MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2905c9c894e3fd2717b3a6a38a32e71682dfa548ece3172903de4fd29a9dc87e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 11


SHA256 hash: 2905c9c894e3fd2717b3a6a38a32e71682dfa548ece3172903de4fd29a9dc87e
SHA3-384 hash: aea8e19466b0ca24c794ae764a7507154b27a688614d592bdf50f7a96b097bcd8a905e62ea7abb15b6557335d60f610d
SHA1 hash: cac2af505148ef38e6ef4f983f5788a118fbba00
MD5 hash: b855df8b71cd81605bd45e4058cc9b64
humanhash: magnesium-uranus-maine-washington
File name: GVJXQUQR.msi
Signature: ACRStealer
File size: 5'705'728 bytes
First seen: 2026-03-05 10:09:35 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:0h7gdMRmOUzm4pDJuOZV15R/DlbkTw1zV7Vpz3BnRjzgoeB1HJWN15NN:0WMRmD3ptdZRblbkTy7j3BRjzgxBpJEP
Threatray: 196 similar samples on MalwareBazaar
TLSH: T198463394EBC85A36E4A2013898CA46FC1A712CB843F5C42BB5AF79F0DEF2F6E1055750
TrID: 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
      22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
      9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: zhuzhu0009
Tags: ACRStealer msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: SG
Vendor Threat Intelligence
Malware configuration found for: HijackLoader, MSI
Details:
  HijackLoader: embedded components, an injection process, and filepaths
  HijackLoader: an XOR key and XOR-decrypted/LZNT1-decompressed component
  MSI: an embedded setup program or component
Verdict: Malicious
Score: 90.2%
Tags: virus
Result
Verdict: UNKNOWN
Details:
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
File Type: msi
Detections: HEUR:Trojan.Win32.Loader.gen, Trojan.Win32.Strab.sb, Trojan.Win32.Penguish.sb, Trojan.Win32.Agent.sb
Threat name: Win32.Trojan.Hijackloader
Status: Malicious
First seen: 2026-03-05 05:20:02 UTC
File Type: Binary (Archive)
Extracted files: 891
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery loader persistence privilege_escalation ransomware spyware stealer
Behaviour:
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Drops file in Drivers directory
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse
Hijackloader family
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base63-encoded PowerShell script.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
