MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 7

Intelligence 7 IOCs YARA 21 File information Comments

SHA256 hash:	344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae
SHA3-384 hash:	19e26002eaa07b6d79afd1d06eef1eef634091fc75c77ae69dd451e434a3604dc8ee400507edec93264adc95c625b834
SHA1 hash:	e24aca1fdc4b5cb5f22307d003e13c89ae467850
MD5 hash:	74739614223a2ad7955dab3d7de696e3
humanhash:	mexico-one-mockingbird-music
File name:	strix temp.rar
Download:	download sample
Signature	BlankGrabber Create hunting rule
File size:	5'184'939 bytes
First seen:	2025-10-29 13:12:43 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	98304:Wj0PuywGgId+p9CN+7+S1S5Jab00tsuQEVcrksB9B4w3QU/VxrHdN:ZPuyFgId+mN+7pM5u3crNt1xrL
TLSH	T158363347BF95220190910DF232A81F3FC98405A6F2D85AF279446EABBF52D92FDF0752
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	burger
Tags:	BlankGrabber infostealer rar

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 5 file(s), sorted by their relevance:

File name:	D3DCompiler_43.dll
File size:	2'529'176 bytes
SHA256 hash:	ffedb064adc25328b24dcf145b04045a867a5574c931516d7845babf2a08937f
MD5 hash:	d010ab113ed06bf6b42c7746ef395e21
MIME type:	application/x-dosexec
Signature	BlankGrabber

File name:	d3dx10_43.dll
File size:	514'480 bytes
SHA256 hash:	b5f2e4d842c758fae91323888ace39328c47d9546231757f73831e2369ae58ed
MD5 hash:	190649d410964753a54a306caeb33cb8
MIME type:	application/x-dosexec
Signature	BlankGrabber

File name:	d3dx11_43.dll
File size:	279'984 bytes
SHA256 hash:	25814402ce1d74f198958aa38661242189b4e5d640177087d0ba0ecf65d19a44
MD5 hash:	015743813e8d70a91cce6319fd2ec94a
MIME type:	application/x-dosexec
Signature	BlankGrabber

File name:	Strix Temp.exe
File size:	7'805'952 bytes
SHA256 hash:	8822e22d3710e18e50c34361ecc837557f5fe22c5cdf24cfea2575e77309c36b
MD5 hash:	fd230aaae8cabf950d5edec87422a223
MIME type:	application/x-dosexec
Signature	BlankGrabber

File name:	d3dx9_43.dll
File size:	2'404'248 bytes
SHA256 hash:	36b84dfa0ef9d3ff3549a7ad54d2a8032bd22c879219ee1a959137c4ef8786c4
MD5 hash:	460d2b03615d8c0697721ce26aee1e60
MIME type:	application/x-dosexec
Signature	BlankGrabber

Vendor Threat Intelligence

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690212e29942f1282eca1198

Tags:

downloader dropper smtp

Verdict:

Unknown

Threat level:

n/a -.1.0/10

Confidence:

100%

Tags:

anti-debug expired-cert microsoft_visual_cc signed

Link:

https://www.filescan.io/uploads/690212e11e2960f52211f261/reports/6e04667c-b604-4c1c-9cde-9d676f5e0181/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae

Verdict:

Malicious

File Type:

rar

First seen:

2025-10-29T15:47:00Z UTC

Last seen:

2025-10-31T04:35:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win32.Stealer.cwhv

Link:

https://opentip.kaspersky.com/344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Rar Archive

Link:

https://app.malva.re/file/74739614223a2ad7955dab3d7de696e3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae/

Verdict:

Malicious

Threat:

Family.BLANKGRABBER

Link:

https://tip.neiki.dev/file/344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae

Threat name:

Win64.Trojan.Dacic

Status:

Malicious

First seen:

2025-10-29 13:13:48 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=grbcdqmugc6qo2hbx36epcabugxqdkmt76x6vpxp7pmjun2yagxa._file

Result

Malware family:

blankgrabber

Score:

10/10

Tags:

family:blankgrabber adware collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Link:

https://tria.ge/reports/251029-q7xpvagz8e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/344221c19430bd0768e1befc478801a1af01a993ffafeabeeffbd89a375801ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	Discord_APIs Create hunting rule

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Websites Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/