MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd
SHA3-384 hash: 5325ed1c0d9c1f8d4b1c3fc808fedddb108998e944e5eb82636392e8d7efc5ac776b0285db38ba4e090e77f5e9d474f8
SHA1 hash: 048c9b5dfee0572e42d71951d07fc5ce3d0544dc
MD5 hash: e7aac633d43126b95c36fbb0f024f077
humanhash: moon-eleven-sad-cola
File name:0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:13'894'656 bytes
First seen:2024-10-06 22:39:34 UTC
Last seen:2024-10-06 23:35:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 393216:OGjfFN2COQWiUbiYw4AepI8utAVQ4LYvJkK:RwCvldY4D+VQt
TLSH T15DE6339C44A35155E3065C73F75A3B2E42C217BEBA90476AA1DCF3629CEA8F34039973
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 782e96962e1e0a90 (1 x BlankGrabber)
Reporter Chainskilabs
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd.exe
Verdict:
Malicious activity
Analysis date:
2024-10-06 22:47:21 UTC
Tags:
uac xworm remote discord evasion blankgrabber stealer pyinstaller
Link:
https://app.any.run/tasks/e176cd70-c67d-46fb-89b8-29d2c146e49f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.65.12358.873.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670311c6b932c04ee8fda621
Tags:
Powershell Autorun Gumen
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a38aeb7-db5e-4154-8f2e-51befa1793b0
Result
Threat name:
Blank Grabber, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527472
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527472 Sample: H2f8SkAvdV.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 109 mail-transsexual.gl.at.ply.gg 2->109 111 discord.com 2->111 113 6 other IPs or domains 2->113 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 32 other signatures 2->135 12 H2f8SkAvdV.exe 5 2->12         started        15 GoogleServices.exe 2->15         started        18 tree.com 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 101 C:\Users\...\RAT (Remote Access TOOL).exe, PE32 12->101 dropped 103 C:\Users\user\...behaviorgraphrabber (LOGS ALL INFO).exe, PE32+ 12->103 dropped 105 C:\Users\user\AppData\Local\Temp\312.exe, PE32+ 12->105 dropped 107 C:\Users\user\AppData\...\H2f8SkAvdV.exe.log, CSV 12->107 dropped 22 Grabber (LOGS ALL INFO).exe 22 12->22         started        25 312.exe 52 12->25         started        28 RAT (Remote Access TOOL).exe 2 6 12->28         started        161 Antivirus detection for dropped file 15->161 163 Machine Learning detection for dropped file 15->163 165 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->165 167 Writes or reads registry keys via WMI 18->167 signatures6 process7 dnsIp8 79 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 22->79 dropped 81 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 22->81 dropped 83 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 22->83 dropped 93 16 other malicious files 22->93 dropped 31 Grabber (LOGS ALL INFO).exe 1 108 22->31         started        85 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 25->85 dropped 87 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 25->87 dropped 89 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 25->89 dropped 95 46 other files (43 malicious) 25->95 dropped 143 Found pyInstaller with non standard icon 25->143 35 conhost.exe 25->35         started        37 312.exe 25->37         started        115 mail-transsexual.gl.at.ply.gg 147.185.221.23, 49720, 53939, 9313 SALSGIVERUS United States 28->115 91 C:\Users\PublicbehaviorgraphoogleServices.exe, PE32 28->91 dropped 39 schtasks.exe 28->39         started        file9 signatures10 process11 dnsIp12 117 discord.com 162.159.136.232, 443, 53919 CLOUDFLARENETUS United States 31->117 119 ip-api.com 208.95.112.1, 53913, 80 TUT-ASUS United States 31->119 121 Found many strings related to Crypto-Wallets (likely being stolen) 31->121 123 Tries to harvest and steal browser information (history, passwords, etc) 31->123 125 Modifies Windows Defender protection settings 31->125 127 6 other signatures 31->127 41 cmd.exe 31->41         started        44 cmd.exe 31->44         started        46 cmd.exe 31->46         started        50 26 other processes 31->50 48 conhost.exe 39->48         started        signatures13 process14 signatures15 145 Suspicious powershell command line found 41->145 147 Uses cmd line tools excessively to alter registry or file data 41->147 149 Encrypted powershell cmdline option found 41->149 159 3 other signatures 41->159 52 powershell.exe 41->52         started        55 conhost.exe 41->55         started        151 Modifies Windows Defender protection settings 44->151 153 Removes signatures from Windows Defender 44->153 57 powershell.exe 44->57         started        68 2 other processes 44->68 59 powershell.exe 46->59         started        62 conhost.exe 46->62         started        155 Adds a directory exclusion to Windows Defender 50->155 157 Tries to harvest and steal WLAN passwords 50->157 64 getmac.exe 50->64         started        66 powershell.exe 50->66         started        70 47 other processes 50->70 process16 file17 137 Loading BitLocker PowerShell Module 57->137 99 C:\Users\user\AppData\...\klwsszyd.cmdline, Unicode 59->99 dropped 72 csc.exe 59->72         started        139 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 64->139 141 Writes or reads registry keys via WMI 64->141 75 WmiPrvSE.exe 70->75         started        signatures18 process19 file20 97 C:\Users\user\AppData\Local\...\klwsszyd.dll, PE32 72->97 dropped 77 cvtres.exe 72->77         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-10-06 22:40:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpbq2v2cf6u4lvap3pvstxekve2cnl7k7lkiys5xiiz5nziqadgq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
BlankGrabber
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/241006-2lh54szdnp/
Behaviour
Detects videocard installed
Enumerates system info in registry
Gathers system information
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
mail-transsexual.gl.at.ply.gg:9313
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/958f61af-4146-4262-901e-f2d84ba61d3d
Unpacked files
SH256 hash:
9070da35fe04b79616b2c8da7485e8453e303fe1253fa4e19532e0f05198f1f1
MD5 hash:
731cfdf5d1ef2d9163293fce54856bf6
SHA1 hash:
6110613a7afa3609a47d9d02c9781cf8f405db06
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/cd8f15d1-49f0-40bb-b81d-e97e572a199c/
SH256 hash:
2e2e50128a487619ccd3b8132e600718f35fce8c7933d7ec67b679231d90409f
MD5 hash:
02336773471c3f35f7962188452e8db6
SHA1 hash:
a5e4330b49fa5f951b45f111347bc1eac54a3f7a
Detections:
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/cd8f15d1-49f0-40bb-b81d-e97e572a199c/
SH256 hash:
0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd
MD5 hash:
e7aac633d43126b95c36fbb0f024f077
SHA1 hash:
048c9b5dfee0572e42d71951d07fc5ce3d0544dc
Link:
https://www.unpac.me/results/cd8f15d1-49f0-40bb-b81d-e97e572a199c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bc30d57422f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bc30d57422fa9c5d40fdbeb29dc8aa93426afeafad48c4bb74233d6e51000cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments