MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EternalRocks


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
SHA3-384 hash: efd7e713772ac7d5b4b111d67e8eb2e4e9f074ca6a39df9755b51b12f15a8b2d2b4dc991cf00da29a61e487d9cc91d0e
SHA1 hash: 5504d36449910615ff096fca21e16b79c2221e7c
MD5 hash: 5e0463e90e1b2925662d69b79dd704a5
humanhash: quiet-floor-oven-angel
File name:CrashRpt1403.dll
Download: download sample
Signature EternalRocks
Create hunting rule
File size:9'682'944 bytes
First seen:2025-12-10 20:13:37 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 196608:i7ujFHwSGAOZRCQL+pKity5qG25/dbUkya2a23Db2DQ6r:DwSGAFQL+pT3l422a63l
Threatray 5 similar samples on MalwareBazaar
TLSH T1AFA67C10A4C86607FD7ADFBC999E72500F7AB5952901BB398F4149DD2ED2B98C8039F3
TrID 88.1% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10522/11/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter aachum
Tags:78-40-193-126 ACRStealer dll dropped-by-RenPyLoader EternalRocks


Avatar
iamaachum
https://file506703.host23y.cfd/ => https://www.mediafire.com/file/hpp2sl1cbryaeq6/Free+Download+Files.zip/file

ACRStealer C2: 78.40.193.126

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44225/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939d49bbde6a3e59710001d
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated packed
Link:
https://www.filescan.io/uploads/6939d4961eac7b9b76a484b8/reports/c265e259-c238-4194-978c-5fd6cd996ded/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
Verdict:
Clean
File Type:
executable.pe.32.dll
First seen:
2025-12-10T10:09:00Z UTC
Last seen:
2025-12-12T13:47:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f468419e-909e-47af-a6ad-8534e22878e1
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830557
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1830557 Sample: CrashRpt1403.dll Startdate: 10/12/2025 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for submitted file 2->76 78 Sigma detected: Powershell Download and Execute IEX 2->78 80 Yara detected Powershell download and execute 2->80 82 7 other signatures 2->82 9 loaddll32.exe 1 2->9         started        process3 process4 11 rundll32.exe 3 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 23 other processes 9->18 signatures5 104 Writes to foreign memory regions 11->104 106 Allocates memory in foreign processes 11->106 108 Injects a PE file into a foreign processes 11->108 20 InstallUtil.exe 11->20         started        24 InstallUtil.exe 14->24         started        26 InstallUtil.exe 14->26         started        28 rundll32.exe 2 16->28         started        30 InstallUtil.exe 18->30         started        process6 dnsIp7 60 78.40.193.126 BBNED-AS1NL Netherlands 20->60 84 Bypasses PowerShell execution policy 20->84 86 Contains functionality to inject code into remote processes 20->86 88 Writes to foreign memory regions 20->88 102 2 other signatures 20->102 32 powershell.exe 20->32         started        36 chrome.exe 20->36         started        38 chrome.exe 20->38         started        46 5 other processes 20->46 90 Tries to harvest and steal browser information (history, passwords, etc) 24->90 92 Modifies the context of a thread in another process (thread injection) 24->92 94 Tries to steal Crypto Currency Wallets 24->94 96 Found direct / indirect Syscall (likely to bypass EDR) 24->96 98 Allocates memory in foreign processes 28->98 100 Injects a PE file into a foreign processes 28->100 40 InstallUtil.exe 28->40         started        42 chrome.exe 30->42         started        44 chrome.exe 30->44         started        signatures8 process9 dnsIp10 58 62.60.135.5 DDOSING-BGP-NETWORKUS Iran (ISLAMIC Republic Of) 32->58 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->62 64 Found suspicious powershell code related to unpacking or dynamic code loading 32->64 66 Loading BitLocker PowerShell Module 32->66 48 conhost.exe 32->48         started        68 Writes to foreign memory regions 40->68 70 Allocates memory in foreign processes 40->70 72 Modifies the context of a thread in another process (thread injection) 40->72 74 Tries to steal Crypto Currency Wallets 40->74 50 chrome.exe 40->50         started        52 chrome.exe 40->52         started        54 msedge.exe 40->54         started        56 4 other processes 40->56 signatures11 process12
Score:
52%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.53 Win 32 Exe x86
Link:
https://app.malva.re/file/5e0463e90e1b2925662d69b79dd704a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc/
Verdict:
Malicious
Threat:
VHO:Trojan.Win32.Sdum
Link:
https://tip.neiki.dev/file/ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 20:14:16 UTC
File Type:
PE (.Net Dll)
Extracted files:
3
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrcstyich3zvt2vc4i6fusjh5obcv7sljzzimdstosfi4a6qbh6a._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
5f43b0ad8cdf49434c552629330efc2e02e9f10444200cec44cc81b061e25398
EternalRocks
659c31a6b26b23e18ea9d81e986f91ab3dd489e149d7dc8bc11b6364d1412a23
EternalRocks
ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
EternalRocks
b126af50b8713b37e4c1c6c0ee88aa5eba5f0047f10f9ee1f351385f26e6629f
EternalRocks
dd86a3e996b53b952e35477b7980929b1c43c42efec0eadc618115a22ffb86dc
EternalRocks
error
EternalRocks
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/251210-yz29cs1nar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unpacked files
SH256 hash:
ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
MD5 hash:
5e0463e90e1b2925662d69b79dd704a5
SHA1 hash:
5504d36449910615ff096fca21e16b79c2221e7c
Link:
https://www.unpac.me/results/d617ce00-99b4-4aa2-a18c-efd0ce347f30/
SH256 hash:
c0bd3d7c1eeae3b7fc76861271d18e2d35ba95dc46f25d3dd2b673a41ed6db43
MD5 hash:
fc5cd1f7cfee8cafafc87a899c24e776
SHA1 hash:
146a5fc23668b2ce8f34b7a0d91e1059bc5fd5d2
Detections:
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/d617ce00-99b4-4aa2-a18c-efd0ce347f30/
SH256 hash:
2209931809a1a9f2158f3408da77b7cb55cef92ffd69090c6d125db42e4e7022
MD5 hash:
c3d3c8ebd7c4fb5250564e54a85e6f2d
SHA1 hash:
a21e25bc9c9b2b1d31bc2ccfc9ac50dc98309922
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d617ce00-99b4-4aa2-a18c-efd0ce347f30/
Parent samples :
b126af50b8713b37e4c1c6c0ee88aa5eba5f0047f10f9ee1f351385f26e6629f
5f43b0ad8cdf49434c552629330efc2e02e9f10444200cec44cc81b061e25398
659c31a6b26b23e18ea9d81e986f91ab3dd489e149d7dc8bc11b6364d1412a23
dd86a3e996b53b952e35477b7980929b1c43c42efec0eadc618115a22ffb86dc
edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc
8ea57e02b096d8f2b8c23234ba29dba7fcd61ea4388b89234084252d59d14c26
04ced453d7e0681c6da073ddc5172c8976885af3afd3be8abb46008ea0a08dbf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EternalRocks

zip 602194d715d24147d57cd58cdbd6e7fafce9ca198398f7c2e2e22f3a00216763

EternalRocks

DLL dll edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e

EternalRocks

DLL dll ac4529e1023ef359eaa2e23c5a4927eb822afe4b4e72860e53748a8e03d009fc

(this sample)

  
Link
https://tria.ge/251210-ypa25a1mcr/behavioral1
  
Dropped by
SHA256 edb7270ef47a630256e963b7b490fc2802ebb6fe99ac5a017d35300e107c331e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44225/
  
Dropped by
MD5 be1a38232acbb1f5294d2d72f45a79a2

Comments