MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5
SHA3-384 hash: 2bda9fd9bcead694b917dac366c6dd82de405252cf1f40de5882e579ed33c549aa4ea8a753b904f8570e2d25049f8f16
SHA1 hash: 399172596c01fffe297de86bca8ff788d6b87f98
MD5 hash: 38e62f0120fbf9bfd3cedb099899d774
humanhash: virginia-blossom-fix-fish
File name:acr-mix-639160906185480235.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:824'832 bytes
First seen:2026-06-09 15:04:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:8dyFn+6jp5ZgK/nO3yYPCKQryzOEFbVjl8Y:4yF+wIK/QySVQ5spp8
Threatray 19 similar samples on MalwareBazaar
TLSH T11D052A19E59358F1EB050C31E176255F7F247A18B894EED1C7F20A0ABAA3DE1221F4F9
TrID 34.1% (.EXE) Win64 Executable (generic) (6522/11/2)
23.5% (.EXE) Win32 Executable (generic) (4504/4/1)
10.7% (.ICL) Windows Icons Library (generic) (2059/9)
10.6% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:ACRStealer exe globe-cachefoundry-cc neuralcoreflux10-lol


Avatar
iamaachum
https://neuralcoreflux10.lol/download/acr-mix-639160906185480235.exe

ACRStealer C2: globe.cachefoundry.cc

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
vidar
Create hunting rule
ID:
1
File name:
_166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5.exe
Verdict:
Malicious activity
Analysis date:
2026-06-09 15:04:51 UTC
Tags:
stealer vidar exploit
Link:
https://app.any.run/tasks/c5f39589-e5b4-49f4-8a58-849270bbebe8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70328/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a282b8e34eaf30d8ce450bc
Tags:
phishing spoof
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Query of malicious DNS domain
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6a282b891f652d686572b36f/reports/e696bbe0-ce9f-4c70-a502-fbadabbee466/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5
Verdict:
Clean
File Type:
exe x32
First seen:
2026-06-09T13:52:00Z UTC
Last seen:
2026-06-09T14:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4310d8a4-d3ee-4d0e-abc3-890dc6c1d1f9
Result
Threat name:
ACR Stealer, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1925249
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1925249 Sample: acr-mix-639160906185480235.exe Startdate: 09/06/2026 Architecture: WINDOWS Score: 100 52 poxzxin.cyou 2->52 54 decrnoj.club 2->54 56 5 other IPs or domains 2->56 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 15 other signatures 2->82 10 acr-mix-639160906185480235.exe 2 2->10         started        14 powershell.exe 12 2->14         started        16 taskkill.exe 1 2->16         started        signatures3 process4 dnsIp5 64 vdsina.vg 104.248.198.130, 443, 49709, 49711 DIGITALOCEAN-ASN-DigitalOceanLLCUS Netherlands 10->64 66 globe.cachefoundry.cc 104.21.10.63, 443, 49693 CLOUDFLARENET-CloudflareIncUS Canada 10->66 84 Suspicious powershell command line found 10->84 86 Found many strings related to Crypto-Wallets (likely being stolen) 10->86 88 Encrypted powershell cmdline option found 10->88 90 8 other signatures 10->90 18 powershell.exe 18 10->18         started        21 chrome.exe 10->21         started        23 mshta.exe 14->23         started        25 conhost.exe 16->25         started        signatures6 process7 signatures8 70 Suspicious execution chain found 18->70 72 Found suspicious powershell code related to unpacking or dynamic code loading 18->72 27 mshta.exe 16 18->27         started        30 conhost.exe 18->30         started        32 chrome.exe 21->32         started        74 Tries to access browser extension known for cryptocurrency wallets 23->74 34 package.exe 23->34         started        37 curl.exe 23->37         started        process9 dnsIp10 92 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->92 94 Tries to access browser extension known for cryptocurrency wallets 27->94 96 Creates processes via WMI 27->96 106 2 other signatures 27->106 40 conhost.exe 32->40         started        58 google.com 142.251.211.174, 443, 49720 GOOGLE-GoogleLLCUS United States 34->58 98 Multi AV Scanner detection for dropped file 34->98 100 Early bird code injection technique detected 34->100 102 Writes to foreign memory regions 34->102 108 2 other signatures 34->108 42 Dism.exe 34->42         started        60 immortal-service.cc 45.153.34.55, 443, 49719 PFCLOUDPfcloudUGDE Netherlands 37->60 62 127.0.0.1 unknown unknown 37->62 50 C:\Users\user\package.exe, PE32 37->50 dropped 104 Drops PE files to the user root directory 37->104 46 conhost.exe 37->46         started        file11 signatures12 process13 dnsIp14 68 pomflgf.vu 2.26.74.89, 80 GREATFLOWERIL Finland 42->68 110 Unusual module load detection (module proxying) 42->110 48 conhost.exe 42->48         started        signatures15 process16
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-06-09 15:04:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czwui7vkdwz3lkkubxw6kvawvwx7oknu7knbt5d5yaqjlffvzksq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
2762f3e0a56d62e70157c398626856befead49f0926ba921f478bb599f10e2f6
ACRStealer
4b0c97b77fa4fcca148b808dd1461ec6b0966280d34da074f494cf9b3aa7d798
ACRStealer
94189e4d1e03f3afac858be576cc0c1b0ab000dbccb8dcf988fb58059b5a12ff
ACRStealer
9d176e2a1d21e4b368cd06adfb0f38629781d4b7ca6ed7b738efb0745e77fa22
ACRStealer
aa95b0b984dce56dcf8d9e9fabaa6a251b4a80cd7e344b3740d5934596f2e0fa
ACRStealer
error
ACRStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260609-sfytyacx4y/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
Dropper Extraction:
https://vdsina.vg
Unpacked files
SH256 hash:
166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5
MD5 hash:
38e62f0120fbf9bfd3cedb099899d774
SHA1 hash:
399172596c01fffe297de86bca8ff788d6b87f98
Link:
https://www.unpac.me/results/0ebfa328-5542-404a-a079-3386ca280216/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 166d447eaa1db3b5a9540dede55416adaff729b4fa9a19f47dc0209594b5caa5

(this sample)

  
Link
https://tria.ge/260609-r23jkscx6k/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70328/

Comments