MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71
SHA3-384 hash: 7d24a8d608bd71cb4b8c87398209ade92ccfb992b1bc9dd6d35e8a5db78bfbb350bd81c6b3f0ddae0415bd08e8fe20ea
SHA1 hash: c0a6e0431bce3094b30749a4daa377e84a8131a7
MD5 hash: 45c233da703dc586b4d5e1303835754a
humanhash: nine-ten-king-east
File name:SETUP.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:7'130'195 bytes
First seen:2025-07-16 12:03:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ac0df3cb49d714c81e70b5b92c304f2 (3 x HijackLoader, 1 x ACRStealer, 1 x DeerStealer)
ssdeep 98304:siCcRHNbPYcpEJOjOmjKi+czBNDInTOQhA3hsX7tPhSpYTOu9Qj4shcbiCcB:siZbFcOai+cbk2hsxP0pYTOu9qhqij
Threatray 31 similar samples on MalwareBazaar
TLSH T18476D0137690903EE5AA02718C6FAE6485A57D738A314257F7A0FF1D2DF05C2B623B1B
TrID 88.5% (.AX) DirectShow filter (201555/2/20)
4.6% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 5b3931b29cd1631d (9 x LummaStealer, 3 x RemcosRAT, 2 x RedLineStealer)
Reporter aachum
Tags:178-130-47-243 ACRStealer AmateraStealer exe HIjackLoader IDATLoader


Avatar
iamaachum
https://defnprtfre.cfd/?uid=296&sid=298&lp=BKbNneR3st => https://mega.nz/file/6V9VUKJD#InVHlXmocH8A537ZuHKtvPvcYaWvCQ2YpYS2czlMxRI

ACR/Amatera C2: 178.130.47.243

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SETUP.exe
Verdict:
No threats detected
Analysis date:
2025-07-16 12:05:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15d0f741-d518-4da3-b4f2-dc51eb1ea962

