MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: BlankGrabber
Vendor detections: 12

SHA256 hash: e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6
SHA3-384 hash: a82cef38e60eed2d6c3be3f1b0c26cd7a38024bdc76f42d51c7496b17fa588824d4de83bc64290f83699520345be0c71
SHA1 hash: 718236990015e18150ddcd54a544a773dbb4d77e
MD5 hash: c8386a4c276538ef46d637c629e47fa4
humanhash: nitrogen-oranges-venus-video
File name: c8386a4c_e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6
Signature: BlankGrabber
File size: 9'334'485 bytes
First seen: 2023-05-19 07:46:22 UTC
Last seen: 2023-05-20 14:54:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:sDdafMj8SOtQp6bmJPeNQ9iBq5qumdtS+TDM:0afeOmpOKMprTD
Threatray 29 similar samples on MalwareBazaar
TLSH T1D09633A5A6F50EE1F6FA2236C882D016C6B4FC675324CE8703E4456A1F337662C3B795
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pmmkowalczyk1111
Tags: BlankGrabber exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 251
Origin country: PL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c8386a4c_e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6
Verdict: Malicious activity
Analysis date: 2023-05-19 07:49:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness: (not given)
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Launching the process to change network settings
Creating synchronization primitives
Enabling the 'hidden' option for analyzed file
Creating a window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Setting browser functions hooks
Launching a tool to kill processes
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour: MalwareBazaar, MeasuringTime, EvasionQueryPerformanceCounter, CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware lolbin overlay packed
Result
Verdict: MALICIOUS
Result
Threat name: Blank Grabber
Detection: malicious
Classification: rans.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Contains functionality to modify Windows User Account Control (UAC) settings
Contains functionality to change the wallpaper
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Disables the Windows registry editor (regedit)
Disables UAC (registry)
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Yara detected Blank Grabber
Behaviour
Behavior Graph (ID: 869919; sample Qb9MzYgzL4.exe; start date 19/05/2023; architecture WINDOWS; score 100)
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 4 other signatures
Process tree recovered from the flattened graph:
- Qb9MzYgzL4.exe: drops C:\Users\user\AppData\...\unicodedata.pyd (PE32+), C:\Users\user\...\tinyaes.cp311-win_amd64.pyd (PE32+), C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+) and 21 other malicious files; signatures: Drops PE files with a suspicious file extension; Drops PE files to the startup folder; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords
  - Qb9MzYgzL4.exe (child process): drops C:\Users\user\AppData\Local\Temp\bound.exe (MS-DOS), C:\Users\user\AppData\Local\...\Camera.exe (PE32), C:\ProgramData\Microsoft\...\????.scr (PE32+), C:\Windows\System32\drivers\etc\hosts (ASCII); signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies the hosts file; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords
    - cmd.exe (with conhost.exe) -> bound.exe: drops C:\Windows\winnt32.exe (MS-DOS), C:\Users\Public\...\????????????????????:? (data), C:\Users\Public\...\???????????????????? (data) and 4 other malicious files; signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates files in alternative data streams (ADS); 7 other signatures
    - cmd.exe (with conhost.exe) -> net.exe -> net1.exe; signatures on this cmd.exe: Uses netsh to modify the Windows network and firewall settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords
    - cmd.exe (with conhost.exe) -> Camera.exe; signature on Camera.exe: Machine Learning detection for dropped file
    - 26 other processes -> systeminfo.exe (Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)); WMIC.exe (DLL side loading technique detected); 50 other processes -> net1.exe
Threat name: ByteCode-MSIL.Trojan.Graftor
Status: Malicious
First seen: 2023-05-14 12:35:59 UTC
File Type: PE+ (Exe)
Extracted files: 278
AV detection: 19 of 37 (51.35%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence pyinstaller ransomware spyware stealer trojan upx
Behaviour
Enumerates processes with tasklist
Gathers system information
Kills process with taskkill
Modifies Control Panel
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Drops file in Windows directory
Sets desktop wallpaper using registry
Checks whether UAC is enabled
Drops desktop.ini file(s)
Modifies WinLogon
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Disables RegEdit via registry modification
Drops file in Drivers directory
Modifies WinLogon for persistence
UAC bypass
Unpacked files
SHA256 hash: e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6
MD5 hash: c8386a4c276538ef46d637c629e47fa4
SHA1 hash: 718236990015e18150ddcd54a544a773dbb4d77e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

Rule name: TeslaCryptPackedMalware

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
