MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 10


Intelligence 10 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa
SHA3-384 hash: 276be88ed9e68a2b2cc323ce16bfcb745053fcbefe9edbc8c83a7eaeb40db7d9293bdd40731975642139f54c5c720ccf
SHA1 hash: a8c98ba05ac710a92c4df15956f81cf81073746f
MD5 hash: b8e16b93be678043ec587ec1c759c2de
humanhash: blue-iowa-charlie-lima
File name:VSSADMIN.EXE
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:7'380'816 bytes
First seen:2023-09-15 20:14:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 98304:9jzHqdVfB2GyuT/9vUIdD9C+z3zO917vOTh+ezsNh75S2zh/hQqIvmJ1YPFlVtqU:9PQsGbT/9bvLz3S1bA32zOqxYPdH
Threatray 396 similar samples on MalwareBazaar
TLSH T1A57633DAA3C109F4D477C63DC2C28945DAB5752B03A4DA8F03B466B61F1BAD48D3BB12
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e8f8f8c8cdc8c8f8 (1 x BlankGrabber)
Reporter smica83
Tags:BlankGrabber exe HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VSSADMIN.EXE
Verdict:
No threats detected
Analysis date:
2023-09-15 20:14:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/453790a9-44e4-4943-95ac-680a519b9475

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BlankStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448932/
Detection(s):
SecuriteInfo.com.Python.Muldrop.16.6446.15206.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control expand greyware lolbin masquerade overlay packed
Link:
https://www.filescan.io/uploads/6504bb470870810f017faf18/reports/6fad49c3-ecd0-49b4-adc6-640bfc226caa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309234
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potentially malicious time measurement code found
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1309234 Sample: VSSADMIN.EXE.exe Startdate: 15/09/2023 Architecture: WINDOWS Score: 100 75 tse1.mm.bing.net 2->75 97 Found malware configuration 2->97 99 Antivirus detection for URL or domain 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 3 other signatures 2->103 11 VSSADMIN.EXE.exe 22 2->11         started        signatures3 process4 file5 65 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->65 dropped 67 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 11->67 dropped 69 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 11->69 dropped 71 16 other malicious files 11->71 dropped 121 Very long command line found 11->121 123 May check the online IP address of the machine 11->123 125 Drops PE files with a suspicious file extension 11->125 127 5 other signatures 11->127 15 VSSADMIN.EXE.exe 1 54 11->15         started        signatures6 process7 dnsIp8 77 discord.com 162.159.138.232, 443, 49718 CLOUDFLARENETUS United States 15->77 79 ip-api.com 208.95.112.1, 49715, 49717, 80 TUT-ASUS United States 15->79 81 blank-2md3e.in 15->81 55 C:\ProgramData\Microsoft\Windows\...\???.scr, PE32+ 15->55 dropped 57 C:\Windows\System32\drivers\etc\hosts, ASCII 15->57 dropped 59 C:\Users\user\AppData\...\WUTJSCBCFX.png, ASCII 15->59 dropped 61 2 other malicious files 15->61 dropped 85 Very long command line found 15->85 87 Found many strings related to Crypto-Wallets (likely being stolen) 15->87 89 Tries to harvest and steal browser information (history, passwords, etc) 15->89 91 5 other signatures 15->91 20 cmd.exe 1 15->20         started        23 cmd.exe 15->23         started        25 cmd.exe 1 15->25         started        27 21 other processes 15->27 file9 signatures10 process11 signatures12 105 Suspicious powershell command line found 20->105 107 Very long command line found 20->107 109 Uses cmd line tools excessively to alter registry or file data 20->109 111 Bypasses PowerShell execution policy 20->111 43 2 other processes 20->43 113 Encrypted powershell cmdline option found 23->113 29 powershell.exe 23->29         started        32 conhost.exe 23->32         started        115 Modifies Windows Defender protection settings 25->115 117 Removes signatures from Windows Defender 25->117 34 powershell.exe 19 25->34         started        45 2 other processes 25->45 119 Adds a directory exclusion to Windows Defender 27->119 37 WMIC.exe 1 27->37         started        39 WMIC.exe 27->39         started        41 WMIC.exe 27->41         started        47 39 other processes 27->47 process13 dnsIp14 73 C:\Users\user\AppData\...\ozweafg0.cmdline, Unicode 29->73 dropped 50 csc.exe 29->50         started        93 Potential dropper URLs found in powershell memory 34->93 95 DLL side loading technique detected 37->95 83 192.168.2.1 unknown unknown 47->83 file15 signatures16 process17 file18 63 C:\Users\user\AppData\Local\...\ozweafg0.dll, PE32 50->63 dropped 53 cvtres.exe 50->53         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa/
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 17:47:01 UTC
File Type:
PE+ (Exe)
Extracted files:
384
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxozpem6xszenlou7spjwia33vt5uuimph4nrhfu5xd7x5sild5a._file
Verdict:
unknown
Similar samples:
1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85
BlankGrabber
1fb54bb9a1eb4301ba6a4308cb7a6a39fb92408d69a6cbe4edbad0b574e0c9a1
BlankGrabber
27f599038343d5433f51dcff77ecf7f72256b21829e96b9ce71a7241466f0a7e
BlankGrabber
60ee0d0e9f0799545b6d1739f6554a1591bf62c6efaee94f48fea42e7d4e4f1f
BlankGrabber
7efdd86bde8ebe7882d0de3f1a06444be741b9e7b748c2b1a6a2193d97bf431a
BlankGrabber
9d0fbad002a0d52d8a7725ec88a93d3b2a85d7c919b5ab751085532436181edc
BlankGrabber
a5175e7e515488e850d4249639688ba5f937b6c87c1bd4d316e981c6e33a4133
BlankGrabber
c37494daa1a9c3b20e3f19414e25907b598b45be7ae5486d144b28a98ade3aa3
BlankGrabber
d4139f98ba668f982b8004ee094718a2e0451a4616b01f977ff883c6191c19f2
BlankGrabber
+ 386 additional samples on MalwareBazaar
Result
Malware family:
blankgrabber
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber upx
Link:
https://tria.ge/reports/230915-y1j46shh34/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa
MD5 hash:
b8e16b93be678043ec587ec1c759c2de
SHA1 hash:
a8c98ba05ac710a92c4df15956f81cf81073746f
Link:
https://www.unpac.me/results/344cd309-3559-4548-81f6-58f404517113/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_KB_CERT_00bfb15001bbf592d4962a7797ea736fa3
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked, fake or invalid certificate
Reference:https://capesandbox.com/analysis/444899/
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448932/

Comments