MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df3d99d225cbe4bcaa60344529c7d07600f3a1b746b62316e09079ba3816aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 75 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8df3d99d225cbe4bcaa60344529c7d07600f3a1b746b62316e09079ba3816aaa
SHA3-384 hash: ee1ab8423802a6a78f8d7b618101218fbd6ef9a305bc331fb1fb9cc21124ff35994fdc728c99cb6774c404b2dc8f1f58
SHA1 hash: eaa8a7e70a367f53f076e57cef2ea742b9e2867a
MD5 hash: b208c2afd307ab308473d1fd94b0f1af
humanhash: pluto-november-alanine-bluebird
File name:SETUP.zip
Download: download sample
File size:50'485'600 bytes
First seen:2026-06-13 13:02:39 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 786432:dHDYDdJpfb0t7J05oOSUQx05oOSUQxxGDkxvnF3zLABLobLeHOScKF+HnsHJAA9V:SdJZbKJrjrhpz6obLeNcHgrCKLmDqCu
TLSH T10CB73329F88539A0E44ED1B808E12DA863F46DB536AF17C82335751BEB67F2C175C632
Magika zip
Reporter aachum
Tags:ACRStealer file-pumped harmful-ferretcilantro-icu zip


Avatar
iamaachum
https://tsdnvtrk.it.com/ => https://www.mediafire.com/file/ys8uevu43648wl7/D0WNL0AD_SETUP_(PASS=1369).zip/file

ACRStealer C2: harmful.ferretcilantro.icu

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
ES ES
File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name:python37.dll
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:405'031'619 bytes
SHA256 hash: 26b76fb59f10c234ad04ef35a97d2e0a2570a0f5a16253ea09c106da19ac7249
MD5 hash: c70324d4d1b6dcbaf0bcfc30f6f000ce
De-pumped file size:10'745'344 bytes (Vs. original size of 405'031'619 bytes)
De-pumped SHA256 hash: 78dfe6524da5cec3940ee11b59797d77e498f7518182665a23b7ee173c4ba21b
De-pumped MD5 hash: c0dbe0f487353bc4deec3ea50f93c7fc
MIME type:application/x-dosexec
File name:docker-machine-driver-vmware.exe
File size:9'091'008 bytes
SHA256 hash: 81b19226a589672c704fd95669c75e19587920cd6de83e1b72c03a2760de9800
MD5 hash: 9bc4fa3b06a0351d3ef3b085cd9b98a5
MIME type:application/x-dosexec
File name:vmappsdk-ja.dll
File size:14'050'752 bytes
SHA256 hash: 2c838ca9427d3d2ba24a005a1d4759c09bd82a6649ee1c78a00af08d93128bc9
MD5 hash: 86fd26289808705dc7f1ebc9d77be18c
MIME type:application/x-dosexec
File name:BvSshClient-942.exe
File size:26'809'512 bytes
SHA256 hash: 016b1918c0f8eb4977276590f7889c2e2129e5dcb69c7cdef9a70640202e7c7e
MD5 hash: 76d569cefeb51080503ffba2921301d9
MIME type:application/x-dosexec
File name:basichttp.dll
File size:47'040 bytes
SHA256 hash: c43740ba2597bf27e6d6dc4063e9bcb3eeb784a4b6d50fb87042f413aeddebe7
MD5 hash: fd89218f0ab1c1aecd05e5b6259f0b9a
MIME type:application/x-dosexec
File name:vcruntime140.dll
File size:83'784 bytes
SHA256 hash: 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
MD5 hash: a2523ea6950e248cbdf18c9ea1a844f6
MIME type:application/x-dosexec
File name:vmui-zh_CN.dll
File size:169'408 bytes
SHA256 hash: 6767289ab3955c0db86b6c69663d52825deff94990006a125a0087333ecc51ec
MD5 hash: dc8f64a4226ceb1f14259525e3d5bd10
MIME type:application/x-dosexec
File name:vctl.exe
File size:28'157'888 bytes
SHA256 hash: 415e2781406da0d342091424f099b2a6d420d030ca4bd17e417745aad708cb04
MD5 hash: 31676c6d20a73ee876f2b8dbdc63afd7
MIME type:application/x-dosexec
File name:vmappsdk-zh_CN.dll
File size:14'048'704 bytes
SHA256 hash: ef68bc634ebd7f8824ed26a7bf8862c714733722f6cb3a69698227c68cd93dd3
MD5 hash: cb7be1c74ebd26a4e417a537c5c80384
MIME type:application/x-dosexec
File name:vmui-ja.dll
File size:170'432 bytes
SHA256 hash: 5765e86df87043dd885f26bfc5e34a202f54ef71d92cb0263ffc41911276671a
MD5 hash: 88f99e567713a4d09e397c0f8ef81b6b
MIME type:application/x-dosexec
File name:Setu.exe
File size:95'896 bytes
SHA256 hash: a8fd08774f4d5693129d46f6f59ce5de6986066f796f1c1a567ae14c59b9ba67
MD5 hash: 00a93e4a08632b496634d66d975cb036
MIME type:application/x-dosexec
File name:vmware.vmsg
File size:615'952 bytes
SHA256 hash: 804939e980ab2e4bc82174c30d576c788b014a310d45b290e79a888f4403f5e0
MD5 hash: 4408114c9bd57ab729bde8a38c370406
MIME type:text/plain
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/ae4ca81b-4b33-43b6-a6bc-313581a00fc6/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2d5569a15110463ee54606
Tags:
infosteal vmdetect
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8df3d99d225cbe4bcaa60344529c7d07600f3a1b746b62316e09079ba3816aaa
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8df3d99d225cbe4bcaa60344529c7d07600f3a1b746b62316e09079ba3816aaa
Gathering data
Threat name:
Binary.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2026-06-13 02:52:15 UTC
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxz5thjcls7exsvgancffhd5a5qa6oq3orvwemlobedzxi4bnkva._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260613-sj77saf12t/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of local email clients
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:ClearWater_Ransomware
Create hunting rule
Author:Arrbat
Description:Detects ClearWater ransomware using a mix of family-specific names, 7-Zip SFX metadata, and anti-recovery indicators
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RemusStealer_GoPayload
Create hunting rule
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:WIN_WebSocket_Base64_C2_20250726
Create hunting rule
Author:dogsafetyforeverone
Description:Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 8df3d99d225cbe4bcaa60344529c7d07600f3a1b746b62316e09079ba3816aaa

(this sample)

DLL dll 78dfe6524da5cec3940ee11b59797d77e498f7518182665a23b7ee173c4ba21b

  
Link
https://tria.ge/260613-prennafw2x/behavioral1
  
Delivery method
Distributed via web download
  
Dropping
SHA256 78dfe6524da5cec3940ee11b59797d77e498f7518182665a23b7ee173c4ba21b
  
Dropping
MD5 c0dbe0f487353bc4deec3ea50f93c7fc

Comments