MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e8bad3dd8b3805b02a96b79c3b109e9a0ffb3e6c2efbbce25bd0b71efaf7aed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PureCrypter


Vendor detections: 11



SHA256 hash: 4e8bad3dd8b3805b02a96b79c3b109e9a0ffb3e6c2efbbce25bd0b71efaf7aed
SHA3-384 hash: 5fc66da0f87d25aedf4580220c00ffdcf8a0c2bc93fbaab7ea7e6e51cf183b4aaa5ef81ade2299311dceb18672cb7a3a
SHA1 hash: d99925ae225cf4143688431617b69aa387504a85
MD5 hash: c6e0b6b49449d94b9a27ee20ab8392da
humanhash: uncle-comet-gee-double
File name: python.exe
Download: download sample
Signature: PureCrypter
File size: 14'130'747 bytes
First seen: 2026-05-04 20:41:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1e35fb1fe9a7bf8d1475815caacafea9 (1 x PureCrypter)
ssdeep 393216:5Yush6m6iwLzhu51VUfhGuI7avt0hCpmEpG/soAlL5CIqG2lS:eusJde1c1VlRo0hCEEzvlLQIqI
TLSH T19CE63324A0929479E8F11538433AD7F50B2E4D209F52D4DB63C43675FAAF6C0BA38B67
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 011d45253929e1c6 (4 x BlackGuard, 2 x CoinMiner, 1 x RedLineStealer)
Reporter smica83
Tags: exe purecrypter

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _4e8bad3dd8b3805b02a96b79c3b109e9a0ffb3e6c2efbbce25bd0b71efaf7aed.exe
Verdict: Malicious activity
Analysis date: 2026-05-04 20:43:14 UTC
Tags: python pyinstaller openssl tool auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Creating synchronization primitives
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug evasive expand lolbin microsoft_visual_cc overlay packed pyinstaller
Verdict: Malicious
File Type: exe x32
First seen: 2026-05-03T05:20:00Z UTC
Last seen: 2026-05-04T18:53:00Z UTC
Hits: ~10
Detections: Backdoor.MSIL.AsyncRat.ru Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic
Result
Threat name: PureCrypter
Detection: malicious
Classification: spyw.evad
Score: 96 / 100
Signature
.NET source code contains potential unpacker
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 1908351, sample python.exe, start date 04/05/2026, architecture WINDOWS, score 96]
Process chain recoverable from the graph: python.exe (root) starts a second python.exe and conhost.exe, drops unicodedata.pyd, select.pyd, Python.Runtime.dll and 24 other malicious files under C:\Users\user\AppData, and runs the WMI queries (Win32_PhysicalMemory, Win32_DiskDrive, Win32_PnPEntity) listed under Signature. The second python.exe contacts 104.194.152.199 (ports 49724, 56001; PONYNETUS, United States), drops C:\Users\user\AppData\Local\...\nsedge.exe, triggers the Crypto-Wallet, Bitcoin Wallet and PureCrypter signatures, and starts cmd.exe. Two nsedge.exe instances started from the root each drop a further set of files (27 and 24 other malicious files respectively), start a child nsedge.exe and conhost.exe, and the child nsedge.exe starts cmd.exe.
Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Backdoor.AsyncRAT
Status: Suspicious
First seen: 2026-05-03 10:03:40 UTC
File Type: PE (Exe)
Extracted files: 919
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation pyinstaller spyware stealer
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
System Location Discovery: System Language Discovery
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries
Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments