MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ACRStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
SHA3-384 hash: 897964c02adafdd6c03ecb47e07fedae608e12c5584922ab062c449cbceb488a5f5458ef1ea3618fd3d1622fb6dc20f3
SHA1 hash: 536d13a5cefedbddc01015d02b2decbe4e4c96c2
MD5 hash: 960ad9da0c6d048617b1a610ff382adf
humanhash: dakota-magnesium-edward-apart
File name:Setup.exe
Download: download sample
Signature ACRStealer
Create hunting rule
File size:1'304'064 bytes
First seen:2025-12-03 19:02:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:VyqDUun9yPw4pVgFtAV3JhlpSys6pMi1sAF08yY3Ozo5xda7XufoYkhgAY:w0n9yZHg/GZSH6J1TehY3so5xdgCWf
TLSH T1A95533269AF89036D97627B045FF07F31A327D3086729E6A7284BE5E0D73258E4343B5
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:ACRStealer de-pumped exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/2400e62a-c178-4eea-8596-224c54fcfecf/
Malware family:
n/a
ID:
1
File name:
_fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7.exe
Verdict:
Suspicious activity
Analysis date:
2025-12-03 19:04:35 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/57a2152b-d36b-4e1e-8b47-69c0c6b56955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42358/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6930894e16e6db515e4667d2
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Launching the process to create tasks for the scheduler
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm at autoit CAB expand explorer installer installer installer-heuristic lolbin microsoft_visual_cc packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69308946189af9fec66ba3e5/reports/807f5649-5b16-4fc0-833c-18f191eca1dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-03T16:14:00Z UTC
Last seen:
2025-12-05T14:13:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Autoit.sb Trojan.Win32.Autoit.acydr Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8c8913a2-1c7b-4484-8b69-d540a5376d10
Result
Threat name:
ACR Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1825738
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ACR Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1825738 Sample: Setup.exe Startdate: 03/12/2025 Architecture: WINDOWS Score: 100 72 udolzcEnjYXQ.udolzcEnjYXQ 2->72 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Antivirus detection for URL or domain 2->82 84 5 other signatures 2->84 11 Setup.exe 1 18 2->11         started        14 elevation_service.exe 2->14         started        16 rundll32.exe 2->16         started        signatures3 process4 signatures5 86 Uses schtasks.exe or at.exe to add and modify task schedules 11->86 18 cmd.exe 1 11->18         started        21 at.exe 1 11->21         started        process6 signatures7 76 Drops PE files with a suspicious file extension 18->76 23 cmd.exe 4 18->23         started        26 conhost.exe 18->26         started        28 conhost.exe 21->28         started        process8 file9 70 C:\Users\user\AppData\Local\...\Jungle.com, PE32 23->70 dropped 30 Jungle.com 23->30         started        34 findstr.exe 1 23->34         started        36 WerFault.exe 2 28->36         started        38 WerFault.exe 2 28->38         started        40 WerFault.exe 28->40         started        42 9 other processes 28->42 process10 dnsIp11 74 87.120.219.23, 443, 49686, 49687 NET1-ASBG Bulgaria 30->74 88 Found many strings related to Crypto-Wallets (likely being stolen) 30->88 90 Tries to harvest and steal browser information (history, passwords, etc) 30->90 92 Modifies the context of a thread in another process (thread injection) 30->92 94 4 other signatures 30->94 44 chrome.exe 30->44         started        46 msedge.exe 30->46         started        48 chrome.exe 30->48         started        50 5 other processes 30->50 signatures12 process13 process14 52 WerFault.exe 16 44->52         started        54 WerFault.exe 16 44->54         started        56 WerFault.exe 46->56         started        58 WerFault.exe 46->58         started        60 WerFault.exe 48->60         started        62 WerFault.exe 48->62         started        64 WerFault.exe 50->64         started        66 WerFault.exe 50->66         started        68 4 other processes 50->68
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/960ad9da0c6d048617b1a610ff382adf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7/
Verdict:
Malicious
Threat:
Trojan.Win32.Autoit
Link:
https://tip.neiki.dev/file/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ysrxmobjn2kbazlasn6hgn7ol42hjryqrwz5cogcskciqhcehtq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251203-xp1r4svkbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/205e04dc-54a9-4af2-8403-8a3aca4a84c5
Unpacked files
SH256 hash:
fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
MD5 hash:
960ad9da0c6d048617b1a610ff382adf
SHA1 hash:
536d13a5cefedbddc01015d02b2decbe4e4c96c2
Link:
https://www.unpac.me/results/d43529f8-cc77-448a-86e3-362a31c85b08/
SH256 hash:
c5ab31901e4622a030146f95b85edb80100faa25edcb589e654dbdc366d5eaf5
MD5 hash:
b73e8246708df1e286df01c64db435ec
SHA1 hash:
082916c60b8d9b3e9b0fac5d4a740a2dbe4e4534
Link:
https://www.unpac.me/results/d43529f8-cc77-448a-86e3-362a31c85b08/
SH256 hash:
149c43689a0eac08420ac6087b3340535170acbfda88a85821d9590272edc882
MD5 hash:
bf8097361d26d672bab38957e37da280
SHA1 hash:
704360bac55757848755358a118ca515d20a441d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/d43529f8-cc77-448a-86e3-362a31c85b08/
Parent samples :
6c5087d06021234b772afefdacfad8da2cf0a085bf2392ec2ad60f7544fc41f4
ced6f0e86377df269f92007123890005f6a96931901eca9b6b9da87fe5fab48f
c4e1711c4029933d1a4ec238edf1de5b275e73d7422305447742e5b713a478a0
70428c1fd7f8879239050155e0a37ed65c6997855e8a8420e2d2f09598ba5cd6
86d98c6b9a1f0fdee1fd1f898b8799180a7c9368e6b365a95ede0d8f49a6ad41
fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe251bb1c14b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ACRStealer

zip 18794a9b9d04286144e5ca91fdfec3c18da1860f17267ed68fe5e4ce3bbf993b

ACRStealer

Executable exe fe251bb1c14b74a0832b049be399bf72f9a3a638846d9e89c614942440e221e7

(this sample)

  
Dropped by
MD5 00c70fe113fbba486e9b539bfdae3d33
  
Dropped by
SHA256 18794a9b9d04286144e5ca91fdfec3c18da1860f17267ed68fe5e4ce3bbf993b
Cape
Cape
https://www.capesandbox.com/analysis/42358/

Comments