MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3855f94e68b2b0353b8e318a2864b959631ecff88e90fddde4e5a77c69acac72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 13



SHA256 hash: 3855f94e68b2b0353b8e318a2864b959631ecff88e90fddde4e5a77c69acac72
SHA3-384 hash: e59b2ccf37f6ebab4987ae4ce53b87f2c1e438f28e8ed8cb5b4cf05574fc997f2111c88b6aa9b0d8c705f3c2f6bbee92
SHA1 hash: e3abc5b9332579b9b99f490616d33ef7142e223a
MD5 hash: a23a1b44ccc709bcbbc23ee3cd6fb342
humanhash: maryland-ohio-lactose-september
File name: set-up.exe
Signature: ACRStealer
File size: 1'863'680 bytes
First seen: 2026-07-04 03:44:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (103 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep: 49152:6uZjf8vFf0Btbti2Qqz0X+c2ddIp6GUCDiW:vj0YKqz0u7du6qd
TLSH: T1F485231592F050D7E3B147B0889E925242B1BC311F2551AF22C4DEBE2F63AD8E539BE7
TrID: 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.6% (.ICL) Windows Icons Library (generic) (2059/9)
      5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 006286010b130c8c (1 x ACRStealer)
Reporter: aachum
Tags: ACRStealer AsgardProtector exe stream-pawpalace-cc


iamaachum
https://macinfosoft.org/ => https://mega.nz/file/naxxmKCJ#8DbemjdsRUKrAxZ_IkmrjkWQNK8upoLgYuFqoq-hiYQ

ACRStealer C2: stream.pawpalace.cc

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: ES

Vendor Threat Intelligence
Malware configuration found for: Archives AutoIt
Malware family:
ID: 1
File name: set-up.exe
Verdict: Malicious activity
Analysis date: 2026-07-04 03:31:39 UTC
Tags: generic autoit auto-startup vidar stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: phishing autorun autoit emotet

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Creating synchronization primitives
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Launching the process to create tasks for the scheduler
Unauthorized injection to a recently created process by asynchronous procedure call
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug autoit CAB expired-cert explorer fingerprint installer installer installer-heuristic keylogger lolbin microsoft_visual_cc packed reconnaissance rundll32 runonce sfx

Verdict: Malicious
File Type: exe x64
First seen: 2026-07-04T00:14:00Z UTC
Last seen: 2026-07-04T00:40:00Z UTC
Hits: ~10
Detections: Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb Trojan.Win32.Autoit.adenn PDM:Trojan.Win32.Generic

Result
Threat name: ACR Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected ACR Stealer
Behaviour
Behavior Graph (ID 1937371; sample set-up.exe; start date 04/07/2026; architecture WINDOWS; score 100), process tree reconstructed from the graph's node and edge list:

set-up.exe [node 10]
  dropped: C:\Users\user\AppData\Local\...\AutoIt3.exe (PE32)
  signature: Uses schtasks.exe or at.exe to add and modify task schedules
  started AutoIt3.exe [node 16]
    dropped: C:\Users\user\AppData\...\QuantumGuard.exe (PE32)
    dropped: C:\Users\user\AppData\...\QuantumGuard.vbs (ASCII)
    signatures: Bypasses PowerShell execution policy; Queues an APC in another process (thread injection); Injects a PE file into a foreign processes; 2 other signatures
    started AutoIt3.exe [node 24]
      network: stream.pawpalace.cc (104.21.56.201, ports 443, 49701, 49702; CLOUDFLARENET-CloudflareIncUS, Canada)
      network: e703cad0-1b37-4cd4-b3d6.tapscalafilepro.net (104.21.48.170, ports 443, 49710; CLOUDFLARENET-CloudflareIncUS, Canada)
      network: 2 other IPs or domains
      signatures: Early bird code injection technique detected; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; 2 other signatures
      started dllhost.exe [node 34]
        network: 167.233.205.164, port 7000 (HETZNER-ASDE, Germany)
        signature: Unusual module load detection (module proxying)
      started chrome.exe [node 38]
        started chrome.exe [node 44]
          network: www.google.com (142.251.154.119, ports 443, 49704; GOOGLE-GoogleLLCUS, United States)
      started powershell.exe [node 40]
        started conhost.exe [node 47]
      started powershell.exe [node 42]
        started conhost.exe [node 49]
  started at.exe [node 20]
    started conhost.exe [node 28]
wscript.exe [node 14]
  signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  started QuantumGuard.exe [node 22]
    started QuantumGuard.exe [node 30]
      signature: Hides threads from debuggers
    started QuantumGuard.exe [node 32]

Sample-level node (node 2): network stream.pawpalace.cc, nSrIwmKvsTCrgnThV.nSrIwmKvsTCrgnThV, 3 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Multi AV Scanner detection for submitted file, Yara detected ACR Stealer, 3 other signatures.
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 3855f94e68b2b0353b8e318a2864b959631ecff88e90fddde4e5a77c69acac72
MD5 hash: a23a1b44ccc709bcbbc23ee3cd6fb342
SHA1 hash: e3abc5b9332579b9b99f490616d33ef7142e223a

SHA256 hash: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
MD5 hash: 0adb9b817f1df7807576c2d7068dd931
SHA1 hash: 4a1b94a9a5113106f40cd8ea724703734d15f118
Parent samples:
note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: ACRStealer, Executable exe, SHA256 3855f94e68b2b0353b8e318a2864b959631ecff88e90fddde4e5a77c69acac72 (this sample)

Delivery method: Distributed via web download

Comments