MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9379f6ac08af431c1b096e715bee4aedb89e3b2f3dda7bc6fc86659a20126c5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ACRStealer
Vendor detections: 4

SHA256 hash: 9379f6ac08af431c1b096e715bee4aedb89e3b2f3dda7bc6fc86659a20126c5c
SHA3-384 hash: d3b1320bcfd3b130de02bb9cd3923425d25de148bbec6dbd5f43b37555dd2ec92f1579c6c1835758c83b3958da7618f7
SHA1 hash: a46ba939e57e6a4dafa3569d66cef4395c732054
MD5 hash: b477a5dc8f823e32c1ff132d8934f893
humanhash: fix-carbon-item-may
File name: i№st@113R ver.4.8__P@$$ 0072.rar
Signature: ACRStealer
File size: 8'570'834 bytes
First seen: 2025-04-13 15:06:07 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
Note: This file is a password protected archive. The password is: 0072
ssdeep: 98304:BZ6RKg8EAzB6z26C32xOnIVoZba4pKr2QblhWLhJkTTOlHpO1mviWfnosCc0/otp:LoAoxSnIVCO4pKrohOc6m9Ccyo5IMcN8
TLSH: T1568633FEBD7233B78E44412F6AD1319E32E02A30DB7BDB99350B275B11562C584639B1
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: aachum
Tags: ACRStealer AutoIT file-pumped pw-0072 rar


iamaachum
https://chefupdates.rest/ => https://mega.nz/file/3JNhCapL#41m3cjWDoWmZbpBg4FlpiZ0UFJpFXnDynkY8y8zN__c

ACRStealer C2: http://microsoft.com/Up

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: ES
File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name: snapshot_blob.bin
File size: 316'538 bytes
SHA256 hash: 9b3a75a713e41bc73f219858fcac8e3031ba22732285ed3a64dc48074c725cc2
MD5 hash: c8950b01f336b05609976546b1a007e6
MIME type: application/octet-stream
Signature: ACRStealer

File name: libEGL.dll
File size: 493'056 bytes
SHA256 hash: 8649d77ace8e5753b9a10e7ae3349aafa9d8e3406ba9c8c36a59633a84b3c41b
MD5 hash: 39ccf402a62f068a8c573b45ea96154d
MIME type: application/x-dosexec
Signature: ACRStealer

File name: resources.pak
File size: 5'755'390 bytes
SHA256 hash: 268de4d99ab7c4f4ee32c8e8cb2b058a2c8d0d839f468ae8e8c0605feaa736ea
MD5 hash: 6772b597bf68622d934f207570e771b1
MIME type: application/octet-stream
Signature: ACRStealer

File name: ffmpeg.dll
File size: 2'929'152 bytes
SHA256 hash: af5f1bc9f6a73750fa0c7bf17439700cfb3ab23e1393f0c9899825417e319b54
MD5 hash: 5a168cb3ea9d0e7400baabf60f6ab933
MIME type: application/x-dosexec
Signature: ACRStealer

File name: chrome_200_percent.pak
File size: 228'644 bytes
SHA256 hash: 2c1b3e4b8a0cf837ae0a390fca54f45d7d22418e040f1dfea979622383acced6
MD5 hash: dc48a33bd20bfc7cacfc925a84b015b6
MIME type: application/octet-stream
Signature: ACRStealer

File name: Setup.exe
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 734'015'223 bytes
SHA256 hash: f5b8fb4dcd91fec6f354aee6eb402179ff4b55a0f2f2ae36154cb7ddb54b31b3
MD5 hash: ec4e847e7234f9ed2af7ff321882b41e
De-pumped file size: 147'456 bytes (vs. original size of 734'015'223 bytes)
De-pumped SHA256 hash: 964ee138024c5d70380c801eb98b5887a27d3fb14e6a5844f84491a72b9e05b5
De-pumped MD5 hash: 361edacadde8fcc8ade7a6faf6943759
MIME type: application/x-dosexec
Signature: ACRStealer
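How a de-pump works in practice, as an added example (this is not MalwareBazaar's own de-pumping code, which the page does not publish, and the sample it builds is a constructed minimal PE, not the Setup.exe listed above, so its hashes are unrelated to the ones in this entry): parse the PE section table to find where the image's own bytes end, treat everything after that offset as overlay, measure the overlay's entropy, and strip a trailing run of a single filler byte, which is what "file pumping" appends to push an executable past scanner size limits. A genuine overlay (an installer payload or an Authenticode signature) is not a one-byte run and survives the cut, which is the failure mode a naive "truncate the file" approach gets wrong. The 64 KiB filler threshold is an assumption chosen for the example.

```python
import hashlib
import math
import random
import struct
from collections import Counter

# Added example (not MalwareBazaar's de-pump code): locate the end of a PE's
# section data, measure what sits after it (the overlay), and strip a trailing
# run of one filler byte, which is what "file pumping" appends.


def pe_data_end(data: bytes) -> int:
    """Offset where the PE image's own bytes end; anything beyond is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size      # 4-byte signature + 20-byte COFF header
    end = sec_table + 40 * nsections           # section table itself is last if no raw data
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_report(data: bytes) -> dict:
    end = pe_data_end(data)
    overlay = data[end:]
    ent = shannon_entropy(overlay)
    return {
        "data_end": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        # Assumed heuristic: a large, near-zero-entropy overlay is padding, not payload.
        "pumped": len(overlay) >= 64 * 1024 and ent < 0.5,
    }


def depump(data: bytes, min_filler: int = 64 * 1024) -> bytes:
    """Strip a trailing run of a single byte value that lies wholly in the overlay.
    Real overlays (installer payloads, Authenticode signatures) are not one-byte
    runs, so they are kept; a run shorter than min_filler is kept too."""
    end = pe_data_end(data)
    if end >= len(data):
        return data                                    # no overlay at all
    keep = max(len(data.rstrip(data[-1:])), end)       # never cut into section data
    return data if len(data) - keep < min_filler else data[:keep]


def hashes(data: bytes) -> dict:
    return {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}


def build_sample(pump_bytes: int) -> bytes:
    """Constructed minimal PE32 (not the sample from this entry): DOS header,
    COFF header, 0xE0-byte optional header, one .text section of 0x200
    pseudo-random bytes at file offset 0x200, then pump_bytes of 0x00 filler."""
    rng = random.Random(1)
    code = bytes(rng.getrandbits(8) for _ in range(0x200))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                  # PE32 magic
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                      len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))                            # pad to raw offset
    return headers + code + b"\0" * pump_bytes


if __name__ == "__main__":
    pumped = build_sample(1024 * 1024)
    slim = depump(pumped)
    print(overlay_report(pumped))
    for label, blob in (("pumped", pumped), ("de-pumped", slim)):
        print(f"{label}: {len(blob)} bytes sha256={hashes(blob)['sha256']}")
```

Run it as-is to see the pumped and de-pumped sizes and hashes of the constructed sample; to apply it to a real pumped PE, read the file into `data` and call `overlay_report(data)` before `depump(data)` so you can see what is being cut. Hash both forms: the pumped SHA256 is what will appear in telemetry for the file as delivered, the de-pumped SHA256 is the stable identifier for the actual executable, and the two entries above for Setup.exe show exactly that pair.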
Vendor Threat Intelligence

Verdict: Malicious
Score: 97.4%
Tags: autoit emotet

Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer

Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ACRStealer
Sample: rar 9379f6ac08af431c1b096e715bee4aedb89e3b2f3dda7bc6fc86659a20126c5c (this sample)

Delivery method
Distributed via web download

Comments