MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3
SHA3-384 hash: e89eef80cea1204cda7ca62f93e86b819d2ec40bb30cef2109472d6d9962316622226ba052bf0ff9fbcb5505c129f88f
SHA1 hash: 90c22c96594c52ceafa551c563e60fdf2f5c332f
MD5 hash: ae89db36336750fb87ea78a8d0ef0b83
humanhash: zebra-uncle-table-wyoming
File name:qgB7ZMYQE.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:1'912'968 bytes
First seen:2026-03-27 21:29:58 UTC
Last seen:2026-03-27 22:31:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5af915f278815e76bad476ef32593028 (4 x LummaStealer, 3 x ACRStealer, 2 x AmateraStealer)
ssdeep 24576:NanWkw4EZymTFzVe29jcpCDlHYwnJEFGaXZaaDnxOvzYqmh4bFa3Ev5:oAII9CYE4bFau5
Threatray 21 similar samples on MalwareBazaar
TLSH T138955B11FEC764F1E403163259BB22AF23399C050F36AA97DB84797DF9BB2D41826349
TrID 48.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.1% (.EXE) Win64 Executable (generic) (6522/11/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:77-238-236-29 ACRStealer dropped-by-RenPyLoader exe signed

Code Signing Certificate

Organisation:new-pay.heleket.com
Issuer:E8
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-04T03:08:11Z
Valid to:2026-06-02T03:08:10Z
Serial number: 0523cd54eaf24c39b6a3f8e80bec72b669bd
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 02a8c915ea7e44d6d6c3ba953fa9a626dadfd7362c1173e36689afd86becce7a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
iamaachum
https://file407985.host70v.cfd/

ACRStealer C2: 77.238.236.29

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
qgB7ZMYQE.exe
Verdict:
Suspicious activity
Analysis date:
2026-03-27 21:25:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57e51512-1552-4e80-b24d-f68ee1573859

