MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
SHA3-384 hash: 65a3e481f1501f9cc563003e417ffbd0a09fa2245eabf12808c2c9833f0c640573103326fe3ebd38a16e0f55c7359db1
SHA1 hash: 464017cb83b085d66ee577590a17440fc149573e
MD5 hash: 00b02c12df9e82202963e7090dc5c034
humanhash: vermont-april-berlin-alabama
File name:activate.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:1'153'192 bytes
First seen:2025-12-03 19:51:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:TyfibjWwiHI8APdqT+j6fe9efPHlAPEXSAKb2C3moiVFp6Y:m6ewi9T+SAcXiC9Vp
TLSH T17A35231256C8E932E4EA2B7028FA03930A37FDF14998D3663E45165F8DB3384A57573B
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter aachum
Tags:87-120-219-23 ACRStealer AutoIT CypherIT exe


Avatar
iamaachum
https://stormcentre.org/

ACRStealer C2: 87.120.219.23

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/1baf33f6-961a-45af-945f-315a2dec5ab6/
Malware family:
n/a
ID:
1
File name:
activate.exe
Verdict:
Malicious activity
Analysis date:
2025-12-03 19:53:51 UTC
Tags:
autoit stealer
Link:
https://app.any.run/tasks/ee6c232b-1bfa-48ef-8d85-d7bc3beae461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42374/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693094f016e6db515e466c36
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Launching the process to create tasks for the scheduler
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context at autoit CAB expand explorer infostealer installer installer installer-heuristic invalid-signature lolbin lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx signed
Link:
https://www.filescan.io/uploads/693094ed856673a0547e09df/reports/6739736c-c778-4130-8e78-d97305375d86/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-02T12:20:00Z UTC
Last seen:
2025-12-05T09:38:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Autoit.sb Trojan.Win32.Autoit.acycw Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c9b56e98-5481-4b04-bbed-df7b386cb545
Result
Threat name:
ACR Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1825775
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1825775 Sample: activate.exe Startdate: 03/12/2025 Architecture: WINDOWS Score: 100 64 RlWmWupKZi.RlWmWupKZi 2->64 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Antivirus detection for URL or domain 2->74 76 5 other signatures 2->76 11 activate.exe 1 18 2->11         started        14 elevation_service.exe 2->14         started        16 rundll32.exe 2->16         started        signatures3 process4 signatures5 78 Uses schtasks.exe or at.exe to add and modify task schedules 11->78 18 cmd.exe 1 11->18         started        21 at.exe 1 11->21         started        process6 signatures7 68 Drops PE files with a suspicious file extension 18->68 23 cmd.exe 4 18->23         started        26 conhost.exe 18->26         started        28 conhost.exe 21->28         started        process8 file9 62 C:\Users\user\AppData\...\Conversion.com, PE32 23->62 dropped 30 Conversion.com 23->30         started        34 findstr.exe 1 23->34         started        process10 dnsIp11 66 87.120.219.23, 443, 49695, 49696 NET1-ASBG Bulgaria 30->66 80 Found many strings related to Crypto-Wallets (likely being stolen) 30->80 82 Tries to harvest and steal browser information (history, passwords, etc) 30->82 84 Modifies the context of a thread in another process (thread injection) 30->84 86 4 other signatures 30->86 36 msedge.exe 30->36         started        38 chrome.exe 30->38         started        40 chrome.exe 30->40         started        42 5 other processes 30->42 signatures12 process13 process14 44 WerFault.exe 16 36->44         started        46 WerFault.exe 36->46         started        48 WerFault.exe 16 38->48         started        50 WerFault.exe 16 38->50         started        52 WerFault.exe 40->52         started        54 WerFault.exe 40->54         started        56 WerFault.exe 42->56         started        58 WerFault.exe 42->58         started        60 4 other processes 42->60
Score:
30%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/00b02c12df9e82202963e7090dc5c034
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41/
Verdict:
Malicious
Threat:
Trojan.Win32.Autoit
Link:
https://tip.neiki.dev/file/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-12-03 01:54:23 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3myy242d4h55yp5d6eyxb4zdafhze3i42zwlkk63ygy6sngvvaq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251203-ylg19sfq4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e83e8d3-a488-4a1a-8f74-06b80a8e35d7
Unpacked files
SH256 hash:
86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
MD5 hash:
00b02c12df9e82202963e7090dc5c034
SHA1 hash:
464017cb83b085d66ee577590a17440fc149573e
Link:
https://www.unpac.me/results/41b9ed34-489d-4ce2-b6d1-9b2734deb8a8/
SH256 hash:
d5fd5f7965968a9043ae72415cbcbe3d0ff0960a4b995f9264bd453b792d7ed5
MD5 hash:
d88e69aea2b2f7afcf778fccbc6854dd
SHA1 hash:
b40d151b5f2710f79a09b8501c93eb4aeaa52c36
Link:
https://www.unpac.me/results/41b9ed34-489d-4ce2-b6d1-9b2734deb8a8/
SH256 hash:
149c43689a0eac08420ac6087b3340535170acbfda88a85821d9590272edc882
MD5 hash:
bf8097361d26d672bab38957e37da280
SHA1 hash:
704360bac55757848755358a118ca515d20a441d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/41b9ed34-489d-4ce2-b6d1-9b2734deb8a8/
Parent samples :
6c5087d06021234b772afefdacfad8da2cf0a085bf2392ec2ad60f7544fc41f4
ced6f0e86377df269f92007123890005f6a96931901eca9b6b9da87fe5fab48f
c4e1711c4029933d1a4ec238edf1de5b275e73d7422305447742e5b713a478a0
70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
SH256 hash:
e0349885df9e41367a4659ed1c026b902931bcfb162164ec86186d5ef42ea523
MD5 hash:
8258c9bb2f5c1c78e0266f292a211669
SHA1 hash:
70b12e321668681a2236f3441c65a7e33a8d5769
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/41b9ed34-489d-4ce2-b6d1-9b2734deb8a8/
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86d98c6b9a1f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41

(this sample)

  
Link
https://tria.ge/251203-yeyqfafp7t/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42374/

Comments