MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
SHA3-384 hash: 6b51ad6760cc31a08c2e7b8bbb981e36e540b5dc614a844884541307d37f951a739f56fcb585beb427aeaf1fff29677b
SHA1 hash: 1c0f9e610b7a043928956dc36cf513ff7a02168f
MD5 hash: 3ac0c1b445c10d5af928c0c3ed8ea409
humanhash: moon-apart-uncle-five
File name:SecuriteInfo.com.FileRepMalware.76928771
Download: download sample
Signature ACRStealer
Create hunting rule
File size:12'192'080 bytes
First seen:2026-03-04 01:03:11 UTC
Last seen:2026-03-04 01:22:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 16d3dcda6fe34199f57bb11fc5930901 (1 x ACRStealer)
ssdeep 196608:iilaNrKUYAu40C5u7alCFr7nQInJ45/9iD54+V11bFv4zws:iilaN8J9s
Threatray 1 similar samples on MalwareBazaar
TLSH T129C6A22CD905A366E2B2C170859D4A17F161892AF63D5F8B31C75F193242AC33EA1FDE
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:ACRStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.FileRepMalware.76928771
Verdict:
Malicious activity
Analysis date:
2026-03-04 01:05:04 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/89661e5a-ddea-41b4-80e3-909bd7c9d203

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55486/
Detection(s):
SecuriteInfo.com.FileRepMalware.76928771.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
70.0%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a784f9e1f958bf668360ae
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm evasive fingerprint hacktool installer-heuristic invalid-signature microsoft_visual_cc packed signed
Link:
https://www.filescan.io/uploads/69a784d910e80629d4fafe36/reports/8c13bb44-f399-415a-814b-c708cf134697/overview
Verdict:
Suspicious
Labled as:
Trojan.GenHeur
Link:
https://www.hybrid-analysis.com/sample/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Shelma.choy Trojan-PSW.Win32.Amatera.sb Trojan.Win32.Shelma.sb
Link:
https://opentip.kaspersky.com/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/70920148-0afc-45e5-817d-83d5b4c68eb6
Score:
7%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95/
Verdict:
Malicious
Threat:
Trojan.Win32.Shelma
Link:
https://tip.neiki.dev/file/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=emplx7libtxgfuoeulvbwrdinqyrx7euuh7fplz2ihxuwcdzpskq._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
ACRStealer
error
ACRStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260304-behb5abs71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Unpacked files
SH256 hash:
231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
MD5 hash:
3ac0c1b445c10d5af928c0c3ed8ea409
SHA1 hash:
1c0f9e610b7a043928956dc36cf513ff7a02168f
Link:
https://www.unpac.me/results/57c38a35-3aac-484c-ae0f-0fb260b80d91/
SH256 hash:
7de18a8f94737b8f630267eae34c9ab54da54c2db3354d9203a951e0bcacef08
MD5 hash:
e4c790d3af41620dc5ad513ae7fcadac
SHA1 hash:
4b878ba9652e806225dbcb3995a5bb55cb3456ba
Link:
https://www.unpac.me/results/57c38a35-3aac-484c-ae0f-0fb260b80d91/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/231ebbfd680c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3788869/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55486/

Comments