MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88efdaa4d897576e5e7c8aab16068386ca4b9a4de0a1e4d17a0c4d59b48b25e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 5

Intelligence 5 IOCs YARA 64 File information Comments

SHA256 hash:	d88efdaa4d897576e5e7c8aab16068386ca4b9a4de0a1e4d17a0c4d59b48b25e
SHA3-384 hash:	e222d238d6b1874ff0c8bec39eb3ed532bccfddb8469f0551bda7c1765fc2bb8967f2487853070500202b6b9f033d21a
SHA1 hash:	94303bd37704fe1fe5d21393c64f0691f65e1945
MD5 hash:	09931d251c5cd7de85d6da51d8217fdc
humanhash:	single-triple-gee-network
File name:	SETUP.zip
Download:	download sample
Signature	ACRStealer Create hunting rule
File size:	20'972'558 bytes
First seen:	2026-06-05 20:01:50 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	393216:2lbzJRDTHu+ST1J0JfLJdDsLV3L5Wh1ozktAFNwqghhp6DcK/qTZ:UbzJdLLST+f9dDsHWfozWAjTap8V/kZ
TLSH	T16227338A50B61FCACC8B1939D4D3254387ECB326530565BF5BA8D7B72EF53B1906C882
Magika	zip
Reporter	aachum
Tags:	ACRStealer file-pumped gsk-scriptlattice-cc zip

iamaachum

https://bestproviders.org/ => https://www.mediafire.com/file/i1w48ym14w7l8rx/SETUP_FILE_(PASS$_KEY=2115)).zip/file

ACRStealer C2: gsk.scriptlattice.cc

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 33 file(s), sorted by their relevance:

File name:	x32bridge.dll
File size:	80'800 bytes
SHA256 hash:	2560e8466035767357208e66b09a181f9521df1c0e6a87ddfedf0a749dd41b55
MD5 hash:	f01d7082d516f7cc3eeec8c3572176f9
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Setup.exe
File size:	95'896 bytes
SHA256 hash:	a8fd08774f4d5693129d46f6f59ce5de6986066f796f1c1a567ae14c59b9ba67
MD5 hash:	00a93e4a08632b496634d66d975cb036
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	x32_bridge.dll
File size:	21'216 bytes
SHA256 hash:	c7730c8be88bd6f5e042c35731390a68bf519bb185783f71f549ce12ec151e00
MD5 hash:	1adb6226a7ed12e8ba44a58c3ac69722
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qwebp.dll
File size:	428'720 bytes
SHA256 hash:	28caf443f600b9317b94ade67620109198035c63335b91d3af3a88581b475923
MD5 hash:	6d3a549718464617961f57975149a2b8
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	loaddll.exe
File size:	125'344 bytes
SHA256 hash:	e844063f3bcc11c0df8b6868ab510a7e893264001d0763e51b56f00e3256c4c0
MD5 hash:	d055edda07dc0521271d94917f9d2409
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	LLVMDemangle.dll
File size:	464'632 bytes
SHA256 hash:	99f99e4abad8c162a36ef3e90f7d7364e6df569456647a70e3c5f17af807dd39
MD5 hash:	e9df45d405d347a4d69903b4e2d7cc9a
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	python37.dll
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	435'222'190 bytes
SHA256 hash:	03834753635c3cf1bb762d1e328a6be220e7374aa6ecb46ed58c5d237c56885d
MD5 hash:	e1863a67bb9f1d94a24c8bba5baabc00
De-pumped file size:	14'730'240 bytes (Vs. original size of 435'222'190 bytes)
De-pumped SHA256 hash:	7eb2ece5354e50ebcd954ff6a76dd74504bea6769ed6e0ecd9deb53f46211cfa
De-pumped MD5 hash:	f4790057f5bd7410900f0b5897a180bb
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	DeviceNameResolver.dll
File size:	64'224 bytes
SHA256 hash:	603ca613ae1000ee0c534694154d360d48fcff0a5db4681ca061382d814509d3
MD5 hash:	43a975de4528ebceb903bdc443537a2b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Qt5Widgets.dll
File size:	4'583'600 bytes
SHA256 hash:	fae1cbde9e10955e8b0ff414e64020be20bf9d1d62e7c583b4510b60f363faf0
MD5 hash:	07b30ed72326c030aae212224034bf28
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qtga.dll
File size:	30'384 bytes
SHA256 hash:	8aa979e85e681c0215f5a916d849d789b454dd1406ff2daf90c894efbd253d52
MD5 hash:	1eb7a620ec9dc8a24ac98ea55b475c4d
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	x32_dbg.dll
File size:	13'536 bytes
SHA256 hash:	eb89119af3e4d37f2d5494e24807f1959b0c3adb937025027f854bfb75586540
MD5 hash:	a270874e427152b32469a968ad70f229
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qwindowsvistastyle.dll
File size:	132'784 bytes
SHA256 hash:	a0b0177a40b1c74ac79bf31c9f26ab0770d54c2297d68a53d289c48ff5b23edb
MD5 hash:	cea2589b96f6a9f02fccc0bc0786965f
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qwbmp.dll
File size:	29'360 bytes
SHA256 hash:	a7d5e1099e28c9149087a602e609d257e4d9614265213f24c192e21c1ef070cb
MD5 hash:	7a6f767278b60cf9347e4280279a7459
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Qt5Gui.dll
File size:	5'438'128 bytes
SHA256 hash:	ba869785c14c4ace0924c123295a503a59cf90cc4da68e0c61c47187b3754fe6
MD5 hash:	0906103e25f7349766fc6025c491aa5a
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Qt5WinExtras.dll
File size:	455'344 bytes
SHA256 hash:	8cbe541083088cb133647074135411c9a77b06035de3de90ff6362205754fd88
MD5 hash:	095bb7707ee3b0b353f5df0d518b6bfb
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	lz4.dll
File size:	97'504 bytes
SHA256 hash:	1b73b5bae84a95bd58af72cc669d0ac2c6e4562de868bef1e840362ceabeccff
MD5 hash:	b8e4b63d957698f4ecaf47678f0bc83b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qwindows.dll
File size:	1'220'784 bytes
SHA256 hash:	60085c5b61554a1e9d96350f039597a1b77a7576a81a12a24ace9de4c323bb8d
MD5 hash:	f52d1908e2d1f5b03b72cc87df48c8ad
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	vcruntime140.dll
File size:	91'112 bytes
SHA256 hash:	c8e6089e6efe9573af55cf011c4e41b21235b2531f6c395faad53f410f22acaa
MD5 hash:	9248c36666a2fec5e2a8913d6edabf80
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qsvg.dll
File size:	31'408 bytes
SHA256 hash:	099eef1d161e9c4bb957d73678d471cc276337233a8e715e181a352760346701
MD5 hash:	7ba0979da56479bd964810e8ce794e9e
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qico.dll
File size:	36'016 bytes
SHA256 hash:	ae2d373da197c94fd6aff5b56baf3df754722926af4f71279688ce563fe6ef31
MD5 hash:	77b5eee567d88078024e3b535d6196f1
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Qt5Svg.dll
File size:	280'240 bytes
SHA256 hash:	4e5e73ae36d79192dc04ebaf1d08ac5afcb77a825af6d425ed5431845605f8a8
MD5 hash:	c7cf7bb86753ea779b0aaf9cd92a0433
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qtiff.dll
File size:	358'576 bytes
SHA256 hash:	15ad29efcf28dd9dbf8d4f5cf13a29283598c6a9b3dc438dbe22a7ccc3c98d16
MD5 hash:	0317a834a2ed5ff0e9959eb26e705632
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qgif.dll
File size:	36'528 bytes
SHA256 hash:	7ac66b0c813585b7cd3645ad3bcab0b225006cee9076b05a21cb6b8db176462d
MD5 hash:	e070dbf1a9253bde7910e040dfd5d4bc
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	asmjit.dll
File size:	305'888 bytes
SHA256 hash:	412e418493efeb0768fea2a316ede1abdf6f482f98b01b5b1e038b04021da5df
MD5 hash:	8bd6f56bffa69247390dc459d367578b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	TitanEngine.dll
File size:	540'576 bytes
SHA256 hash:	f4acad8aa176465db98256bbd018d96c2a8eb3c4e493d0dc6851a901bd4fb266
MD5 hash:	0941ff820216284733a1af99932c2013
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	msdia140.dll
File size:	2'224'200 bytes
SHA256 hash:	1e1947bc18d7630ee01b733b63fff0a8ed425dcef25a75f165eb07fc1c8be851
MD5 hash:	977374d06d8f302094d790a154dd2131
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	2
File size:	381 bytes
SHA256 hash:	4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash:	1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type:	text/xml
Signature	ACRStealer

