MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
SHA3-384 hash: b5fc0a99de56fc467eedfc4b6d62d87f2fc4414e129f949e09d18aa5396ff6b800cfcad58ba98c39f07cbcee4d0858eb
SHA1 hash: e28aa8c23c96bde501b8df69f70656daee8e3b1f
MD5 hash: 886db440049f1ec018b7f8e6dae7f8a0
humanhash: magazine-crazy-louisiana-november
File name:VulcanMessage5.dll
Download: download sample
Signature ACRStealer
Create hunting rule
File size:1'990'728 bytes
First seen:2026-05-18 22:31:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2f307598ade8fe7e1696a56203dfaaa5 (4 x ACRStealer, 1 x Amatera)
ssdeep 49152:dH6CoyxYmdLNWWS5VyO1bAAii6x1fH4ia5At/y:dH6CZNlOdkoA4
Threatray 652 similar samples on MalwareBazaar
TLSH T15295BF22BB85C0BDD1DD013D2628BBAEA67DA2A80F124DD7B3C459FD8D348C19E35617
TrID 50.4% (.DLL) foobar 2000 generic component (102066/2/5)
38.6% (.DLL) foobar 2000 Diskwriter output component (78066/2/3)
3.2% (.EXE) Win64 Executable (generic) (6522/11/2)
2.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:ACRStealer dll getauthdash-icu HIjackLoader IDATLoader


Avatar
iamaachum
https://wdnvffur.it.com/ => https://www.mediafire.com/file/tt3m9i9qcuiecbt/D0WNL0AD_SETUP_(PASS_1659).zip/file

ACRStealer C2: getauthdash.icu

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66373/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0b934f9492784948344c1f
Tags:
shellcode injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 evasive expired-cert fingerprint infostealer invalid-signature microsoft_visual_cc overlay packed reconnaissance short-lived-cert signed
Link:
https://www.filescan.io/uploads/6a0b9343c9d535126e01804c/reports/6c815b32-0c16-4cb1-aee3-5dbb4301c307/overview
Verdict:
Malicious
Labled as:
Infostealer/ACRStealer
Link:
https://www.hybrid-analysis.com/sample/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
Verdict:
Clean
File Type:
dll x32
First seen:
2026-05-18T07:34:00Z UTC
Last seen:
2026-05-19T10:13:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1870c834-a15e-4bb4-af93-37ee1394c1f9
Result
Threat name:
ACR Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1915334
Signature
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1915334 Sample: VulcanMessage5.dll Startdate: 19/05/2026 Architecture: WINDOWS Score: 100 31 getauthdash.icu 2->31 33 ggx-tn-connectir.unwittingdork.digital 2->33 35 ggc-tn-connectir.unwittingdork.digital 2->35 41 Suricata IDS alerts for network traffic 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 9 loaddll32.exe 1 2->9         started        signatures3 process4 dnsIp5 37 getauthdash.icu 172.67.214.205, 443, 49691 CLOUDFLARENETUS United States 9->37 39 ggx-tn-connectir.unwittingdork.digital 104.21.96.120, 443, 49694 CLOUDFLARENETUS United States 9->39 49 Found many strings related to Crypto-Wallets (likely being stolen) 9->49 51 Tries to harvest and steal browser information (history, passwords, etc) 9->51 53 Writes to foreign memory regions 9->53 55 6 other signatures 9->55 13 cmd.exe 1 9->13         started        15 rundll32.exe 9->15         started        17 rundll32.exe 9->17         started        19 25 other processes 9->19 signatures6 process7 process8 21 rundll32.exe 13->21         started        23 WerFault.exe 2 15->23         started        25 WerFault.exe 2 17->25         started        27 WerFault.exe 2 19->27         started        process9 29 WerFault.exe 2 21->29         started       
Score:
14%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/886db440049f1ec018b7f8e6dae7f8a0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-18 10:46:55 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rodt76ntd6u3bwog5g5q4wr3b5fjjcthvkwveg4dlc6nazosn3yq._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
11dd3a81d47ffb582db0531b12eee20fe3ded74da792aa3e83488d53e71909b1
ACRStealer
87cad69f724d9a372ba26df845d27df013d8916e9f0d2ee05ec1585553cbe632
ACRStealer
8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
ACRStealer
a39eca46f834e874975e46eeda652906ab3576735fe930cec7e284560c6145ca
ACRStealer
a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e
ACRStealer
b7e18d6227ed641061b9e7a24ddfe3002f4c449b6107a5ff8a3976ef4e20c05a
ACRStealer
e49fbf6640e8c5e9d47731ac1ddc2b7e6711df3b22e851220ec2f6a5ce8d6ecb
ACRStealer
error
ACRStealer
+ 642 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1
MD5 hash:
886db440049f1ec018b7f8e6dae7f8a0
SHA1 hash:
e28aa8c23c96bde501b8df69f70656daee8e3b1f
Link:
https://www.unpac.me/results/85b2331e-aff1-4586-a36d-b73d41929d99/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

zip 894e95162d51b37b895de95c8bffd2c43a09e96d9ecfbc6f2f1de8a8287e7a1f

ACRStealer

DLL dll 8b873ff9b31fa9b0d9c6e9bb0e5a3b0f4a948a67aaad521b8358bcd065d26ef1

(this sample)

  
Link
https://tria.ge/260518-16xzbshs9m/behavioral1
  
Dropped by
SHA256 894e95162d51b37b895de95c8bffd2c43a09e96d9ecfbc6f2f1de8a8287e7a1f
  
Delivery method
Distributed via web download
  
Dropped by
MD5 f773ef00867934e759a7e23bc919fe06
Cape
Cape
https://www.capesandbox.com/analysis/66373/

Comments