MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf
SHA3-384 hash: 0944eed6d5c104e9078621ec6da2854360d8cc4861b05aba164206e71a05077ccb13357d7ccc072505ff7e46dab0104d
SHA1 hash: 00e044aaaeaed930d65de0acd48bd70d5e37a790
MD5 hash: 78cb669c60979d9bd85970a9b2c9eac6
humanhash: twenty-zulu-colorado-yankee
File name:beb.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:2'027'520 bytes
First seen:2026-06-02 15:40:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (103 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 49152:wj3TVq6wGwy19G+rZrnVsmVraeXsBoXPSwCno:ggGwoGgZrnVsmxRcBoX6wN
TLSH T1A1952392AAA41557F8BA03F1D4BB014617B17CAD9B6403BF258DF2640EB33D24937B4E
TrID 39.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
21.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.3% (.EXE) Win64 Executable (generic) (6522/11/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 72b17171f9b03234 (1 x ACRStealer)
Reporter abuse_ch
Tags:ACRStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/e6d8b54f-db44-401c-bfed-c9d941a27770/
Malware family:
n/a
ID:
1
File name:
beb.exe
Verdict:
Malicious activity
Analysis date:
2026-06-02 15:44:05 UTC
Tags:
generic autoit clickfix stealer
Link:
https://app.any.run/tasks/6e77f108-fb8e-4bf6-8599-afd25f4c3e56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68822/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.18834.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a1ef97757b7bf261d60534f
Tags:
phishing autoit emotet spoof
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
DNS request
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit CAB explorer fingerprint installer installer installer-heuristic keylogger lolbin microsoft_visual_cc packed reconnaissance rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/6a1ef970099ef368af171ca4/reports/d80d8b6c-806e-49a5-94b3-792069e55d8b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-01T23:18:00Z UTC
Last seen:
2026-06-03T04:26:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Agent.myxglf Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/90cbbd39-20b2-43b5-8b61-0c4e18fadc1b
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1921769
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1921769 Sample: beb.exe Startdate: 02/06/2026 Architecture: WINDOWS Score: 100 29 dust.packetflow.cc 2->29 31 vdsina.vg 2->31 33 jZHZLNetytZqOpshaVVIc.jZHZLNetytZqOpshaVVIc 2->33 41 Suricata IDS alerts for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 2 other signatures 2->47 9 beb.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\AutoIt3.exe, PE32 9->27 dropped 14 AutoIt3.exe 1 9->14         started        process6 dnsIp7 35 dust.packetflow.cc 172.67.203.73, 443, 49688, 49704 CLOUDFLARENET-CloudflareIncUS Canada 14->35 37 vdsina.vg 104.248.198.130, 443, 49703 DIGITALOCEAN-ASN-DigitalOceanLLCUS Netherlands 14->37 49 Suspicious powershell command line found 14->49 51 Found many strings related to Crypto-Wallets (likely being stolen) 14->51 53 Tries to harvest and steal browser information (history, passwords, etc) 14->53 55 8 other signatures 14->55 18 powershell.exe 15 14->18         started        21 chrome.exe 14->21         started        signatures8 process9 signatures10 39 Found suspicious powershell code related to unpacking or dynamic code loading 18->39 23 conhost.exe 18->23         started        25 chrome.exe 21->25         started        process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf/
Verdict:
Malicious
Threat:
Backdoor.Win32.UDP
Link:
https://tip.neiki.dev/file/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-02 04:10:50 UTC
File Type:
PE+ (Exe)
Extracted files:
44
AV detection:
11 of 36 (30.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=voe5budonkxgxlx2lcwlg2zmvorl3vacxgwwthxeaiw53mmdc7hq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260602-s4xxjshs9t/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf
MD5 hash:
78cb669c60979d9bd85970a9b2c9eac6
SHA1 hash:
00e044aaaeaed930d65de0acd48bd70d5e37a790
Link:
https://www.unpac.me/results/ee1bd6a3-3524-42a9-aab2-e5641c0f19af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe ab89d0d06e6aae6baefa58acb36b2caba2bdd402b9ad699ee4022dddb18317cf

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68822/
  
URLhaus
https://urlhaus.abuse.ch/url/3855091/
  
Delivery method
Distributed via web download

Comments