MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 19 File information Comments

SHA256 hash:	2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f
SHA3-384 hash:	3295ed2d5d367397bd49767dac91313fa78aa3984fe0046e44f91071f460f17db7c82d6363091a55218a0c0533a1262e
SHA1 hash:	579194aef56567728c3f022454c5a40b5bc61d2c
MD5 hash:	ba521a29c4868e0aaeba5fe1a7ba8cca
humanhash:	sink-bakerloo-california-potato
File name:	2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f.zip
Download:	download sample
Signature	ACRStealer Create hunting rule
File size:	9'006'998 bytes
First seen:	2025-12-23 11:27:39 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	98304:I8AdF3L0VpAhlQRv1LPt+lCRXA7MOTYvqQj63u0wCZa1sJbP3dqx4Bt/:rZpA47TtcCFS67SwyVDP/
TLSH	T125966B13A692C632C0BD11B484AA9278573ABC151F508ECF77D8A93879E77E07E3135B
TrID	72.4% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3) 27.5% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	JAMESWT_WT
Tags:	ACRStealer zip

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

File Archive Information

This file archive contains 17 file(s), sorted by their relevance:

File name:	NLEService.dll
File size:	295'936 bytes
SHA256 hash:	15c4860f2e0530bc896f9b07f893b32b13cffe40c909293b6232bd5696a5f71a
MD5 hash:	77bffd6a7270bf001aaba999de8394f9
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	ExceptionHandler.dll
File size:	131'584 bytes
SHA256 hash:	6036be1c9a8819998ad10879dff6c04edc787d34a142a3e0841c0fca36fb9c6e
MD5 hash:	7c76e3100bd67c47f176a0edde3ef79a
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	BugSplat.dll
File size:	303'568 bytes
SHA256 hash:	4b33ee0e8a4153c0c8ccd945adb18d8f91b5b824746a15986bf6781f081f9968
MD5 hash:	27d48c6c48d5259a4e2ad7be369ce906
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	WsBurn.dll
File size:	2'504'192 bytes
SHA256 hash:	8fcae9719a3f831cb73ef50b587a6222ff73d6c1a6ae617636cb31c6e02d5e3a
MD5 hash:	c6328e8342538b7e2502b752e5cb1e28
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	DBGHelp.dll
File size:	992'208 bytes
SHA256 hash:	c1275ddf04a0942b416c1a0b2d32003a4eda732c6f97c74181c236e35d12420f
MD5 hash:	3094481f0cb0531b407d2388ecb4b85f
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Kendfendjiel.zwyy
File size:	7'528 bytes
SHA256 hash:	52a7723234873d8d51dd16370fe521101f5b80c980ef4aeaf54b83a2fccb0e6e
MD5 hash:	8afbb2b9bad3a83aefc1812364ecd92b
MIME type:	application/octet-stream
Signature	ACRStealer

File name:	DVDSetting.dll
File size:	42'496 bytes
SHA256 hash:	718cfb5195d0e43e795627c781fb3f427856f1cf29f33eedbbc6059b6f214549
MD5 hash:	05c88530d48f20ec24dbc4df3470e57d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	SlideShowEditor.ini
File size:	47 bytes
SHA256 hash:	d8da65acc79167d53decab2d59c3f6dbfba37fb20fcdbfe3e260a9a8b45597f1
MD5 hash:	bab28424af84abfe9985aa887856afcb
MIME type:	text/plain
Signature	ACRStealer

File name:	WSUtilities.dll
File size:	186'368 bytes
SHA256 hash:	30b9b877aa1112105069be6b4de794b7a7147a1d968e71fa63f2edc7397e126f
MD5 hash:	54b87d3271a4fa9b1e1fea51c2ef9c14
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	1 boleta judicial.exe
File size:	2'513'640 bytes
SHA256 hash:	44f009ca786bc541cda11c61bab7b272e96ce9e3d656c10bdac2e126f3a9cc35
MD5 hash:	a4b240cce6e3da6e959f33bd82394034
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	NLETransitionMgr.dll
File size:	127'488 bytes
SHA256 hash:	41050f6f6919a4516d481f7c9b5fe6074c447afc6e9cc28d180982eea50ae165
MD5 hash:	b27ec2286daa245ceb0688df5b7f574d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Wiekdieng.uvuy
File size:	1'213'290 bytes
SHA256 hash:	46f6654e32d83e7576a4ed7ea4f10731d72c495cf225018d1c0b36fb0f2bd42c
MD5 hash:	8d4c0c837eea77ad39e62aba3f9371e9
MIME type:	application/octet-stream
Signature	ACRStealer

File name:	WS_ImageProc.dll
File size:	227'328 bytes
SHA256 hash:	58ef42507d9fc1e8a7b240ef5cddc9f600c3d9a61ee6a42a4045278bb332b86a
MD5 hash:	23b3a972dc6e25581b6fa9e01bafc375
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	2
File size:	346 bytes
SHA256 hash:	49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
MD5 hash:	24d3b502e1846356b0263f945ddd5529
MIME type:	text/plain
Signature	ACRStealer

File name:	WS_Log.dll
File size:	224'256 bytes
SHA256 hash:	bc527003768b535b0a7586083b36299d920b4351d0cbc2f7cf2d756197f773c2
MD5 hash:	482518d2d16c7a05bebdb957b87bed4f
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	NLEResource.dll
File size:	171'008 bytes
SHA256 hash:	7cd5072111581133c5e28b56bef060b3d3b0d8acca3396ef23c6c384eb292d25
MD5 hash:	b5b2c99fbe00ce2d3be66890a55640ae
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	COMSupport.dll
File size:	60'928 bytes
SHA256 hash:	b1038928a6da2a1b5064a27187403563f3ab7e8d4ec034dfa8d5d3f6be231191
MD5 hash:	976ef4af05e92e4dbb612756e6798a37
MIME type:	application/x-dosexec
Signature	ACRStealer

Vendor Threat Intelligence

Malware configuration found for:

HijackLoader

Details

HijackLoader

an XOR key and XOR-decrypted/LZNT1 decompressed component

Link:

https://research.acce.ciphertechsolutions.com/results/45897a08-0e3d-41fe-9f95-df1977bdd0bc/

Detection(s):

ditekSHen.MALWARE.Win.Ransomware.STOP.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e6ae0f7f305fa2545db1e9

Tags:

downloader injection dropper

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

zip

First seen:

2025-12-23T08:35:00Z UTC

Last seen:

2025-12-23T09:33:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f/results?tab=lookup

Score:

10%

Verdict:

Benign

File Type:

Result

Malware family:

xworm

Score:

10/10

Tags:

family:hijackloader family:xworm discovery rat trojan

Link:

https://tria.ge/reports/251223-npvfnavrfy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Loads dropped DLL

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

envio.dynuddns.net:1234

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/2336d0778931e72af226ca5a9ddc6470487065da61389252fd6b782ef4ff562f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Surtr Create hunting rule
Author:	Katie Kleemola
Description:	Rule for Surtr Stage One

Rule name:	SurtrStrings Create hunting rule
Author:	Katie Kleemola
Description:	Strings for Surtr

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample