MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b3e4f80aa2deeaf56c5181cd3fc1b2ee545d053d29934408bb17ddd7ea2096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash: 41b3e4f80aa2deeaf56c5181cd3fc1b2ee545d053d29934408bb17ddd7ea2096
SHA3-384 hash: 109856f263411ca201941a5ab5c679ca747db77565e7330d2a7a8527de479a102d3c4762ca4852e0a3230848ee5b858c
SHA1 hash: f89bc89ecd064cacbcaa495da3d07e41d1f5ae67
MD5 hash: 148e75303ebb5618ed07c98cc8ea4200
humanhash: king-six-carolina-west
File name:gc.key
Download: download sample
Signature ACRStealer
File size:4'860'928 bytes
First seen:2026-07-13 17:07:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 846c60b7415e38d769a8b7a0468ed919 (3 x ACRStealer, 1 x Amatera)
ssdeep 24576:Rf8wWiTSflSHvLZ8+BlnS2kASxaEplYZinCnNrXzdZs6D65axf6/jkPmdL2/HGwT:ZAlYJD7Dmd2hOr4PEjy9
TLSH T17A2681127C0B0DC6F5881BBD01A87376DB8E8F128A00D3D6F2E158FBE4EA556C5593DA
TrID 21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
21.2% (.EXE) Win64 Executable (generic) (6522/11/2)
16.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
14.6% (.EXE) Win32 Executable (generic) (4504/4/1)
6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter monitorsg
Tags:ACRStealer ClearFake dll

Intelligence


File Origin
# of uploads :
1
# of downloads :
165
Origin country :
US US
Vendor Threat Intelligence
No detections
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm expand lolbin masquerade mingw packed
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Infostealer.Tinba
Status:
Malicious
First seen:
2026-07-13 17:09:41 UTC
File Type:
PE (Dll)
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
41b3e4f80aa2deeaf56c5181cd3fc1b2ee545d053d29934408bb17ddd7ea2096
MD5 hash:
148e75303ebb5618ed07c98cc8ea4200
SHA1 hash:
f89bc89ecd064cacbcaa495da3d07e41d1f5ae67
SH256 hash:
b3708f27ddaebb5f2f256416e5082de39dd48d2a9b2bf0e9076794c3c4ca8506
MD5 hash:
6a950ac68feeb2baa61b7914015c1702
SHA1 hash:
c6661c64931f9db4d5ee8a3a555e5b6a8b4d4f75
Malware family:
ACRStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:pe_detect_tls_callbacks
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026
Author:SixHands
Description:Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

DLL dll 41b3e4f80aa2deeaf56c5181cd3fc1b2ee545d053d29934408bb17ddd7ea2096

(this sample)

  
Delivery method
Distributed via web download

Comments