MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603
SHA3-384 hash: 0c3d618495e709a4bf4d505a0c776731ca940170b25f068addb4e3c2983a26a20cbb36e6617e076e3a4e00f53744ee3b
SHA1 hash: cba0cf7622966daff52676ecac5a9ac302cf6e67
MD5 hash: bbd871930b59dfab9be37076c6ee78e7
humanhash: maryland-winter-magazine-edward
File name:𝐒𝐞𝐭𝐮𝐩._patched.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:2'170'368 bytes
First seen:2025-05-24 16:37:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba24afc7f3a6d1f8a2196d28125bc0b1 (1 x ACRStealer)
ssdeep 24576:3MO4YH2UTEM6i+4UUw2EFbG374nZ0ykE7MnieTBofQI0WVzBL9H:3Mc5TEbi+Iwxw374nZ0ykEleejVB9H
TLSH T1ABA51722A1A06097E3ED65319674520CB1B23FAF9324667A7D20736D28F1B635C1EF4F
TrID 55.3% (.EXE) InstallShield setup (43053/19/16)
13.5% (.EXE) Win64 Executable (generic) (10522/11/4)
8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 64a2b88c9cb0a264 (1 x LummaStealer, 1 x ACRStealer)
Reporter aachum
Tags:ACRStealer de-pumped exe


Avatar
iamaachum
https://wfrt.one/?7GlfCdA4L0w9yUVWRPnzSuB6rOxoMZ5JEbsFj1em=XV8TeZU1Cx2vAGDmF9HohqL0fRa6wJd3OKuIciQpjPk=SJzH86gmoLQF52lGTypDK0eWn1MdNXVrkRCsuwPtZbhivfY&h=85 => https://mega.nz/file/v0ZmTJJD#tF1sFSu8VhUps7ND1bmfFMrq-XbxvVrckR78AtBOrqM

Intelligence

File Origin
# of uploads :
1
# of downloads :
617
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f97d4f72-0948-452d-b2f5-5153b260217b
Verdict:
Malicious activity
Analysis date:
2025-05-24 17:00:17 UTC
Tags:
stealer auto generic loader delphi golang
Link:
https://app.any.run/tasks/f97d4f72-0948-452d-b2f5-5153b260217b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6831f77944c3881e854cdb99
Tags:
injection dropper smtp
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context base64 fingerprint lolbin microsoft_visual_cc overlay overlay packed packed packer_detected remote
Link:
https://www.filescan.io/uploads/6831f5d4fd02ed5e05862a7f/reports/38635280-10fc-49e2-91aa-a29996c26755/overview
Verdict:
Suspicious
Labled as:
Trojan.Lazzzy
Link:
https://www.hybrid-analysis.com/sample/0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/06162dc3-7268-434b-bf76-ac3a95b7e721
Result
Threat name:
ACR Stealer, CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698540
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1698540 Sample: #Ud835#Udc12#Ud835#Udc1e#Ud... Startdate: 24/05/2025 Architecture: WINDOWS Score: 100 48 Suricata IDS alerts for network traffic 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 3 other signatures 2->54 7 #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29._patched.exe 2 2->7         started        12 elevation_service.exe 2->12         started        process3 dnsIp4 46 104.21.112.1, 443, 49683, 49684 CLOUDFLARENETUS United States 7->46 40 C:\Users\user\hjksfro.exe, PE32 7->40 dropped 42 C:\Users\user\hjksfhz.exe, PE32 7->42 dropped 56 Found many strings related to Crypto-Wallets (likely being stolen) 7->56 58 Drops PE files to the user root directory 7->58 60 Tries to harvest and steal ftp login credentials 7->60 62 10 other signatures 7->62 14 hjksfro.exe 7->14         started        18 msedge.exe 7->18         started        20 msedge.exe 7->20         started        22 7 other processes 7->22 file5 signatures6 process7 file8 44 C:\ProgramData\shark.exe, PE32 14->44 dropped 64 Multi AV Scanner detection for dropped file 14->64 66 Detected unpacking (changes PE section rights) 14->66 24 WerFault.exe 16 18->24         started        26 WerFault.exe 16 18->26         started        28 WerFault.exe 16 20->28         started        30 WerFault.exe 20->30         started        32 WerFault.exe 16 22->32         started        34 WerFault.exe 16 22->34         started        36 WerFault.exe 16 22->36         started        38 5 other processes 22->38 signatures9 process10
Score:
7%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byaz6qfw7p56gzx2j34bsunzfrwfkm7lej6rpvukscjdouzt4ybq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250524-t45g3agn7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603
MD5 hash:
bbd871930b59dfab9be37076c6ee78e7
SHA1 hash:
cba0cf7622966daff52676ecac5a9ac302cf6e67
Link:
https://www.unpac.me/results/d9b40d70-5448-4ade-80be-e3d583d25902/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e019f40b6fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

7z a3893ffeb9cbe7a90befabb31d04cf786f51a977f08d17f3f61dfb24af52dccb

ACRStealer

Executable exe 0e019f40b6fbfbe366fa4ef81951b92c6c5533eb227d17d68a9092375333e603

(this sample)

  
Link
https://tria.ge/250524-s8jkqayrz8/behavioral1
  
Dropped by
SHA256 a3893ffeb9cbe7a90befabb31d04cf786f51a977f08d17f3f61dfb24af52dccb
  
Delivery method
Distributed via web download
  
Dropped by
MD5 6a024ea0be03ed249862bd3fd319d3b6

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateToken
ADVAPI32.dll::ImpersonateLoggedOnUser
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::FindExecutableA
SHELL32.dll::ShellExecuteA
SHELL32.dll::SHGetFileInfoA
SS_APIUses SS APISecur32.dll::AcquireCredentialsHandleA
Secur32.dll::DeleteSecurityContext
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::DeleteFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
KERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LogonUserA
ADVAPI32.dll::LookupAccountNameA
ADVAPI32.dll::LookupPrivilegeValueA
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertOpenSystemStoreA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2A
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceA
ADVAPI32.dll::QueryServiceStatus
ADVAPI32.dll::StartServiceA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowA
USER32.dll::CreateWindowExA

Comments