MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72
SHA3-384 hash: 158d2b3bf7fc7a6ab6c564ffd93cc552ba247d70c4c5025d941e4d8ae82bce65b86adf32f2f3ea63e969cfcebac6bfac
SHA1 hash: 6a0be933f20e17b6feebd709c05d8024d4b9261b
MD5 hash: 262eb122dbae0c4bd212ccebfd88561f
humanhash: kitten-juliet-zulu-idaho
File name:Setup.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:355'328 bytes
First seen:2025-05-19 06:36:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (20 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 6144:PvlAkAsY5JDR2+Mq9zntr0qs2AwjPakjLZr4J1LT/34UGUqK9tQdmid:ik5K2FqP4/Eta1H3KUtbHi
TLSH T15874CE3333D98472C0AC11FE440BAE40D8AB5A249E58C5077B894F27CF79AB9A71B3D5
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon cac47aaaa4a4a4a4 (4 x ACRStealer, 1 x LummaStealer)
Reporter abuse_ch
Tags:ACRStealer de-pumped exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
516
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-05-19 06:49:20 UTC
Tags:
stealer loader delphi
Link:
https://app.any.run/tasks/e556c5d3-6d0e-4f79-ba91-10c02cbf3a24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ad2d0375681df7c1aa22b
Tags:
spawn hype sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Adding an access-denied ACE
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/682ad19fc609634bd7c8713e/reports/964dbec6-a7da-4d59-b272-bc2f98cc733e/overview
Verdict:
Malicious
Labled as:
Malware_48.9
Link:
https://www.hybrid-analysis.com/sample/0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fcdf211a-467d-42e9-8406-9ffd313fc320
Result
Threat name:
ACR Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1693764
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1693764 Sample: Setup.exe Startdate: 19/05/2025 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 2 other signatures 2->60 7 Setup.exe 2 2->7         started        12 elevation_service.exe 2->12         started        process3 dnsIp4 52 172.67.221.174, 443, 49686, 49687 CLOUDFLARENETUS United States 7->52 40 C:\Users\user\hjksfws.exe, PE32 7->40 dropped 42 C:\Users\user\hjksfsv.exe, PE32 7->42 dropped 62 Found many strings related to Crypto-Wallets (likely being stolen) 7->62 64 Drops PE files to the user root directory 7->64 66 Tries to harvest and steal ftp login credentials 7->66 68 9 other signatures 7->68 14 hjksfws.exe 7->14         started        18 msedge.exe 7->18         started        20 msedge.exe 7->20         started        22 7 other processes 7->22 file5 signatures6 process7 file8 44 C:\Users\user\dx0.dll, PE32 14->44 dropped 46 C:\Users\user\IconX.dll, PE32 14->46 dropped 48 C:\Users\user\DistriCompiler89.exe, PE32 14->48 dropped 50 C:\Users\user\DirectGUI.dll, PE32 14->50 dropped 70 Multi AV Scanner detection for dropped file 14->70 72 Drops PE files to the user root directory 14->72 24 WerFault.exe 16 18->24         started        26 WerFault.exe 16 18->26         started        28 WerFault.exe 20->28         started        30 WerFault.exe 20->30         started        32 WerFault.exe 16 22->32         started        34 WerFault.exe 16 22->34         started        36 WerFault.exe 16 22->36         started        38 5 other processes 22->38 signatures9 process10
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-19 06:37:15 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7nvclxirvy4yw6oao7hzvi56aajcmo5eeilcasd2yvkzreojjza._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250519-hdmzjsbj7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c75abf16-22f1-4374-9221-bfd24a4ace6b
Unpacked files
SH256 hash:
0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72
MD5 hash:
262eb122dbae0c4bd212ccebfd88561f
SHA1 hash:
6a0be933f20e17b6feebd709c05d8024d4b9261b
Link:
https://www.unpac.me/results/1167f1b3-d46d-45ee-b98f-3f918484aee3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

rar cdbc1565b097fa6c91f57e4361dfc76a4f124473f595d3e625dcbb6edb7738f7

ACRStealer

Executable exe 0fdb512ee88d71cc5bce03be7cd51df0009131dd2110b10243d62aacc48e4a72

(this sample)

  
Dropped by
MD5 437b3a8fd4fae59714045bd82d06fa77
  
Dropped by
SHA256 cdbc1565b097fa6c91f57e4361dfc76a4f124473f595d3e625dcbb6edb7738f7

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments