MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12
SHA3-384 hash: 52d196d8ee37bc419d411055b23f55328973f767ad4ed8789eb74a2e8171859b08e510fb6060aaa51bbc02675b21c802
SHA1 hash: 89933117f8a5c40aa0df1322bb7f97d55a19c1a8
MD5 hash: 7ded862eb533e09fd10108d455a407cb
humanhash: blossom-lion-pennsylvania-florida
File name:verification.google
Download: download sample
Signature ACRStealer
Create hunting rule
File size:1'716'736 bytes
First seen:2026-03-20 07:53:14 UTC
Last seen:2026-03-20 08:44:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash beffb241b5640e4cf84d9bdbb1fbfc51 (1 x ACRStealer)
ssdeep 12288:kjmKF+kEhnbsuGm7Cr6LlAkSgkrDfPe4mmnPP9ZGXcCjS5xuZfxxAkTXEQ/fXyQC:kjnr8DloJvfPtA4+Hs1
Threatray 33 similar samples on MalwareBazaar
TLSH T1D785091B40DA5CD7F321027B662735067F2B84C73A66ECE5B4DD119F2BF272A42678A0
TrID 38.2% (.EXE) Win64 Executable (generic) (6522/11/2)
26.4% (.EXE) Win32 Executable (generic) (4504/4/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.7% (.EXE) Generic Win/DOS Executable (2002/3)
11.7% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:ACRStealer dll Google verification-google

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Gathering data
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.55938675.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bcec3888c80c01586c4c2e
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context amatera soft-404
Link:
https://www.filescan.io/uploads/69bcfd242000fc76c3f03159/reports/1a3215ef-5457-4f73-b1a0-201cec536496/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12
Verdict:
Malicious
File Type:
dll x32
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a6e89d09-54b5-4b48-830e-b5b8ad9c7e77
Result
Threat name:
Amatera Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1886744
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amatera Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1886744 Sample: verification.google.dll Startdate: 20/03/2026 Architecture: WINDOWS Score: 96 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Amatera Stealer 2->63 65 Joe Sandbox ML detected suspicious sample 2->65 8 loaddll32.exe 1 2->8         started        process3 signatures4 67 Found many strings related to Crypto-Wallets (likely being stolen) 8->67 69 Tries to steal Crypto Currency Wallets 8->69 71 Unusual module load detection (module proxying) 8->71 11 rundll32.exe 8->11         started        14 rundll32.exe 1 8->14         started        17 rundll32.exe 1 8->17         started        19 21 other processes 8->19 process5 dnsIp6 73 System process connects to network (likely due to code injection or exploit) 11->73 75 Tries to harvest and steal browser information (history, passwords, etc) 11->75 77 Writes to foreign memory regions 11->77 21 powershell.exe 11->21         started        23 chrome.exe 11->23         started        59 104.21.46.118 CLOUDFLARENETUS United States 14->59 79 Allocates memory in foreign processes 14->79 81 Tries to steal Crypto Currency Wallets 14->81 83 Creates a thread in another existing process (thread injection) 14->83 25 powershell.exe 14->25         started        27 chrome.exe 14->27         started        37 2 other processes 17->37 29 rundll32.exe 1 19->29         started        32 powershell.exe 19->32         started        35 powershell.exe 19->35         started        39 19 other processes 19->39 signatures7 process8 dnsIp9 41 conhost.exe 21->41         started        43 conhost.exe 25->43         started        85 Writes to foreign memory regions 29->85 87 Allocates memory in foreign processes 29->87 89 Tries to steal Crypto Currency Wallets 29->89 91 Creates a thread in another existing process (thread injection) 29->91 45 chrome.exe 29->45         started        57 172.67.203.128 CLOUDFLARENETUS United States 32->57 47 conhost.exe 32->47         started        49 conhost.exe 35->49         started        51 conhost.exe 39->51         started        53 conhost.exe 39->53         started        55 conhost.exe 39->55         started        signatures10 process11
Score:
30%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2026-03-20 06:42:10 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdq35ohpummrloydshuxte7wuz3u73nip4nwdvt7tu6ixnrqrmja._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
08bbca1e793987092b0fee110128e2c380a85bfa736263d4a29dd7f858383158
ACRStealer
0c7b5f5ebd66465ca682b496f7937bd056c04ec7d156e78dde012ef8541ef4b4
ACRStealer
315e1aa6b6aae26f189bddc5ba32baab8509c9d204d282c3f1b49d284b225aa7
ACRStealer
5c81dcd6c3824436c1997ed858bf562e5d97584d14a88269f1553d211cdd9e15
ACRStealer
8ac1c5ccafeaac4bcd19d9ca5f182980e00cd6c5fba048990e21c5fd6623c820
ACRStealer
c69284960d9e928c6d051c3787e28d620963201873b59ec2637331640cd0677e
ACRStealer
dd9d5a825771588aa9173933dba188bb40815188774e72381f20c0590fc01d81
ACRStealer
e9fbb7b8229e0d887460503b0e1c20a9c190bffe7d69e4d2337aaa6d92503f47
ACRStealer
ebb03085c9091d87e29f79ffc36f35277aaf46ec4356abf29c3bc93e87e8cd82
ACRStealer
error
ACRStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/260320-jq4nhaby91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Unpacked files
SH256 hash:
b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12
MD5 hash:
7ded862eb533e09fd10108d455a407cb
SHA1 hash:
89933117f8a5c40aa0df1322bb7f97d55a19c1a8
Link:
https://www.unpac.me/results/9550c7ce-57ca-472f-9940-836d93a882ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

DLL dll b0e1beb8efa31915bb0391e97993f6a6774feda87f1b61d67f9d3c8bb6308b12

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3800401/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3800410/
  
URLhaus
https://urlhaus.abuse.ch/url/3800416/
  
URLhaus
https://urlhaus.abuse.ch/url/3800417/
  
URLhaus
https://urlhaus.abuse.ch/url/3800422/
  
URLhaus
https://urlhaus.abuse.ch/url/3800096/
  
URLhaus
https://urlhaus.abuse.ch/url/3800101/
  
URLhaus
https://urlhaus.abuse.ch/url/3800425/
Cape
Cape
https://www.capesandbox.com/analysis/58296/

Comments