MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
SHA3-384 hash: 6ed1f6404b0b2521a9d311c76f2fb87c6315c327b76834e718feda5d6b616b32f5e169be969bb94015d16bb2bfb5e1ea
SHA1 hash: 5bca0d1868bd543d139162003fd5b8f14b57e1e5
MD5 hash: 949ce8d74fb987d0d11827a510cc730d
humanhash: nine-march-grey-yellow
File name:Setup_patched.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:2'630'144 bytes
First seen:2025-12-03 18:53:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:3yqDUun9yPw4pVgFtAV3JhlpSys6pMi1sAF08yY3Ozo5xda7XufoYkhgAY:C0n9yZHg/GZSH6J1TehY3so5xdgCWf
TLSH T1B2C533269AF89036D97627B045FF07F31A327D3086729E6A7284BE5E0D73258E4343B5
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter aachum
Tags:87-120-219-23 ACRStealer AutoIT CypherIT de-pumped exe


Avatar
iamaachum
https://disk.yandex.ru/d/sQYWFlxboO7WcA

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/54ca6157-50bb-4d6b-a993-172990d6be46/
Malware family:
n/a
ID:
1
File name:
Setup_patched.exe
Verdict:
Suspicious activity
Analysis date:
2025-12-03 18:48:55 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/c25601e9-6236-480e-9780-c76659033b18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42351/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6930861516e6db515e4662d2
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Launching the process to create tasks for the scheduler
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm autoit CAB expand installer installer installer-heuristic lolbin microsoft_visual_cc overlay overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69308722856673a0547df0bb/reports/ae22deec-39e4-4d66-bf8d-fa1930b7b405/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-03T16:03:00Z UTC
Last seen:
2025-12-05T13:15:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Autoit.sb Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.acydp
Link:
https://opentip.kaspersky.com/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cfbdd272-9245-49db-a219-9833851c513f
Result
Threat name:
ACR Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1825720
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1825720 Sample: Setup_patched.exe Startdate: 03/12/2025 Architecture: WINDOWS Score: 100 56 udolzcEnjYXQ.udolzcEnjYXQ 2->56 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Antivirus detection for URL or domain 2->66 68 5 other signatures 2->68 11 Setup_patched.exe 1 18 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 signatures5 70 Uses schtasks.exe or at.exe to add and modify task schedules 11->70 16 cmd.exe 1 11->16         started        19 at.exe 1 11->19         started        process6 signatures7 60 Drops PE files with a suspicious file extension 16->60 21 cmd.exe 4 16->21         started        24 conhost.exe 16->24         started        26 conhost.exe 19->26         started        process8 file9 54 C:\Users\user\AppData\Local\...\Jungle.com, PE32 21->54 dropped 28 Jungle.com 21->28         started        32 findstr.exe 1 21->32         started        process10 dnsIp11 58 87.120.219.23, 443, 49692, 49693 NET1-ASBG Bulgaria 28->58 72 Found many strings related to Crypto-Wallets (likely being stolen) 28->72 74 Tries to harvest and steal ftp login credentials 28->74 76 Tries to harvest and steal browser information (history, passwords, etc) 28->76 78 6 other signatures 28->78 34 chrome.exe 28->34         started        36 chrome.exe 28->36         started        38 chrome.exe 28->38         started        40 chrome.exe 28->40         started        signatures12 process13 process14 42 WerFault.exe 16 34->42         started        44 WerFault.exe 16 34->44         started        46 WerFault.exe 16 36->46         started        48 WerFault.exe 16 36->48         started        50 WerFault.exe 38->50         started        52 WerFault.exe 38->52         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/949ce8d74fb987d0d11827a510cc730d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6/
Verdict:
Malicious
Threat:
Trojan.Win32.Autoit
Link:
https://tip.neiki.dev/file/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obbiyh6x7cdzeoifafk6bi362zogtf4fl2fiiihc2lyjlgf2ltla._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251203-xjrx1sfl8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c840c3ae-6a2a-4ed3-a7f3-bb5516146139
Unpacked files
SH256 hash:
1c96d7126d854ad6d224189eb3058c4367f48dda27ed6cb282f11f9fcff6809e
MD5 hash:
76f9b7f668acfef3c1bded8236890e35
SHA1 hash:
d6483d43ed38aa705d27486636dac220ab630285
Link:
https://www.unpac.me/results/5f6d44cf-a4e9-4b83-b3ba-47dfdddfc6f0/
SH256 hash:
149c43689a0eac08420ac6087b3340535170acbfda88a85821d9590272edc882
MD5 hash:
bf8097361d26d672bab38957e37da280
SHA1 hash:
704360bac55757848755358a118ca515d20a441d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5f6d44cf-a4e9-4b83-b3ba-47dfdddfc6f0/
Parent samples :
6c5087d06021234b772afefdacfad8da2cf0a085bf2392ec2ad60f7544fc41f4
ced6f0e86377df269f92007123890005f6a96931901eca9b6b9da87fe5fab48f
c4e1711c4029933d1a4ec238edf1de5b275e73d7422305447742e5b713a478a0
70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
SH256 hash:
70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
MD5 hash:
949ce8d74fb987d0d11827a510cc730d
SHA1 hash:
5bca0d1868bd543d139162003fd5b8f14b57e1e5
Link:
https://www.unpac.me/results/5f6d44cf-a4e9-4b83-b3ba-47dfdddfc6f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

zip 18794a9b9d04286144e5ca91fdfec3c18da1860f17267ed68fe5e4ce3bbf993b

ACRStealer

Executable exe 70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6

(this sample)

  
Link
https://tria.ge/251203-xbggbaspes/behavioral2
  
Dropped by
SHA256 18794a9b9d04286144e5ca91fdfec3c18da1860f17267ed68fe5e4ce3bbf993b
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42351/
  
Dropped by
MD5 00c70fe113fbba486e9b539bfdae3d33

Comments