MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85
SHA3-384 hash: 97173b10db22c5ceba0fa3a51d91d552239e3c41057a74e0b59b013400d44af7a67ea6e546d1ac528f661e6d25bdae94
SHA1 hash: 1d4e9780b0b5f4a74176bff38ee80815c9eceec1
MD5 hash: 092b7f1a2b67de290da755f676763279
humanhash: may-virginia-low-quebec
File name:2k23ballinhoop.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:7'346'934 bytes
First seen:2023-07-18 05:34:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:mQ7iQsGbT/9bvLz3S1bA329OqtFM+ehUNiYrvV6/:4GbTlj3S1bO29OqtFHehUNlbc/
Threatray 15 similar samples on MalwareBazaar
TLSH T1DA76336966C249E8D577823EC6D24A0ACEF074175714DD8B03B466FA2F13BC48DBB722
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Reverse
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2k23ballinhoop.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-18 05:37:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e62e491-323b-4b3a-931c-92534bc6c6db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423205/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a window
Launching a process
Reading critical registry keys
Searching for synchronization primitives
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control expand greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/64b62488f52c3e1a0149e67e/reports/e30676d0-b6ed-48d4-9e59-0d53c923df90/overview
Verdict:
Malicious
Labled as:
Packed.PyInstaller
Link:
https://www.hybrid-analysis.com/sample/1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7806ab40-3784-4ec4-80e4-a0857b1fd549
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274847
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
DLL side loading technique detected
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274847 Sample: 2k23ballinhoop.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 89 Found malware configuration 2->89 91 Antivirus / Scanner detection for submitted sample 2->91 93 Sigma detected: Capture Wi-Fi password 2->93 95 5 other signatures 2->95 10 2k23ballinhoop.exe 22 2->10         started        process3 file4 55 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 10->55 dropped 57 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->57 dropped 59 C:\Users\user\...\tinyaes.cp311-win_amd64.pyd, PE32+ 10->59 dropped 61 16 other files (none is malicious) 10->61 dropped 107 Very long command line found 10->107 109 May check the online IP address of the machine 10->109 111 Adds a directory exclusion to Windows Defender 10->111 113 Tries to harvest and steal WLAN passwords 10->113 14 2k23ballinhoop.exe 1 62 10->14         started        signatures5 process6 dnsIp7 73 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 14->73 75 discord.com 162.159.137.232, 443, 49703 CLOUDFLARENETUS United States 14->75 65 C:\Windows\System32\drivers\etc\hosts, ASCII 14->65 dropped 67 C:\Users\user\AppData\...\QCOILOQIKC.jpg, ASCII 14->67 dropped 69 C:\Users\user\AppData\...behaviorgraphIGIYTFFYT.jpg, ASCII 14->69 dropped 71 C:\Users\user\AppData\...IVQSAOTAQ.pdf, ASCII 14->71 dropped 77 Very long command line found 14->77 79 Tries to harvest and steal browser information (history, passwords, etc) 14->79 81 Modifies the hosts file 14->81 83 3 other signatures 14->83 19 cmd.exe 1 14->19         started        22 cmd.exe 14->22         started        24 cmd.exe 1 14->24         started        26 26 other processes 14->26 file8 signatures9 process10 signatures11 97 Very long command line found 19->97 99 Uses cmd line tools excessively to alter registry or file data 19->99 101 Encrypted powershell cmdline option found 19->101 105 3 other signatures 19->105 44 2 other processes 19->44 28 powershell.exe 22->28         started        31 conhost.exe 22->31         started        33 WMIC.exe 24->33         started        36 conhost.exe 24->36         started        103 Tries to harvest and steal WLAN passwords 26->103 38 systeminfo.exe 26->38         started        40 WMIC.exe 26->40         started        42 WMIC.exe 26->42         started        46 49 other processes 26->46 process12 file13 63 C:\Users\user\AppData\...\0wu5huhm.cmdline, Unicode 28->63 dropped 48 csc.exe 28->48         started        85 DLL side loading technique detected 33->85 87 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->87 signatures14 process15 file16 53 C:\Users\user\AppData\Local\...\0wu5huhm.dll, PE32 48->53 dropped 51 cvtres.exe 48->51         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 18:38:07 UTC
File Type:
PE+ (Exe)
Extracted files:
244
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtggiebcwpuvwtvkgm47rwmax4nwa3fi2t2stsmprv6soysrlocq._file
Verdict:
malicious
Similar samples:
271724c5ff157be6c9c596f8728894a3de24a6cbbf23b89afec313f4e6212bf8
BlankGrabber
369fce162239045403c87f8c83445d9d300fe2d8656899cb079ce4acca77a99a
BlankGrabber
4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4
BlankGrabber
46ecfef99cca7791e1774532f6cce55d14ff8ead55370c766f8778cf698eef2e
BlankGrabber
56a37956c5f0145b13a41b2e51015385493ed53e1ce31bf090cda90f04b86b6f
BlankGrabber
7f6df82011dde29aec801f3b76a787f2774ee8586b0df091f00c68ac488dc6a7
BlankGrabber
883ef3b2aef3a255ef8610a1cf6810397fb7d35a5b3e5585cb3f283b062ce616
BlankGrabber
a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae
BlankGrabber
aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
BlankGrabber
c6eff3d235c6b6674c16168b1752d95939b1322953ccc409b74eef6fbf3c1820
BlankGrabber
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/230718-f91t6sgd93/
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Gathers system information
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Drops file in Drivers directory
Unpacked files
SH256 hash:
1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85
MD5 hash:
092b7f1a2b67de290da755f676763279
SHA1 hash:
1d4e9780b0b5f4a74176bff38ee80815c9eceec1
Link:
https://www.unpac.me/results/3aa53db1-c56b-4943-983c-132adf44079d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlankGrabber

Executable exe 1ccc641022b3e95b4eaa3339f8d980bf1b606ca8d4f529c98f8d7d2762515b85

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/423205/

Comments