MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
SHA3-384 hash: f386d235f72deaa773188177beb5518b7c909370839e7d03b84494b68c5b214497208f7de7e6dd18cee75f9555a88630
SHA1 hash: bf634605a1d106d8f84688d84f833efcd59e8992
MD5 hash: d32175880985f3095418f2f5db2eaab3
humanhash: mountain-pluto-ceiling-mexico
File name:x039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2.exe
Download: download sample
Signature PureCrypter
Create hunting rule
File size:12'608'504 bytes
First seen:2026-01-08 15:08:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (43 x BlankGrabber, 22 x Efimer, 18 x PythonStealer)
ssdeep 196608:hFUhyslgTSJIeRo+jFgaIAjNyMzEltbW897GGr1LDsBTG9WdvWQ4a/R6f:hOysfuSfdjcMo1N3sB15WQzAf
TLSH T186C63314622044EDFCE3D13BA59150E2B7F2B5255B31CADB0BA852993F67BF25D3CA08
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe purecrypter signed

Code Signing Certificate

Organisation:SecureApp_3661
Issuer:SecureApp_3661
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-06T19:06:27Z
Valid to:2027-01-06T19:26:27Z
Serial number: 46ed8b29ae6cf1984b9b62b55ed53cc2
Thumbprint Algorithm:SHA256
Thumbprint: 0b8df2ff56494bc89ec0fc524aa71404a9dfddf91a017b27ffe0020b236abeb4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/51cd4345-139f-4e59-abd5-724520b1fb93/
Malware family:
n/a
ID:
1
File name:
x039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2.exe
Verdict:
Malicious activity
Analysis date:
2026-01-08 12:28:19 UTC
Tags:
python anti-evasion auto-reg pyinstaller stealer purehvnc netreactor
Link:
https://app.any.run/tasks/2d83738c-9afa-4017-a76e-da6c271aa0bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48189/
Detection(s):
SecuriteInfo.com.Variant.Application.Tedy.3948.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695fa2e19922425f92fed5b5
Tags:
obfuscate xtreme virus spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context expand expired-cert installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller python short-lived-cert signed
Link:
https://www.filescan.io/uploads/695fc86e07ef5fa68e815dd4/reports/65b9f52f-4ed7-4b60-a589-20225a2fa9b5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-06T17:42:00Z UTC
Last seen:
2026-01-09T10:45:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Python.Agent.gen
Link:
https://opentip.kaspersky.com/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f8de5cb8-1249-4705-88b5-6edbaab6c858
Result
Threat name:
PureCrypter
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1846669
Signature
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Detected PureCrypter Trojan
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1846669 Sample: vLimT2plin.exe Startdate: 08/01/2026 Architecture: WINDOWS Score: 100 90 Suricata IDS alerts for network traffic 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 6 other signatures 2->96 11 vLimT2plin.exe 36 2->11         started        14 RuntimeBroker.exe 36 2->14         started        16 RuntimeBroker.exe 2->16         started        18 svchost.exe 1 1 2->18         started        process3 dnsIp4 60 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->60 dropped 62 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 11->62 dropped 64 C:\Users\user\AppData\Local\...\python314.dll, PE32+ 11->64 dropped 72 18 other malicious files 11->72 dropped 21 vLimT2plin.exe 3 11->21         started        74 21 other malicious files 14->74 dropped 25 RuntimeBroker.exe 14->25         started        66 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 16->66 dropped 68 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 16->68 dropped 70 C:\Users\user\AppData\Local\...\python314.dll, PE32+ 16->70 dropped 76 18 other malicious files 16->76 dropped 27 RuntimeBroker.exe 16->27         started        86 127.0.0.1 unknown unknown 18->86 file5 process6 file7 50 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 21->50 dropped 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->98 29 RuntimeBroker.exe 36 21->29         started        52 C:\Users\user\...\serviceruntimezxvd.exe, PE32 25->52 dropped 33 serviceruntimezxvd.exe 25->33         started        54 C:\Users\user\AppData\...\wmisvc2jdt.exe, PE32 27->54 dropped 35 wmisvc2jdt.exe 27->35         started        signatures8 process9 file10 78 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 29->78 dropped 80 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 29->80 dropped 82 C:\Users\user\AppData\Local\...\python314.dll, PE32+ 29->82 dropped 84 18 other malicious files 29->84 dropped 110 Multi AV Scanner detection for dropped file 29->110 37 RuntimeBroker.exe 2 3 29->37         started        112 Antivirus detection for dropped file 33->112 signatures11 process12 file13 56 C:\Users\user\AppData\...\sysmanagerb3ru.exe, PE32 37->56 dropped 40 sysmanagerb3ru.exe 5 37->40         started        process14 dnsIp15 88 130.12.181.70, 49687, 49689, 49693 DATAHOPDatahop-SixDegreesGB Canada 40->88 58 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 40->58 dropped 100 Antivirus detection for dropped file 40->100 102 Multi AV Scanner detection for dropped file 40->102 104 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 40->104 106 6 other signatures 40->106 45 powershell.exe 37 40->45         started        file16 signatures17 process18 signatures19 108 Loading BitLocker PowerShell Module 45->108 48 conhost.exe 45->48         started        process20
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/d32175880985f3095418f2f5db2eaab3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2/
Verdict:
Malicious
Threat:
Family.PUREHVNC
Link:
https://tip.neiki.dev/file/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-01-07 00:18:40 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aooz5jsz6iy2qjwdgqhp2x2ysrix6f2ngg2k26afyyy5fmib3lba._file
Result
Malware family:
hawkeye
Create hunting rule
Score:
  10/10
Tags:
family:hawkeye defense_evasion discovery execution keylogger persistence pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/260108-sh5ehafx5f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
HawkEye
Hawkeye family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ae0a8846-e91e-4058-b03a-f7078719aedf
Unpacked files
SH256 hash:
039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2
MD5 hash:
d32175880985f3095418f2f5db2eaab3
SHA1 hash:
bf634605a1d106d8f84688d84f833efcd59e8992
Link:
https://www.unpac.me/results/012cdbe5-251f-410a-a958-60e4f2339172/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/039d9ea659f231a826c3340efd5f5894517f174d31b4ad7805c631d2b101dac2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48189/

Comments