MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d64daff8bacd3501d6704d8d88f5fb348658b1133840cd27623d1ca8951b4224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 3

Intelligence 3 IOCs YARA 2 File information Comments

SHA256 hash:	d64daff8bacd3501d6704d8d88f5fb348658b1133840cd27623d1ca8951b4224
SHA3-384 hash:	cc4f0ddf3ed9d362a4661ebfcf2818c45c07175b8b1bec6d8343c76b28fe339378adbbe8c25cef7698ef82a6e4ddf712
SHA1 hash:	87f631cfe1f3e10af6dbafa92e7c1cc0de25d2e8
MD5 hash:	a2366169cd6871ba02d8aedff206f4ce
humanhash:	mobile-steak-video-alaska
File name:	i№st@113R ver.4.8__P@$$ 0082.rar
Download:	download sample
Signature	ACRStealer Create hunting rule
File size:	8'945'074 bytes
First seen:	2025-04-16 23:26:52 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
Note:	This file is a password protected archive. The password is: 0082
ssdeep	196608:QtMWq3Rn0+wbg1HBhf35n7UGVi/OEpH30MbPyz02yhGtV:Qto3R4mHBhP1pi/OEd30MbPo02YYV
TLSH	T1D09633F1878110E1ACF6F62FA1039D3F61D8E31A8232548C739468AAFB2FD797186565
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	aachum
Tags:	ACRStealer AutoIT file-pumped pw-0082 rar

iamaachum

https://chefupdates.rest/ => https://mega.nz/file/DA0Q3CDa#badz2vIsAOhwfonYwTcPyq_37VpRKNpBum6LLNC52vE

ACRStealer C2: http://detailpummel.shop/Up

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file is a password protected archive. The password is: 0082

This file archive contains 26 file(s), sorted by their relevance:

File name:	dynamiclinkui.dll
File size:	587'976 bytes
SHA256 hash:	0b31c371ca1247a8d5451752d17db277fa3c73a2d85fe0c6ecbb817a3a9a7cc5
MD5 hash:	1e8030aa264522f0d9b4cabd6787807f
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	bug61443.phpt
File size:	201 bytes
SHA256 hash:	d975a6121a71e77cb5ba50b3da5f9d165de19c0b076c95f54d9643f3efeee75c
MD5 hash:	22bf2862a9ab2d272f783954a20048bf
MIME type:	text/plain
Signature	ACRStealer

File name:	dereference_008.phpt
File size:	388 bytes
SHA256 hash:	e4019c8dab7f6656374c58784d0e95d09f39ee0a88f57e275a598557235205d8
MD5 hash:	558c31747d57c35ab32d3eb1e7c0fb24
MIME type:	text/x-c++
Signature	ACRStealer

File name:	015.phpt
File size:	343 bytes
SHA256 hash:	73e596bcda31e30cc3fbe3e1862e51ec1cf5cad5563e9db7ac341d1e455f226b
MD5 hash:	3f3a081bc7e4568d6695d756efd6b3f3
MIME type:	text/plain
Signature	ACRStealer

File name:	passByReference_003.phpt
File size:	827 bytes
SHA256 hash:	730e1349ff993c91ba7da49003604ba384910f868fe341f9234f58fe041c4d9c
MD5 hash:	2409e7cf241f7daa78d584cee5ec7409
MIME type:	text/plain
Signature	ACRStealer

File name:	libwalocal.dll
File size:	1'880'880 bytes
SHA256 hash:	9f2bfbd4a93bede82d4b5e465660deeffe3291f3e0df7a37c36282317be588d1
MD5 hash:	62d829f91ec96677fbbc4362cf6fb98d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	stripos_variation8.phpt
File size:	2'360 bytes
SHA256 hash:	136f000f36280e19c23fcc22a75887e85f3727ee0e6e3da77178d32e04c5842f
MD5 hash:	9e49529b26750ecc0a2bf98f1977f1c1
MIME type:	text/plain
Signature	ACRStealer

File name:	gh10239_1.phpt
File size:	380 bytes
SHA256 hash:	742e3f6a75c5a667dccded9ac6527673b5f9076ce5dbab82dfd5ed4ba20b9115
MD5 hash:	1e2b61e151f27d985c3c9774ebb0e245
MIME type:	text/plain
Signature	ACRStealer

File name:	intl_convertcpp.h
File size:	1'254 bytes
SHA256 hash:	c5e9dd242ff06f0c7054efe6830fd0eee29fa5dc994410ad02108ec7c1de7654
MD5 hash:	116789dc1d8f004ec276ce458b00180a
MIME type:	text/x-c
Signature	ACRStealer

File name:	try_finally_011.phpt
File size:	249 bytes
SHA256 hash:	582748391d5baf7c282ec5e8b42bfc44795e97cc6a323414d51995ac60409116
MD5 hash:	908b35141db74c0b0151bbcf3dc4350a
MIME type:	text/plain
Signature	ACRStealer

File name:	exception_during_shutdown.phpt
File size:	595 bytes
SHA256 hash:	8ebf214a23f3447c4df52adc40acc6b26f4b3449ac63202dc6fadfa933efc4b4
MD5 hash:	bfdb58f7be9c03a54dcd25bc5d268249
MIME type:	text/plain
Signature	ACRStealer