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14833/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6877954f84b37dd61eef05cc
Tags:
injection vmdetect dropper packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Moving a file to the %temp% subdirectory
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm expired-cert explorer fingerprint installer invalid-signature lolbin microsoft_visual_cc msiexec overlay overlay runonce signed
Link:
https://www.filescan.io/uploads/6877954e7bc45bdee1ae5111/reports/38102dd3-5ea8-4e0b-8420-8daa33c49a5a/overview
Verdict:
Suspicious
Labled as:
Malware_48.7
Link:
https://www.hybrid-analysis.com/sample/c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c9228000-5473-4dc2-9c12-6241050a7dae
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1738021
Signature
Allocates memory in foreign processes
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Queries Google from non browser process on port 80
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1738021 Sample: SETUP.exe Startdate: 16/07/2025 Architecture: WINDOWS Score: 100 122 x.ss2.us 2->122 124 windowsupdateorg.live 2->124 126 4 other IPs or domains 2->126 144 Found malware configuration 2->144 146 Yara detected HijackLoader 2->146 148 PE file has a writeable .text section 2->148 150 Joe Sandbox ML detected suspicious sample 2->150 13 SETUP.exe 29 2->13         started        17 SharkBrowser.exe 2->17         started        19 SharkBrowser.exe 2->19         started        signatures3 process4 file5 104 C:\Users\user\AppData\Local\...\setup.exe, PE32 13->104 dropped 106 C:\Users\user\AppData\Local\...\setup.exe, PE32 13->106 dropped 108 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 13->108 dropped 166 Tries to detect sandboxes / dynamic malware analysis system (Installed program check) 13->166 21 setup.exe 56 13->21         started        168 Multi AV Scanner detection for dropped file 17->168 signatures6 process7 file8 90 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 21->90 dropped 92 C:\Users\user\AppData\...\python38.dll (copy), PE32 21->92 dropped 94 C:\Users\user\AppData\Local\...\pytC8E3.tmp, PE32 21->94 dropped 96 14 other malicious files 21->96 dropped 24 Stream_Tech.exe 6 21->24         started        28 svchost.exe 38 21->28         started        30 ISBEW64.exe 21->30         started        32 5 other processes 21->32 process9 file10 98 C:\ProgramData\forjask\python38.dll, PE32 24->98 dropped 100 C:\ProgramData\forjask\VCRUNTIME140.dll, PE32 24->100 dropped 102 C:\ProgramData\forjask\Stream_Tech.exe, PE32 24->102 dropped 162 Switches to a custom stack to bypass stack traces 24->162 164 Found direct / indirect Syscall (likely to bypass EDR) 24->164 34 Stream_Tech.exe 3 24->34         started        38 WerFault.exe 2 28->38         started        40 WerFault.exe 28->40         started        42 WerFault.exe 28->42         started        44 3 other processes 28->44 signatures11 process12 file13 84 C:\Users\user\AppData\Local\...\A3BF05E.tmp, PE32 34->84 dropped 152 Drops PE files to the user root directory 34->152 154 Found hidden mapped module (file has been removed from disk) 34->154 156 Switches to a custom stack to bypass stack traces 34->156 158 2 other signatures 34->158 46 Stream_Tech.exe 2 34->46         started        signatures14 process15 dnsIp16 134 178.130.47.243, 443, 49722, 49723 SUMTEL-AS-RIPEMoscowRussiaRU Russian Federation 46->134 118 C:\Users\user\ks.exe, PE32 46->118 dropped 120 C:\Users\user\ih.exe, PE32 46->120 dropped 136 Found many strings related to Crypto-Wallets (likely being stolen) 46->136 138 Tries to harvest and steal ftp login credentials 46->138 140 Tries to harvest and steal browser information (history, passwords, etc) 46->140 142 6 other signatures 46->142 51 ih.exe 46->51         started        55 ks.exe 46->55         started        58 chrome.exe 46->58         started        60 3 other processes 46->60 file17 signatures18 process19 dnsIp20 86 C:\Windows\Temp\...\ih.exe, PE32 51->86 dropped 160 Multi AV Scanner detection for dropped file 51->160 62 ih.exe 51->62         started        128 a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189 TANDEMUS United States 55->128 130 84.54.44.48 DZINET-ASRU Russian Federation 55->130 132 3 other IPs or domains 55->132 88 C:\ProgramData\SharkBrowser.exe, PE32 55->88 dropped 66 cmd.exe 55->66         started        68 WerFault.exe 16 58->68         started        70 WerFault.exe 58->70         started        72 WerFault.exe 60->72         started        74 WerFault.exe 60->74         started        76 WerFault.exe 60->76         started        78 WerFault.exe 60->78         started        file21 signatures22 process23 file24 110 C:\Windows\Temp\...\QtXml4.dll, PE32 62->110 dropped 112 C:\Windows\Temp\...\QtWebKit4.dll, PE32 62->112 dropped 114 C:\Windows\Temp\...\QtNetwork4.dll, PE32 62->114 dropped 116 6 other malicious files 62->116 dropped 170 Multi AV Scanner detection for dropped file 62->170 172 Tries to detect sandboxes / dynamic malware analysis system (Installed program check) 62->172 80 conhost.exe 66->80         started        82 reg.exe 66->82         started        signatures25 process26
Score:
15%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/45c233da703dc586b4d5e1303835754a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ybhcy5eabegmq24xhoegvuneript7sesf34bls73tzeamo4sznyq._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
ACRStealer
2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
ACRStealer
59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc
ACRStealer
9667f74b0fa7eb520c63f2d4dc953d1fd68780059b98db4d1dffa3f94f3de7b1
ACRStealer
a9aecc8c364d40c7cd96996479abbf5e7e6f5231e7c00a1064d1c30580ba6ad2
ACRStealer
ad0756e532f5dc6d4d77ffc8c36526be8da1acce4943ff5ef34cfe134d7ff314
ACRStealer
c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71
ACRStealer
c36338fbc2b1913fd79443706dedbc9f58adcfaf5af1dab06a592446e8f6dec6
ACRStealer
db0a48bf74364163187c63f71b91bf77435207e2ce740f80189ff07af0e9cdaf
ACRStealer
error
ACRStealer
f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
ACRStealer
+ 21 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader defense_evasion discovery loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/250716-n8s2yahk41/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70687a5c-2184-4a29-986f-19c0780a1162
Unpacked files
SH256 hash:
c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71
MD5 hash:
45c233da703dc586b4d5e1303835754a
SHA1 hash:
c0a6e0431bce3094b30749a4daa377e84a8131a7
Link:
https://www.unpac.me/results/7b79ad50-9e38-4e90-a32e-cd3fb2cdfc20/
SH256 hash:
e50b107f63378ac5c54837bf9957bd2424bc936a529a8464acab14bba6da0b25
MD5 hash:
7c8558be8197cb42e671c517e1214f38
SHA1 hash:
0884d8abf91e0bfa31d9428995f4aee2fdedb713
Link:
https://www.unpac.me/results/7b79ad50-9e38-4e90-a32e-cd3fb2cdfc20/
SH256 hash:
6bc21f17e72875a6b94d1be00699db67ef15a97d2c4a206e320702883e13ec4c
MD5 hash:
63b1780efda6aca89098092e43a3ee03
SHA1 hash:
b62d5617e238b93652a30cbdbe8c16f8b839f12b
Link:
https://www.unpac.me/results/7b79ad50-9e38-4e90-a32e-cd3fb2cdfc20/
SH256 hash:
3030a0abc780611ae2bb389817dfb41633c76d6a30239818c2c5958f3727faac
MD5 hash:
5ffbaf9114e13bc5ca2f60cd95d78aa2
SHA1 hash:
883f9108b79d45d057c8ab95db239eab47da6609
Link:
https://www.unpac.me/results/7b79ad50-9e38-4e90-a32e-cd3fb2cdfc20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

Executable exe c04e2c7480090cc86b973b886ad1a48a1f3fc8922ef815cbfb9e48063b92cb71

(this sample)

  
Link
https://tria.ge/250716-ns7kdsvzgw/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/14833/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments