MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7d8c91fde82da2353cb3fc0525c83b7648ad72db2c31fe067551debc0aeb47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ACRStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash: cd7d8c91fde82da2353cb3fc0525c83b7648ad72db2c31fe067551debc0aeb47
SHA3-384 hash: 0ce862f2178d051ac1c88978239747e0aaa7489d6ecc58d369682d040b4b482042e90ed1ea23d4db42203999d5c92cc9
SHA1 hash: 0a6f700dd910cff8d8d8379c3a65248777115818
MD5 hash: a5422441047edb1d9a0f3b3efad725a9
humanhash: earth-muppet-tango-undress
File name:Voltix.exe
Download: download sample
Signature ACRStealer
File size:320'344 bytes
First seen:2026-06-18 11:18:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c4cc951c5c18c96cb578ff9ba395f774 (1 x ACRStealer)
ssdeep 1536:NkwvoAtRoah8dDQao7TkKl4ql7oyJONkgUEz+yVBOS2NBWlu90O5byAU4ie8QQsv:zvFp86tTecW844f+kPxE3O
TLSH T10A643B03BB40E405C9266A758975CBF86331FC4C9E65975B31C6FE2BBEEA6C25D022C4
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c800e8f0f8e800e8 (1 x ACRStealer)
Reporter burger
Tags:ACRStealer exe signed

Code Signing Certificate

Organisation:Window Profile Tool
Issuer:Window Profile Tool
Algorithm:sha512WithRSAEncryption
Valid from:2026-06-18T04:41:42Z
Valid to:2029-06-18T04:51:42Z
Serial number: 4358a5c92abb718f4d86bc480fd57ff3
Thumbprint Algorithm:SHA256
Thumbprint: b57dc91d252a3878b301e462960d99ce11ce2529b79107efd6f6815421d79ac7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
164
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
25278093626.zip
Verdict:
No threats detected
Analysis date:
2026-06-18 10:35:44 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Tags:
injection trojan virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
exploit packed signed
Verdict:
Malicious
Labled as:
Win64/Kryptik_AGeneric.ANK trojan
Verdict:
Clean
File Type:
exe x64
First seen:
2026-06-19T21:08:00Z UTC
Last seen:
2026-06-19T23:22:00Z UTC
Hits:
~10
Result
Threat name:
ACR Stealer, DocSa Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates / moves files in alternative data streams (ADS)
Creates an undocumented autostart registry key
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries DNS domain through GetComputerNameExW (potential sandbox evasion)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Yara detected ACR Stealer
Yara detected DocSa Stealer by APT28
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929903 Sample: Voltix.exe Startdate: 18/06/2026 Architecture: WINDOWS Score: 100 43 store.purestack.lol 2->43 45 proxy.willowfleet.click 2->45 47 4 other IPs or domains 2->47 63 Suricata IDS alerts for network traffic 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 7 other signatures 2->69 9 Voltix.exe 14 2->9         started        signatures3 process4 dnsIp5 57 158.94.208.44, 49694, 80 OMEGATECH-ASSC Germany 9->57 59 store.purestack.lol 172.67.153.216, 443, 49693 CLOUDFLARENET-CloudflareIncUS Canada 9->59 61 litter.catbox.moe 108.181.20.36, 443, 49688 AS40676-PsychzNetworksUS United States 9->61 35 C:\Users\user\AppData\...\t62z6fe8ri.exe, PE32+ 9->35 dropped 37 C:\Users\user\AppData\...\saavcmrgsm.exe, PE32+ 9->37 dropped 77 Creates / moves files in alternative data streams (ADS) 9->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 9->79 81 Tries to harvest and steal browser information (history, passwords, etc) 9->81 83 9 other signatures 9->83 14 saavcmrgsm.exe 1 9 9->14         started        18 t62z6fe8ri.exe 103 9->18         started        21 chrome.exe 9->21         started        file6 signatures7 process8 dnsIp9 39 C:\Users\user\...\AppReadiness8bbe01.exe, PE32+ 14->39 dropped 41 :x (copy), PE32+ 14->41 dropped 85 Antivirus detection for dropped file 14->85 87 Multi AV Scanner detection for dropped file 14->87 89 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->89 97 3 other signatures 14->97 23 AppReadiness8bbe01.exe 18 14->23         started        49 polygon.field-crew12.one 104.21.89.94, 443, 49700, 49701 CLOUDFLARENET-CloudflareIncUS Canada 18->49 51 polygon-bor-rpc.publicnode.com 172.66.150.162, 443, 49698 CLOUDFLARENET-CloudflareIncUS Canada 18->51 91 Suspicious powershell command line found 18->91 93 Tries to steal Crypto Currency Wallets 18->93 95 Queries DNS domain through GetComputerNameExW (potential sandbox evasion) 18->95 27 powershell.exe 18->27         started        29 explorer.exe 43 1 18->29 injected 31 chrome.exe 21->31         started        file10 signatures11 process12 dnsIp13 53 polygon.drpc.org 104.18.10.59, 443, 49696, 49697 CLOUDFLARENET-CloudflareIncUS Canada 23->53 55 proxy.willowfleet.click 104.21.8.126, 443, 49699 CLOUDFLARENET-CloudflareIncUS Canada 23->55 71 Antivirus detection for dropped file 23->71 73 Multi AV Scanner detection for dropped file 23->73 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->75 33 conhost.exe 27->33         started        signatures14 process15
Gathering data
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-18 09:03:19 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
cd7d8c91fde82da2353cb3fc0525c83b7648ad72db2c31fe067551debc0aeb47
MD5 hash:
a5422441047edb1d9a0f3b3efad725a9
SHA1 hash:
0a6f700dd910cff8d8d8379c3a65248777115818
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments