MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
SHA3-384 hash: b0d26b56d58200d39e4da83dd582895270d66429346a7088761425443617fa6c039f5598d7e653c4f41db7af89318565
SHA1 hash: 764f8e234ed690af047b85ed009f7e44ba45e17f
MD5 hash: 942905b4eefb23719a0ec3269a6e0e90
humanhash: arkansas-jupiter-double-timing
File name:verification.google
Download: download sample
Signature ACRStealer
Create hunting rule
File size:786'944 bytes
First seen:2026-03-12 14:07:00 UTC
Last seen:2026-03-12 14:24:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6d4a82647d89b817681751d0b48f39c9 (1 x ACRStealer)
ssdeep 12288:omwu3CpQwYFAMAZREFdZUvi6lnRKi0XM4azT9WWEasK1n4:nwu3Cp0KMQunyi6l0FSvTsK1n4
Threatray 58 similar samples on MalwareBazaar
TLSH T117F48D53AA8705F1F66B0A34009AF65F4B2DD5981F20CAF78B54AD97AA333D03474EC6
TrID 38.2% (.EXE) Win64 Executable (generic) (6522/11/2)
26.4% (.EXE) Win32 Executable (generic) (4504/4/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.7% (.EXE) Generic Win/DOS Executable (2002/3)
11.7% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter jitesh
Tags:ACRStealer dll dropper

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
IN IN
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57210/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.38376254.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b2c8a65a439615ccbfb733
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto packed
Link:
https://www.filescan.io/uploads/69b2c89e2000fc76c3d680c2/reports/f7aebd1b-dc41-495b-916d-714f22ca37e6/overview
Verdict:
Suspicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
Verdict:
Clean
File Type:
dll x32
Link:
https://opentip.kaspersky.com/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8db8b3d7-08aa-4c85-86e8-9a05c1844e11
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
Threat name:
Win32.Infostealer.Babar
Create hunting rule
Status:
Malicious
First seen:
2026-03-12 14:07:29 UTC
File Type:
PE (Dll)
Extracted files:
13
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udczqctubadiiqbq3u4vv7xmwibzvv544kt62322xs6m4yi2t6ia._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
430b69b2268bb1f2f0821c8cf65d648917e1d13fd5c6f945b5830534e1d0e559
ACRStealer
a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
ACRStealer
a39eca46f834e874975e46eeda652906ab3576735fe930cec7e284560c6145ca
ACRStealer
c4627fbcce87136d2ec6fdb876b8c4496d7f25411d2c24860ba1ec0f8f39e916
ACRStealer
dd9d5a825771588aa9173933dba188bb40815188774e72381f20c0590fc01d81
ACRStealer
e691dcafd1d329091197791751faf5a54ea531b2314ce60ed962bf82839d3426
ACRStealer
e9fbb7b8229e0d887460503b0e1c20a9c190bffe7d69e4d2337aaa6d92503f47
ACRStealer
error
ACRStealer
+ 48 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260312-re6mqahw2k/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Unpacked files
SH256 hash:
a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90
MD5 hash:
942905b4eefb23719a0ec3269a6e0e90
SHA1 hash:
764f8e234ed690af047b85ed009f7e44ba45e17f
Link:
https://www.unpac.me/results/403071cf-139a-4a81-9b83-755a4f78dcc1/
SH256 hash:
c71ff7ae97f33cd9350623c5589c76a7cafed3ed5ccda9b814ce340efac57d48
MD5 hash:
84b0b7b1bae713ab4cd9d803521f16e1
SHA1 hash:
d55789dc309b7fa1becc73561ef38bd988f9d5e8
Link:
https://www.unpac.me/results/403071cf-139a-4a81-9b83-755a4f78dcc1/
SH256 hash:
ce4c69211d7ff8e7f98f077a32dfeca4e2e9778e825de981f3416733b2c19041
MD5 hash:
b5c35bce3abc033baa9c3ae25754e5c1
SHA1 hash:
8d4bb7594ab9577ec7379364d99100e97065cd1e
Link:
https://www.unpac.me/results/403071cf-139a-4a81-9b83-755a4f78dcc1/
SH256 hash:
d591432b380f169fa1fe5e6d872c54daae5d0a66962557a2ab516fb7c1c7aa7d
MD5 hash:
345393708f656b640bd797da14f67014
SHA1 hash:
dface5202de476a17e334ef784e15221d07fc425
Link:
https://www.unpac.me/results/403071cf-139a-4a81-9b83-755a4f78dcc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

DLL dll a0c5980a740806844030dd395afeecb2039ad7bce2a7ed6f5abcbcce611a9f90

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3794567/
  
URLhaus
https://urlhaus.abuse.ch/url/3794569/
  
URLhaus
https://urlhaus.abuse.ch/url/3794576/
  
URLhaus
https://urlhaus.abuse.ch/url/3794580/
  
URLhaus
https://urlhaus.abuse.ch/url/3794582/
  
URLhaus
https://urlhaus.abuse.ch/url/3794584/
  
URLhaus
https://urlhaus.abuse.ch/url/3794585/
  
URLhaus
https://urlhaus.abuse.ch/url/3794586/
  
URLhaus
https://urlhaus.abuse.ch/url/3794590/
  
URLhaus
https://urlhaus.abuse.ch/url/3794592/
  
URLhaus
https://urlhaus.abuse.ch/url/3794594/
  
URLhaus
https://urlhaus.abuse.ch/url/3794596/
Cape
Cape
https://www.capesandbox.com/analysis/57210/
  
URLhaus
https://urlhaus.abuse.ch/url/3794605/
  
URLhaus
https://urlhaus.abuse.ch/url/3794606/
  
URLhaus
https://urlhaus.abuse.ch/url/3794612/
  
URLhaus
https://urlhaus.abuse.ch/url/3794617/
  
URLhaus
https://urlhaus.abuse.ch/url/3794619/
  
URLhaus
https://urlhaus.abuse.ch/url/3794622/
  
URLhaus
https://urlhaus.abuse.ch/url/3794627/
  
URLhaus
https://urlhaus.abuse.ch/url/3794633/
  
URLhaus
https://urlhaus.abuse.ch/url/3794637/
  
URLhaus
https://urlhaus.abuse.ch/url/3794638/
  
URLhaus
https://urlhaus.abuse.ch/url/3794642/
  
URLhaus
https://urlhaus.abuse.ch/url/3794649/
  
URLhaus
https://urlhaus.abuse.ch/url/3794660/
  
URLhaus
https://urlhaus.abuse.ch/url/3794662/
  
URLhaus
https://urlhaus.abuse.ch/url/3794666/

Comments