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.24582723.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c6f5b1aacb4c376b14d5d2
Tags:
trojan shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-27T10:13:00Z UTC
Last seen:
2026-03-29T18:18:00Z UTC
Hits:
~100
Detections:
UDS:DangerousObject.Multi.Generic BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5e5471d-2136-407f-b664-300af420ce4d
Result
Threat name:
GO Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1890473
Signature
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GO Stealer
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1890473 Sample: qgB7ZMYQE.exe Startdate: 27/03/2026 Architecture: WINDOWS Score: 100 103 www.weebly.com 2->103 105 www.amd.com 2->105 107 6 other IPs or domains 2->107 131 Suricata IDS alerts for network traffic 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 8 other signatures 2->137 11 qgB7ZMYQE.exe 7 2->11         started        16 CircuitPilot.exe 2->16         started        18 powershell.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 123 77.238.236.29, 443, 49684, 49685 TELERU-ASRU Russian Federation 11->123 125 185.121.233.94 IPCORE-ASES Spain 11->125 95 C:\Users\user\ij.exe\CircuitPilot.exe, PE32+ 11->95 dropped 97 C:\Users\user\ij.exe\vcomp140.dll, PE32+ 11->97 dropped 99 C:\Users\user\ij.exe\amd_ags_x64.dll, PE32+ 11->99 dropped 177 Found many strings related to Crypto-Wallets (likely being stolen) 11->177 179 Tries to harvest and steal browser information (history, passwords, etc) 11->179 181 Writes to foreign memory regions 11->181 187 6 other signatures 11->187 22 CircuitPilot.exe 11->22         started        26 powershell.exe 15 57 11->26         started        29 chrome.exe 11->29         started        101 C:\Users\user\AppData\Local\TempBF554.tmp, PE32+ 16->101 dropped 183 Modifies the context of a thread in another process (thread injection) 16->183 185 Maps a DLL or memory area into another process 16->185 31 StreamA32.exe 16->31         started        33 XPFix.exe 16->33         started        35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        file6 signatures7 process8 dnsIp9 83 C:\ProgramData\MgrMaintain\CircuitPilot.exe, PE32+ 22->83 dropped 85 C:\ProgramData\MgrMaintain\vcomp140.dll, PE32+ 22->85 dropped 87 C:\ProgramData\MgrMaintain\amd_ags_x64.dll, PE32+ 22->87 dropped 151 Found direct / indirect Syscall (likely to bypass EDR) 22->151 39 CircuitPilot.exe 22->39         started        115 www.weebly.com 74.115.51.7, 443, 49709 WEEBLYUS United States 26->115 117 79.124.59.142, 49708, 49710, 49711 TAMATIYA-ASBG Bulgaria 26->117 153 Creates autostart registry keys with suspicious values (likely registry only malware) 26->153 155 Creates an autostart registry key pointing to binary in C:\Windows 26->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 26->157 159 2 other signatures 26->159 43 powershell.exe 40 26->43         started        46 conhost.exe 26->46         started        48 schtasks.exe 1 26->48         started        50 schtasks.exe 1 26->50         started        file10 signatures11 process12 dnsIp13 89 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 39->89 dropped 91 C:\ProgramData\StreamA32.exe, PE32+ 39->91 dropped 93 C:\Users\user\AppData\Local\...\C7D1892.tmp, PE32+ 39->93 dropped 161 Modifies the context of a thread in another process (thread injection) 39->161 163 Found hidden mapped module (file has been removed from disk) 39->163 165 Maps a DLL or memory area into another process 39->165 175 2 other signatures 39->175 52 StreamA32.exe 39->52         started        57 XPFix.exe 39->57         started        127 e2897.b.akamaiedge.net 23.217.124.103 AKAMAI-ASUS United States 43->127 167 Early bird code injection technique detected 43->167 169 Writes to foreign memory regions 43->169 171 Queues an APC in another process (thread injection) 43->171 173 Loading BitLocker PowerShell Module 43->173 59 MuiUnattend.exe 43->59         started        61 csc.exe 43->61         started        file14 signatures15 process16 dnsIp17 109 5.8.248.245 WIDETELECOM-ASIQ Russian Federation 52->109 79 C:\Users\user\AppData\...\Secure Preferences, JSON 52->79 dropped 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->139 141 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->141 143 Tries to harvest and steal browser information (history, passwords, etc) 52->143 149 5 other signatures 52->149 63 chrome.exe 52->63         started        66 chrome.exe 52->66 injected 68 chrome.exe 52->68 injected 72 3 other processes 52->72 145 Switches to a custom stack to bypass stack traces 57->145 111 mpla-clo.cc 172.67.149.95 CLOUDFLARENETUS United States 59->111 113 a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84 AMAZONEXPANSIONGB United States 59->113 147 Unusual module load detection (module proxying) 59->147 81 C:\Users\user\Bafijet\Rusiwatiw.dll, PE32 61->81 dropped 70 cvtres.exe 61->70         started        file18 signatures19 process20 dnsIp21 129 192.168.2.9, 443, 49683, 49684 unknown unknown 63->129 74 chrome.exe 63->74         started        77 WerFault.exe 66->77         started        process22 dnsIp23 119 googlehosted.l.googleusercontent.com 192.178.50.65 GOOGLEUS United States 74->119 121 clients2.googleusercontent.com 74->121
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwarm5urk65dmszkma33a5lopc4hqxs3mlmns7qljlm5rp6pbhbq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
amaterastealer
Create hunting rule
Similar samples:
02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
ACRStealer
10e74c75502512da56a2717c50f815d749607f76df45a9a0f9eecb8ee60f66b8
ACRStealer
21b27f53183f8613c33b50490e001e75678ad73944588987623cfddd67733cb0
ACRStealer
401309e3550e7cb31385ea5c345a45cc075f0970698fdf85495ea8d13a4c58e3
ACRStealer
59c793d693cccdcce3de19a3934c7e2b03540188972c4690ccce3688d7575be7
ACRStealer
770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db
ACRStealer
7ff5233b77dd61dbb39ae2ae22ed531d3c30863bba99f858d8d44a791cfcb4bc
ACRStealer
8b4a40d5bf036b2193ffe08ec01f8d5e5eebbd63ba793bea714965ba216362ff
ACRStealer
error
ACRStealer
f9716ee5dd7c68f16b578817d60d1baeff9502e339322eca4a78873e9e528c04
ACRStealer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:sectoprat defense_evasion discovery execution loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260327-1cm72aet8s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Hide Artifacts: Hidden Window
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
SectopRAT
SectopRAT payload
Sectoprat family
Unpacked files
SH256 hash:
558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3
MD5 hash:
ae89db36336750fb87ea78a8d0ef0b83
SHA1 hash:
90c22c96594c52ceafa551c563e60fdf2f5c332f
Link:
https://www.unpac.me/results/0e6aaaa4-075a-4754-9c8b-8be2a7b226e9/
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/558116769157/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 558116769157ba364b2a6037b0756e78b8785e5b62d8d97e0b4ad9d8bfcf09c3

(this sample)

  
Link
https://tria.ge/260327-z3n2kshs7l/behavioral2
  
Dropped by
RenPyLoader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/59566/

Comments