File name:	libwavmodapi.dll
File size:	4'781'360 bytes
SHA256 hash:	3c3d8d965bd77dee71575465d21a66777f475e9dc096dc74eca7f8c8563a59fb
MD5 hash:	63068466ca1174caf81e4001fd0c59bd
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	property_override_protectedStatic_privateStatic.phpt
File size:	536 bytes
SHA256 hash:	de6c7ce2dadda3573bead477592c496ba8d9b6d2e30448622be0899bd337d19b
MD5 hash:	ad8f1a37a3877b46d251152e90963163
MIME type:	text/x-c++
Signature	ACRStealer

File name:	ast_printing.phpt
File size:	486 bytes
SHA256 hash:	8004a11455123353be774794d50a323ffae44d58d82c6f707fcc591126b88dcd
MD5 hash:	4552834858a8672c66f93a9254ce5062
MIME type:	text/x-c++
Signature	ACRStealer

File name:	libwaresource.dll
File size:	4'654'384 bytes
SHA256 hash:	73cb1a52cda3ca650d5e6823e5454f76ffab2ce7b69eeeb261df6276006f3d2d
MD5 hash:	a7bcd6caf81ec3885556a8cf8c4add00
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	ug.txt
File size:	11'386 bytes
SHA256 hash:	9d0268d1eeb8dfdebbb8ea1033c2b99cd667a244c9859085be5d54c9e5ced369
MD5 hash:	ef3e8d61d03e42a3b40d6f0b12535adb
MIME type:	text/plain
Signature	ACRStealer

File name:	formatter_get_locale_variant2.phpt
File size:	1'107 bytes
SHA256 hash:	bbeda4dd58efdad5a4ef07603fed15dec0ed49e190818b3201d316692b76537f
MD5 hash:	1a4ccb2ed42ec433e519933f8c5559e8
MIME type:	text/x-c
Signature	ACRStealer

File name:	bug70001.phpt
File size:	483 bytes
SHA256 hash:	e75b012df2bc6acb86b0647f07dbc6b57e31f0317ab14a6bf5e93d93d16e0198
MD5 hash:	8cb4a072f6ef78947426657061c93078
MIME type:	text/plain
Signature	ACRStealer

File name:	gnome-colors-human_48.png
File size:	39'182 bytes
SHA256 hash:	b40e6742e84a7ad29e0baee960d0502e3dce959e68cc97cf90c5b693a4ef617d
MD5 hash:	f6d3e695490f3653aa596ed14f6d9afc
MIME type:	image/png
Signature	ACRStealer

File name:	libwaheap.dll
File size:	103'216 bytes
SHA256 hash:	532fd260954d47eb1364ea4e79f313b56f4b440a17f32519dcedeb7c91276705
MD5 hash:	17b24cd98ab8714abfb1847aab4bcc38
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	bug_53280.phpt
File size:	1'340 bytes
SHA256 hash:	4d21f79e83492ae83218791443a4f80d8099450d886ab5eecd521505abea2a23
MD5 hash:	029327cea49a5a4cbee6b3f06e17cf24
MIME type:	text/x-ruby
Signature	ACRStealer

File name:	DateTime_clone_basic2.phpt
File size:	1'762 bytes
SHA256 hash:	68273155ba953b0558ce811e08480989cc1124207f0193ddff7122e2d1a7218a
MD5 hash:	c8da54947c9abea549dd9cc236cbfdd7
MIME type:	text/plain
Signature	ACRStealer

File name:	test.cdb
File size:	2'230 bytes
SHA256 hash:	735f45809811ab7180c0d803c6cc5b2e95f17c5c7598cb2c4eedcfe8d0ecd019
MD5 hash:	12fc5ba2b9dcfef2480e5324eeb5f3e5
MIME type:	application/octet-stream
Signature	ACRStealer

File name:	zip_entry_filesize.phpt
File size:	1'546 bytes
SHA256 hash:	55ec5a4c73cface72dfbe576cbed775352e7db61737f760386651a6d16775d98
MD5 hash:	7f4810d29c0d0a0999ea0982bbcd747f
MIME type:	text/plain
Signature	ACRStealer

File name:	popen_pclose_error.phpt
File size:	633 bytes
SHA256 hash:	627692a36f6c3f4d1365f6a73cf08827320bc5839f1b41c2dddfd7390cd95203
MD5 hash:	59d6a406ff35f73d6947e1a9c1e377ee
MIME type:	text/plain
Signature	ACRStealer

File name:	Setup.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	734'016'357 bytes
SHA256 hash:	5d227742e3c06d911bbe0210e09a863922382e62cfdad98243a906c44d8e6e11
MD5 hash:	f49fc27e5e55fbe6ceae64bfa0d48bf1
De-pumped file size:	125'440 bytes (Vs. original size of 734'016'357 bytes)
De-pumped SHA256 hash:	6d0cc6d88e86ee709ef96e6a314f0eaf4d578627b62dd660dccba00c953c1956
De-pumped MD5 hash:	c9258c5670bbe95fbeec1f7d6a9396ae
MIME type:	application/x-dosexec
Signature	ACRStealer

Vendor Threat Intelligence

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6800413f2203b3e10ccfe6f2

Tags:

autoit emotet

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d64daff8bacd3501d6704d8d88f5fb348658b1133840cd27623d1ca8951b4224

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d64daff8bacd3501d6704d8d88f5fb348658b1133840cd27623d1ca8951b4224/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zg276f2zu2qdvtqjwgyr5p3gsdfrmithbam2j3chuokrfi3iisa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution spyware stealer

Link:

https://tria.ge/reports/250417-fa6w5sspy8/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)