MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b7d0dd9b3a6eb3527f9a2d2e5d5d6d132dd3a2826b7a003492c680d671bf224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 9



SHA256 hash: 6b7d0dd9b3a6eb3527f9a2d2e5d5d6d132dd3a2826b7a003492c680d671bf224
SHA3-384 hash: ace00f8f7dc8f9020a5789b0227cb7c0b683bf6be20b5db9e286bdc2413b057b8edf318eb111d490570bb1807f121ca4
SHA1 hash: 71385be9932cd6c6211d5b0d6f36798d48ff9843
MD5 hash: 7dd7e0ebc5b87d689376da2a994302f4
humanhash: arkansas-network-south-oxygen
File name: setup_patched.exe
Signature: ACRStealer
File size: 13'514'752 bytes
First seen: 2025-05-18 10:57:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 98304:SNmI8t+G7ixpuUYHqMU1kEW062lJQArI8t+G7ixpuUYHqMU1kEW062B:SNmZ17ixwfHqMUrrZ17ixwfHqMUj
TLSH: T192D68C52B54089B1E9D612784DAFD6B22638AD816F1042C73389BBFC2FF5F84DE25358
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: cac47aaaa4a4a4a4 (4 x ACRStealer, 1 x LummaStealer)
Reporter: aachum
Tags: ACRStealer de-pumped exe


iamaachum
https://ttotemany.blog/?pub_id=321&key=5odZ1peYLhCuTziyWXtaf7SOqwlPFrJIUQ3vcNDMK0s8&site_id=397&data=cY6vrkpFJmalH3wI4 => https://www.mediafire.com/file/ks5e1a4vpvrvp3i/%F0%9D%97%97%F0%9D%97%A2%F0%9D%97%AA@%F0%9D%97%A1%F0%9D%97%9F%F0%9D%97%A2%F0%9D%97%94%F0%9D%97%97$_%F0%9D%97%96%F0%9D%97%A2%F0%9D%97%A0%F0%9D%97%A3%F0%9D%97%9F%F0%9D%97%98%F0%9D%97%A7%F0%9D%97%98%E2%9D%8F%E2%A4%96%F0%9D%97%A6%F0%9D%97%98%F0%9D%97%A7%F0%9D%97%A8%F0%9D%97%A3%E2%9C%B7%F0%9D%97%96%F0%9D%97%A292%F0%9D%97%97%F0%9D%97%98#$$8466.tar/file

Intelligence


File Origin
# of uploads: 1
# of downloads: 483
Origin country: ES

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: setup_patched.exe
Verdict: Malicious activity
Analysis date: 2025-05-18 10:53:51 UTC
Tags: stealer loader delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: dropper spawn hype

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Adding an access-denied ACE
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context base64 fingerprint lolbin microsoft_visual_cc overlay packed packer_detected remote
Result
Threat name: ACR Stealer
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Contains functionality to change the wallpaper
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes many files with high entropy
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1693318; sample: setup_patched.exe; start date: 18/05/2025; architecture: WINDOWS; score: 100)

Network contacted (whole graph):
  trustdomainnet.live
  data-seed-prebsc-1-s1.binance.org
  a8a00b7a27dd309f6.awsglobalaccelerator.com
Signatures (whole graph): Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree (indentation shows parent/child; dropped files, network and signatures listed under the process that produced them):
  setup_patched.exe
    Network: 172.67.221.174, 443, 49721, 49722 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\user\hjksfwe.exe (PE32); C:\Users\user\hjksfaf.exe (PE32)
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Drops PE files to the user root directory; Tries to harvest and steal ftp login credentials; 9 other signatures
    hjksfwe.exe
      Dropped: C:\Users\user\dx0.dll (PE32); C:\Users\user\IconX.dll (PE32); C:\Users\user\DistriCompiler89.exe (PE32); C:\Users\user\DirectGUI.dll (PE32)
      Signatures: Multi AV Scanner detection for dropped file; Drops PE files to the user root directory
      DistriCompiler89.exe
        Dropped: C:\ProgramData\Iaclientv2\dx0.dll (PE32); C:\ProgramData\Iaclientv2\IconX.dll (PE32); C:\ProgramData\...\DistriCompiler89.exe (PE32); C:\ProgramData\Iaclientv2\DirectGUI.dll (PE32)
        Signatures: Contains functionality to change the wallpaper; Contains functionality to automate explorer (e.g. start an application); Contains functionality to register a low level keyboard hook; 2 other signatures
        DistriCompiler89.exe
          Dropped: C:\Users\user\AppData\Local\...\A80634D.tmp (PE32); C:\ProgramData\VirtuServer128.exe (PE32); C:\ProgramData\Iaclientv2\7za.exe (PE32+)
          Signatures: Contains functionality to change the wallpaper; Contains functionality to automate explorer (e.g. start an application); Modifies the context of a thread in another process (thread injection); 4 other signatures
          VirtuServer128.exe
            Network: a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84 (AMAZONEXPANSIONGB, United States)
            Signatures: Writes many files with high entropy; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
          7za.exe
            conhost.exe
    hjksfaf.exe
    chrome.exe
      WerFault.exe
      WerFault.exe
    3 other processes
      WerFault.exe
      WerFault.exe
  DistriCompiler89.exe
    Dropped: C:\Users\user\AppData\Local\...\C4E20E0.tmp (PE32)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    VirtuServer128.exe
      Network: trustdomainnet.live 104.21.20.51 (CLOUDFLARENETUS, United States)
      Dropped: C:\ProgramData\Direct\testarc.zip (Zip); C:\ProgramData\Direct\ronin\...\logo.png (PNG); C:\ProgramData\Direct\okx\static\video.mp4 (ISO); 26 other malicious files
      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
    7za.exe
      conhost.exe
  DistriCompiler89.exe
    7za.exe
      conhost.exe
Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files

SHA256 hash: 6b7d0dd9b3a6eb3527f9a2d2e5d5d6d132dd3a2826b7a003492c680d671bf224
MD5 hash: 7dd7e0ebc5b87d689376da2a994302f4
SHA1 hash: 71385be9932cd6c6211d5b0d6f36798d48ff9843

SHA256 hash: 452236c163ce17b863b141a6d703a12dd7dbd59056ca91fff7a95476b7891ffa
MD5 hash: 248c2a8e3ae96d412bef0482c2e72287
SHA1 hash: abb9ffce59c81277d2a355278e7c261d28005a2b

SHA256 hash: dab997afc873163343e61e0637b5eaad92d8e315903a606fd07ba061d43da301
MD5 hash: 0edd95da584b4378d95ff7b65726b0de
SHA1 hash: 1a3ed565a25cbb709eab55288337ff246a5abf7d

SHA256 hash: 185b3ddd77f89dee753913b63a73fcf741339bf5fe6aa1fb8bf35205453ea0f1
MD5 hash: b0d00cc9e91a5742de60a99817d9e0b3
SHA1 hash: 7ed35ddb8629c58c43afaf9195ff042d5fbf08c4

SHA256 hash: 9ee2e7297de53ca1ed2cb5e7b6f213a2414faee597becbba1384946eab8a4673
MD5 hash: 5901670e531f53e8dd9420cb58fa8e07
SHA1 hash: f195e26887f42079542fe51f4dde968686249b77

SHA256 hash: 214a872761863265009c9cfdabee53b6ddb04c9e8a3f9d85bb49d807885a1ecf
MD5 hash: 1d68b0f4e9f6fa046eb63cc3f2f34d1a
SHA1 hash: 21b7065fcccd79141d2df45d7e94ad4ed98bd027

SHA256 hash: 5ba43fd67d38a843bec8999888144c741dbbc830bfafcd0e05f2f16911f16b4e
MD5 hash: 9dedf2bd298f603a8eea462754c6b3dd
SHA1 hash: 9fa5aa9857251353b7c09b1a5d3ec62b78a26374

SHA256 hash: 918d3856bb6b33fe83110f254fd346d4eb32a1809713590594b3ed367e1885e5
MD5 hash: 02b0326a305ef8b13c98f18626802930
SHA1 hash: b5a0dce3c89e198390105bec0617b88f87022412

SHA256 hash: 463b35b8f89c40dd2cd8d647d2e826a590dd369d0ad743f64b122b9735712dcd
MD5 hash: 4b45cdf9ccb566ed65fbcdacd579dc5c
SHA1 hash: 912344749be556095c3f07733b96130650acbbed

SHA256 hash: bcf6fbbdf1ad402dc761f87d79688c9b81aa70d63b835fc6618fc8e0686f39f4
MD5 hash: 81d9bcceb78795cd0315b24960f2d130
SHA1 hash: a697a3d09e3f9d0ee69df229d14e7e9ae671829b

SHA256 hash: 06fc132e0e256b9a4e4ddd05d3af4d75e40c750eccf94a76251b104c65cffcdf
MD5 hash: bbcfeab7e871cddac2d397ee7fa91fdc
SHA1 hash: bb9471b0476b8382039fa879e88b06608b653273

SHA256 hash: 075c40f08c44089e979f70d1475e84b64d75966b8207c1f20c6b7f8481c08e3c
MD5 hash: 1b2c60a6d6c3833b413943862b2bfed8
SHA1 hash: 1c00eaae1370e63f22841018e70e6090790a4300

SHA256 hash: 0acbbaa648ffbcc6375736dd35ee7a20bfcf5976dfc558ca72d820e7f7cdad85
MD5 hash: 9a055da2f2819f155c33d47cd67a7c00
SHA1 hash: 1ca0a282dbd483972b40bf4ccff4f747227f422c

SHA256 hash: 222ef8e7f4234ee53f17d69d92eeac60f29e1c1f768f276a7a66684319af3448
MD5 hash: 4861bd64e276029bfe1df55754504844
SHA1 hash: b6487b1cfa62c669006f2477e6d1ce27572bbc70

SHA256 hash: 40c28c9c0b1fc26d450008c7109e3adcb468953e27670df133824f9969ad1de9
MD5 hash: 6aa8bb224b30a20a5d07a2734568d6d7
SHA1 hash: aaa44c985f887a74b5bbd8f85894ca2c70fd7f74

SHA256 hash: 60e3ba31839982af1805fc68083d8f9fc1e6a2a69baf064828f243650ca5a8ba
MD5 hash: f2dd41b3cef71efc5f1c0b9948246e31
SHA1 hash: bdc43e5bc53abe65e95cf767e120216d8217717f

SHA256 hash: 8cd62185703a5543707725cbe0f4e997aa080e0ee1eb0391d8929e2f43c40b35
MD5 hash: a39df582ca051afc8811fbd00db12f10
SHA1 hash: f8e76d1f160d5fe0ada4389e44f18a1667d90afd

SHA256 hash: 93bb82eb2786708add9f1538283658ee949aa79e658196f0386ad88fb61320b1
MD5 hash: 066f7fcca265d01a5b7eaf41ade789b1
SHA1 hash: dcfd5d499c71f83d4a3b7026728ad79eeab13f89

SHA256 hash: a0b2b5e50eff3968c6c05cf18fc93ba3fd2a5de6c35bda609b14e9247e99d2e3
MD5 hash: 50914702cb6c72275018643c557ef8c5
SHA1 hash: a60b307966ae1329ff1c16f187117768179bb719

SHA256 hash: cd54cce0f7c8936baa14b3a3b22630f076a55dcb8268b4b4ce1e3f331ccc2de0
MD5 hash: 01d0aac146a689f6507c575fda330fc3
SHA1 hash: 318704d4e861c529d1cd4c544791bc3e7bc797cc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: ACRStealer
File type: Executable exe
SHA256 hash: 6b7d0dd9b3a6eb3527f9a2d2e5d5d6d132dd3a2826b7a003492c680d671bf224 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID                 Capabilities                       Evidence
COM_BASE_API       Can Download & Execute components  ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API          Manipulates System Shell           SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API  Can Create Process and Threads     KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                  KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API    Can Create Files                   KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API       Performs GUI Actions               USER32.dll::CreateWindowExW

Comments



commented on 2025-05-18 11:01:32 UTC

Wrong link. Should be https://zasdxcvfdsxccdff.click/?fR95wo6q4pQnEuY8OLBilJMTxvgAZ0t3X7HCFDaz=slT2YPOgD6kVrBURGIhvzMK1a47e9WEpmJ0CqFuojiS=7XYh0MgSuaBOyWQxwmG1JdfvDIkNUKLbqFV8rzAes52RoHP&p_title=xdGDvwhQpkFmVYrP7LZ3tiIW8f5 => https://mega.nz/file/wFYRRbxY#4JpjTkXmBToVZqp9kY_krpwZY9tMSZUsFaUoeCvNFd0