File name:	Scylla.dll
File size:	463'584 bytes
SHA256 hash:	3b5a699cf588472468085de0abfd19ed3bd3251e9a5b110348671b028f99b146
MD5 hash:	f39e0d2680ca0c765c6b57557692a86b
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	msvcp140.dll
File size:	449'616 bytes
SHA256 hash:	c8e7456f4ac9aa65ef3ad61a6daf30efec9737344d173b2d6d2c16e752052a55
MD5 hash:	996d01ad6a71761f29a98ec9e9f30007
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qicns.dll
File size:	44'720 bytes
SHA256 hash:	3587d149b774835aaebf9122945d432cb97a01f923c2bdf45c8ddf7db46fde6f
MD5 hash:	d617d449bff841e9e56ae5d66733c1f0
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	qjpeg.dll
File size:	392'368 bytes
SHA256 hash:	18706a0bff940116731de4a55d8312c054771271c49fe47f77e07b0d73529053
MD5 hash:	1f8c4a04573e26286ee2fafdf03f8f85
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	Qt5Core.dll
File size:	5'113'760 bytes
SHA256 hash:	054b08b2b64d0cf9cce74d629d8b9fc0736e12d369f99b6e5111aaa9f4559bfd
MD5 hash:	5eb49c566a30ff8bc22565b780f648e8
MIME type:	application/x-dosexec
Signature	ACRStealer

File name:	dbghelp.dll
File size:	1'250'016 bytes
SHA256 hash:	0697984deb8c7e482c50232d8ed791d759756f1aad9b62f18e4602d0db7a7cda
MD5 hash:	c6e2a6a2a8d234fa608f7fd909327a95
MIME type:	application/x-dosexec
Signature	ACRStealer

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/c59fbaef-d063-4cbd-aac0-41f943271413/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a232b5df8676ad4d361818d

Tags:

injection obfusc crypt

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d88efdaa4d897576e5e7c8aab16068386ca4b9a4de0a1e4d17a0c4d59b48b25e

Score:

29%

Verdict:

Benign

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Any_SU_Domain Create hunting rule
Author:	you
Description:	Detect any reference to .su domains or subdomains

Rule name:	Cerberus Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	Cerberus

Rule name:	certum_issuer Create hunting rule
Author:	Certum
Description:	Looks for files signed with certificate issued by Certum

Rule name:	Check_Debugger Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_all_IPv6_variants Create hunting rule
Author:	Bierchermuesli
Description:	Generic IPv6 catcher

Rule name:	detect_certum_issuer Create hunting rule
Author:	Certum
Description:	Looks for files signed with certificate issued by Certum

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	GuLoader Create hunting rule

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	skip20_sqllang_hook Create hunting rule
Author:	Mathieu Tartare <mathieu.tartare@eset.com>
Description:	YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:	https://www.welivesecurity.com/

Rule name:	SUSP_Websites Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	unknown_dropper Create hunting rule
Author:	#evilcel3ri
Description:	Detects an unknown dropper

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.