_Aur.exe (second instance, started by Transa_Aur.exe)
        dropped: C:\Users\user\AppData\...\LoVerifier.exe (PE32); C:\ProgramData\...\Chime.exe (PE32); C:\Users\user\AppData\Local\...\7F357E8.tmp (PE32)
        signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        Chime.exe (started by Transa_Aur.exe)
          signatures: Unusual module load detection (module proxying); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        LoVerifier.exe (started by Transa_Aur.exe)
  msiexec.exe (second instance, started from the sample)
Verdict: inconclusive
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Behaviour:
  Checks SCSI registry key(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Uses Volume Shadow Copy service COM API
  Event Triggered Execution: Installer Packages
  System Location Discovery: System Language Discovery
  Drops file in Windows directory
  Suspicious use of SetThreadContext
  Enumerates connected drives
  Executes dropped EXE
  Loads dropped DLL
  Reads user/profile data of web browsers
  Detects HijackLoader (aka IDAT Loader)
  HijackLoader, IDAT loader, Ghostulse
  Hijackloader family

Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments