MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a67fd7e1f3bd5d1bca01efa7bd91407635d0c69e4d8924b0c4c87296dc11d40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash: 5a67fd7e1f3bd5d1bca01efa7bd91407635d0c69e4d8924b0c4c87296dc11d40
SHA3-384 hash: e9e0a7e42115d4818523711fc515f7cc7a2a3ccba62f270fe8b67d450c9dae72f8206c9745ba19e3c2214ccb63d5f199
SHA1 hash: 6021e8847189f411d1a913228a0c73eb59c5ff25
MD5 hash: 8cd18949fe86667303cd19c683310d55
humanhash: north-floor-sad-carbon
File name:ws-Setup-Complete.exe
Download: download sample
Signature ACRStealer
File size:523'776 bytes
First seen:2026-07-04 03:37:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:w/rPjP4yBY/2qkBF/JlU11KYuYGDjgyKhrFgtJas/JTwJWBGK4Nou:w/rPkyBGPIzlHYG4ZatJasRTyWBGK4t
TLSH T18EB49C4AEAC382F1EC035677326FF32B6B665D1ACD79CBDEE7E56E40A952240100F251
TrID 34.0% (.EXE) Win64 Executable (generic) (6522/11/2)
23.5% (.EXE) Win32 Executable (generic) (4504/4/1)
10.7% (.ICL) Windows Icons Library (generic) (2059/9)
10.5% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:ACRStealer exe stream-luminfrastructure-cc


Avatar
iamaachum
https://k6nlm0707259.cfd/ => https://mega.nz/file/kIdTxI7K#YzMKxntEKR59QcwU0t8s9jngZQImmY3BSaNwPm5DIHU

ACRStealer C2: stream.luminfrastructure.cc
ACRStealer DDR: https://telegra.ph/Executing-modules-as-scripts-06-16

Intelligence


File Origin
# of uploads :
1
# of downloads :
122
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
ws-Setup-Complete.exe
Verdict:
Malicious activity
Analysis date:
2026-07-04 03:31:10 UTC
Tags:
stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed stealer
Verdict:
Clean
File Type:
exe x32
First seen:
2026-07-02T05:37:00Z UTC
Last seen:
2026-07-03T21:34:00Z UTC
Hits:
~100
Result
Threat name:
ACR Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2026-07-02 12:12:47 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
5a67fd7e1f3bd5d1bca01efa7bd91407635d0c69e4d8924b0c4c87296dc11d40
MD5 hash:
8cd18949fe86667303cd19c683310d55
SHA1 hash:
6021e8847189f411d1a913228a0c73eb59c5ff25
Malware family:
ACRStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:pe_no_import_table
Description:Detect pe file that no import table

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 5a67fd7e1f3bd5d1bca01efa7bd91407635d0c69e4d8924b0c4c87296dc11d40

(this sample)

  
Delivery method
Distributed via web download

Comments