MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
SHA3-384 hash: 398a3b9221f544e85200e087b799985db7f942868f89eab0d3332622d9e3cf492a7f9bd8f6b7384b78d4acd230a74128
SHA1 hash: 69fd2bc250c4b7516c14347cdebce13bcf5a32b3
MD5 hash: c6b292b003d55618c54690c07faf18ae
humanhash: kentucky-neptune-early-whiskey
File name:Win_Driver_SSL_support_v43.22.209.44.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:8'084'528 bytes
First seen:2026-03-06 10:53:50 UTC
Last seen:2026-03-06 11:40:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c36661b1430f713b4102b6bf8db4ef15 (1 x ACRStealer)
ssdeep 98304:93JaWsfunVs5DMxxanw0HizxpB51ppx0txc3ej0SIRs:93J3O0KMxmfcLSIRs
Threatray 3 similar samples on MalwareBazaar
TLSH T158864C3137A6C53AF56116F12D3DEA6F002DBD660B74A4CB92884D1E99B46C34E36F23
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:ACRStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
https://wormhole.app/D1MdWQ#q5b73AD4dleijR--RR0iXg
Verdict:
Malicious activity
Analysis date:
2026-03-05 16:28:22 UTC
Tags:
websocket evasion stealer telegram xmrig miner pastebin winring0-sys vuln-driver loader arch-exec
Link:
https://app.any.run/tasks/26dad061-563a-43d7-b03b-1ca6f41d5d0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55778/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Shelma.chpp.3878.24229.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69aa2000002d37d5c984428d
Tags:
injection obfusc crypt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 crypto embarcadero_delphi explorer fingerprint invalid-signature lolbin packed signed
Link:
https://www.filescan.io/uploads/69aab25797feb4afd66f7fe6/reports/dc31f995-6f10-4e1b-b065-050a42d0a516/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Shelma.chpp Trojan-PSW.Win32.Amatera.sb Trojan.Win32.Shelma.sb
Link:
https://opentip.kaspersky.com/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1e18fc32-6aca-4bcc-adc6-57c2af2a4dcf
Result
Threat name:
ACR Stealer, Amatera Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1879473
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected Amatera Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1879473 Sample: Win_Driver_SSL_support_v43.... Startdate: 06/03/2026 Architecture: WINDOWS Score: 100 22 registry.npmjs.org 2->22 24 pypi.org 2->24 26 5 other IPs or domains 2->26 36 Suricata IDS alerts for network traffic 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 8 Win_Driver_SSL_support_v43.22.209.44.exe 1 2->8         started        12 elevation_service.exe 2->12         started        signatures3 process4 dnsIp5 28 77.91.96.203, 443, 49725, 49728 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->28 44 Found many strings related to Crypto-Wallets (likely being stolen) 8->44 46 Tries to harvest and steal browser information (history, passwords, etc) 8->46 48 Writes to foreign memory regions 8->48 50 8 other signatures 8->50 14 powershell.exe 14 16 8->14         started        18 chrome.exe 8->18         started        signatures6 process7 dnsIp8 30 91.219.23.145, 49739, 80 POWERNETRU Russian Federation 14->30 32 api.github.com 140.82.114.6, 443, 49744, 49745 GITHUBUS United States 14->32 34 5 other IPs or domains 14->34 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->52 54 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 14->54 56 Found suspicious powershell code related to unpacking or dynamic code loading 14->56 58 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 14->58 20 conhost.exe 14->20         started        signatures9 process10
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/c6b292b003d55618c54690c07faf18ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc/
Verdict:
Malicious
Threat:
Trojan.Win32.Shelma
Link:
https://tip.neiki.dev/file/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-05 16:18:03 UTC
File Type:
PE (Exe)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmktwp62rek3yhr54olj7n6sgqkiq3o2byh3nkurlsvkag7doc6a._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
ACRStealer
9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
ACRStealer
error
ACRStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/260306-mzm9naey7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc
MD5 hash:
c6b292b003d55618c54690c07faf18ae
SHA1 hash:
69fd2bc250c4b7516c14347cdebce13bcf5a32b3
Link:
https://www.unpac.me/results/38343873-15f4-4c94-8639-825c03db7718/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b153b3fda89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe 9b153b3fda8915bc1e3de3969fb7d23414886dda0e0fb6aa915caaa01be370bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3789365/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55778/

Comments