MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5
SHA3-384 hash: 72ea4d0d1189421f532acf2adfe0c46653fddd32207fd47b271e8164b82fc08bd1abbf01c4ae49ff32ffe39770b90191
SHA1 hash: e4356aa03886cb0e155c1ea97db8b89ef0c3b370
MD5 hash: 4fc11103656a21ead7ce026ff80e51b6
humanhash: pizza-nuts-earth-sodium
File name:UnloockToolAcc.exe
Download: download sample
Signature PythonStealer
Create hunting rule
File size:25'744'723 bytes
First seen:2026-04-10 13:32:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (59 x BlankGrabber, 27 x Efimer, 22 x NetSupport)
ssdeep 786432:Mj5vzAljSYGuSW8UW+Nj/vZAQSOPeUBWtA1deJ:o9zAjShWLNNLqQSOPeUp1de
TLSH T102473380639445EAE8D55A7C819A592353B3BDEC2FB8E14F0AB47D673B770C1AD30B21
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon 0e332b6d230e6961 (1 x PythonStealer)
Reporter burger
Tags:exe PythonStealer stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/2e3ee808-4e9a-46fc-b2eb-13015234f1d8/
Malware family:
n/a
ID:
1
File name:
https://gofile.io/d/lNsTeR
Verdict:
Malicious activity
Analysis date:
2026-04-10 13:28:49 UTC
Tags:
python anti-evasion stealer pyinstaller evasion discord arch-doc
Link:
https://app.any.run/tasks/e4dbbc90-4f90-440f-83fc-b358abb04ea6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61041/
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d8fbd766ab6d001dd0f83f
Tags:
extens virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
DNS request
Connection attempt
Delayed reading of the file
Launching a process
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Сreating synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Sending a custom TCP request
Running batch commands
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expand installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller virus
Link:
https://www.filescan.io/uploads/69d8fc2a5ea31bc68a1df8bb/reports/10e96bf7-ddd6-4bd7-b463-0dcac2b8ba85/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-10T10:30:00Z UTC
Last seen:
2026-04-11T06:16:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Mercurial.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Mercurial.bbb
Link:
https://opentip.kaspersky.com/6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5/results?tab=lookup
Result
Threat name:
Python Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1896502
Signature
Excessive usage of taskkill to terminate processes
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Potential CobaltStrike Process Patterns
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Yara detected Generic Python Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1896502 Sample: UnloockToolAcc.exe Startdate: 10/04/2026 Architecture: WINDOWS Score: 92 56 unlocktoolpro.com 2->56 58 store1.gofile.io 2->58 60 ipinfo.io 2->60 68 Sigma detected: Capture Wi-Fi password 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Sigma detected: Potential CobaltStrike Process Patterns 2->72 74 Yara detected Generic Python Stealer 2->74 10 UnloockToolAcc.exe 1001 2->10         started        signatures3 process4 file5 48 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 10->48 dropped 50 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 10->50 dropped 52 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->52 dropped 54 122 other files (none is malicious) 10->54 dropped 80 Uses netsh to modify the Windows network and firewall settings 10->80 82 Tries to harvest and steal WLAN passwords 10->82 14 UnloockToolAcc.exe 35 10->14         started        signatures6 process7 dnsIp8 62 ipinfo.io 34.117.59.81, 443, 49703 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 14->62 64 unlocktoolpro.com 104.21.32.54, 443, 49700 CLOUDFLARENETUS United States 14->64 66 store1.gofile.io 45.112.123.227, 443, 49704 AMAZON-02US Singapore 14->66 86 Tries to harvest and steal browser information (history, passwords, etc) 14->86 88 Excessive usage of taskkill to terminate processes 14->88 90 Tries to harvest and steal WLAN passwords 14->90 18 cmd.exe 14->18         started        20 cmd.exe 1 14->20         started        23 cmd.exe 14->23         started        25 28 other processes 14->25 signatures9 process10 signatures11 27 systeminfo.exe 18->27         started        30 conhost.exe 18->30         started        76 Uses whoami command line tool to query computer and username 20->76 32 conhost.exe 20->32         started        34 whoami.exe 1 20->34         started        36 conhost.exe 23->36         started        38 whoami.exe 1 23->38         started        78 Loading BitLocker PowerShell Module 25->78 40 conhost.exe 25->40         started        42 conhost.exe 25->42         started        44 26 other processes 25->44 process12 signatures13 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 27->84 46 WmiPrvSE.exe 27->46         started        process14
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/4fc11103656a21ead7ce026ff80e51b6
Gathering data
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Disco
Link:
https://tip.neiki.dev/file/6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-04-10 13:32:16 UTC
File Type:
PE+ (Exe)
Extracted files:
2547
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ntu2glnlitiijjtgjopkn5wce5ddfrxqcsrfdeuxkxejb524dhsq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer
Link:
https://tria.ge/reports/260410-qtr77sew5q/
Behaviour
Gathers system information
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ce9a32dab44d084a6664b9ea6f6c2274632c6f014a251929755c890f75c19e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61041/

Comments