Threat name:
Blank Grabber, SilentXMRMiner, Xmrig
Alert
Classification:
rans.troj.adwa.spyw.expl.evad.mine
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Blank Grabber
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID:
1561956
Sample:
main.exe
Startdate:
24/11/2024
Architecture:
WINDOWS
Score:
100
Behavior graph, rendered as a process list. Graph node numbers are given in brackets; each process is listed with its network contacts, dropped files, matched signatures and the processes it started.

Sample [2]: main.exe
  Network: monerooceans.stream; ip-api.com; 2 other IPs or domains
  Signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 18 other signatures
  Started: main.exe [13]; services64.exe [16]

main.exe [13]
  Dropped: C:\Users\user\AppData\Local\Temp\sxmr.exe, PE32+; C:\Users\user\AppData\Local\Temp\Built.exe, PE32+
  Started: Built.exe [19]; sxmr.exe [23]

services64.exe [16]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started: conhost.exe [25]

Built.exe [19]
  Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe, PE32+; C:\Users\user\AppData\Local\...\rarreg.key, ASCII; C:\Users\user\AppData\...\unicodedata.pyd, PE32+; 16 other files (none is malicious)
  Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords; Removes signatures from Windows Defender
  Started: Built.exe [27]

sxmr.exe [23]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started: conhost.exe [31]

conhost.exe [25]
  Started: sihost64.exe [34]; cmd.exe [36]; cmd.exe [38]

Built.exe [27]
  Network: ip-api.com (208.95.112.1, 49743, 80; TUT-ASUS; United States); discord.com (162.159.135.232, 443, 49744; CLOUDFLARENETUS; United States)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 5 other signatures
  Started: cmd.exe [40]; cmd.exe [43]; 30 other processes [53]

conhost.exe [31]
  Dropped: C:\Users\user\AppData\...\services64.exe, PE32+
  Signatures: Adds a directory exclusion to Windows Defender
  Started: cmd.exe [45]; cmd.exe [47]; cmd.exe [49]

sihost64.exe [34]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Found direct / indirect Syscall (likely to bypass EDR)
  Started: conhost.exe [51]

cmd.exe [36]
  Started: 3 other processes [55]

cmd.exe [38]
  Started: 2 other processes [57]

cmd.exe [40]
  Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
  Started: 3 other processes [70]

cmd.exe [43]
  Signatures: Adds a directory exclusion to Windows Defender
  Started: 2 other processes [72]

cmd.exe [45]
  Started: services64.exe [59]; conhost.exe [62]

cmd.exe [47]
  Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; 3 other signatures
  Started: 3 other processes [74]

cmd.exe [49]
  Started: schtasks.exe [64]; conhost.exe [66]

30 other processes [53]
  Signatures: Tries to harvest and steal WLAN passwords
  Started: getmac.exe [68]; 58 other processes [76]

services64.exe [59]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started: conhost.exe [79]

schtasks.exe [64]
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI

58 other processes [76]
  Dropped: C:\Users\user\AppData\...\shcaicw5.cmdline, Unicode; C:\Users\user\AppData\Local\Temp\A82cZ.zip, RAR
  Signatures: Loading BitLocker PowerShell Module
  Started: csc.exe [83]; conhost.exe [85]

conhost.exe [79]
  Dropped: C:\Users\user\AppData\...\sihost64.exe, PE32+; C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+
  Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
  Started: sihost64.exe [87]; cmd.exe [90]; explorer.exe [92]

csc.exe [83]
  Dropped: C:\Users\user\AppData\Local\...\shcaicw5.dll, PE32
  Started: cvtres.exe [95]

sihost64.exe [87]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started: conhost.exe [97]

cmd.exe [90]
  Signatures: Adds a directory exclusion to Windows Defender
  Started: powershell.exe [99]; conhost.exe [102]; powershell.exe [104]

explorer.exe [92]
  Network: monerooceans.stream (149.102.143.109, 10128, 49740; COGENT-174US; United States), flagged with the signature "Detected Stratum mining protocol"
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)

powershell.exe [99]
  Signatures: Loading BitLocker PowerShell Module