MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 7

Intelligence 7 IOCs YARA 17 File information Comments

SHA256 hash:	0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb
SHA3-384 hash:	44569190d26a11f12caccc9a84cea55e4ed8c5edfb2172b565cd6f281ccaf8d5f2706e375dbccc81ce888934bfd25391
SHA1 hash:	4c94f5782aea773e0b9618f559b82a7e29abd7cb
MD5 hash:	4c023b5b77ff883d939e26130a30072d
humanhash:	victor-rugby-seventeen-helium
File name:	Logged.exe
Download:	download sample
Signature	BlankGrabber Create hunting rule
File size:	9'859'584 bytes
First seen:	2025-07-16 15:19:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cf5b55b032188167348d5cf6018c2b0 (1 x BlankGrabber)
ssdeep	196608:2FGkWbtalbaqxDQPgmmYbXlEji+FejvlLvGFEzgATS:6GkWURa/PCYDlEji+MVeFEzgAT
TLSH	T1C5A69D56E2FD00E8D57AC0B8C6574627EBB238551330A7EB56A08A652F33FE16E7D310
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	BlankGrabber de-pumped exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Logged.exe

Verdict:

No threats detected

Analysis date:

2025-07-16 15:19:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/de699c79-a3b5-4ea9-ab32-83008b4c0e0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/14873/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6877c30884b37dd61eef08fb

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/6877c3028a7d628a81b28071/reports/be058e58-6afc-4612-97e0-f47d39366ec0/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fd5a3b2c-a05e-456f-b6fc-0867798e74b7

Result

Threat name:

n/a

Detection:

suspicious

Classification:

evad

Score:

23 / 100

Link:

https://www.joesandbox.com/analysis/1738161

Signature

Contains functionality to prevent local Windows debugging

Behaviour

Behavior Graph:

Download SVG

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Html Javascript in Html PDB Path PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/4c023b5b77ff883d939e26130a30072d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bwjhsm4bo5cyxbykm5iiegxfpk3o223zxzoyf24g3n6jortwchfq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250716-sqe5kswpx9/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bf40c716-7522-473b-92ae-a413d765b393

Unpacked files

SH256 hash:

0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb

MD5 hash:

4c023b5b77ff883d939e26130a30072d

SHA1 hash:

4c94f5782aea773e0b9618f559b82a7e29abd7cb

Link:

https://www.unpac.me/results/914b4fd2-31fb-4183-b4f8-2893b09b5d21/

SH256 hash:

125c927e375c1038220cdfdf667aab4b5db3c76b9384d4161125314a0f98fd38

MD5 hash:

f7c01fb64edffad41bd342d3be7c9468

SHA1 hash:

d6634828f23ee6b6f3879c299a0ce759c80807ae

Link:

https://www.unpac.me/results/914b4fd2-31fb-4183-b4f8-2893b09b5d21/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ducktail Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked ducktail malware samples.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	skip20_sqllang_hook Create hunting rule
Author:	Mathieu Tartare <mathieu.tartare@eset.com>
Description:	YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:	https://www.welivesecurity.com/

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BlankGrabber

zip 313b28fc0332dc974ecb1513145277e41c041560a8c61e3fdca5faace3c98f16

BlankGrabber

exe 0d9279338177458b870a6750821ae57ab6ed6b79be5d82eb86db7c97467611cb

(this sample)

Dropped by

MD5 331e8d0a28c5766e30e157dd94be3af7

Dropped by

SHA256 313b28fc0332dc974ecb1513145277e41c041560a8c61e3fdca5faace3c98f16

Cape

https://www.capesandbox.com/analysis/14873/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample