MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3810ca5f17d8f617252b5460eafbed27e85722e794e394b2fbcb760ecf3d2a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments

SHA256 hash: b3810ca5f17d8f617252b5460eafbed27e85722e794e394b2fbcb760ecf3d2a3
SHA3-384 hash: efefcd133c339570a73a4a83dcffc8e94dc2ed1b006f27a8734db1129694eff66974b1464bff71c8d4bd112ff75b2b00
SHA1 hash: 670e724ab0e1b075c448a8dbdd9f23e12dbf3157
MD5 hash: cd333de0a879c14647425c3af91ff26a
humanhash: wolfram-california-twelve-colorado
File name:crepectl.exe
Download: download sample
Signature ACRStealer
File size:3'423'016 bytes
First seen:2026-04-24 22:08:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 949702a4ec364bbd58c950ed402fca0e (1 x ACRStealer)
ssdeep 49152:MNRKzVtSdZhe7i5PXGzHqTVMkF1pbPh86h2CNWsdKzkmDayfP5mDzw4EZCUNjWc:oyVtyZh6i5ezLk9a+2rsQxmgJ
TLSH T1BDF5CF21FB828162D9EE017821AA9B7A4E3DAD748738C1C3DBD13DAD88305D2773E755
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 286069d8d8962208 (1 x ACRStealer)
Reporter aachum
Tags:ACRStealer dropped-by-RenPyLoader exe motivate-starkmond-cfd


Avatar
iamaachum
https://vbhgrhdu.it.com/ => https://www.mediafire.com/file/e54c094o1uhakwg/D0WNL0AD_SETUP_FILE_(KEY_1121).zip/file

ACRStealer C2: motivate.starkmond.cfd

Intelligence


File Origin
# of uploads :
1
# of downloads :
137
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
crepectl.exe
Verdict:
Malicious activity
Analysis date:
2026-04-24 21:58:59 UTC
Tags:
stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
injection dropper smtp
Result
Verdict:
Clean
Maliciousness:

Behaviour
Adding an access-denied ACE
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-24T17:55:00Z UTC
Last seen:
2026-04-26T17:26:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Shelma.chuc BSS:Trojan.Win32.Generic Trojan.Win32.Shelma.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected unpacking (changes PE section rights)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-04-24 21:19:44 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
unc_loader_053
Similar samples:
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b3810ca5f17d8f617252b5460eafbed27e85722e794e394b2fbcb760ecf3d2a3
MD5 hash:
cd333de0a879c14647425c3af91ff26a
SHA1 hash:
670e724ab0e1b075c448a8dbdd9f23e12dbf3157
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe b3810ca5f17d8f617252b5460eafbed27e85722e794e394b2fbcb760ecf3d2a3

(this sample)

Comments