MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 14


Intelligence 14 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
SHA3-384 hash: 460286824210ebd2dbadfec81e811b0305f81d32de3f6baafca1ff449960dc7f52f6050e2807f03905f14379f802025d
SHA1 hash: ce40934e8be5b9538b39e29a071df219ea259d21
MD5 hash: 338a02ff68c87c2e7d097b380656d773
humanhash: missouri-high-cup-nebraska
File name:338A02FF68C87C2E7D097B380656D773.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:68'157'440 bytes
First seen:2024-05-23 03:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 393216:9Om3Gy/7I4ro5jnVT5Xjbu8Y1l1zbg8i:om57IYis8m1b
TLSH T19EE733D100F9FD45DCC26AB95AAAEB684C694F1FC3DB8F01C04AE3C3D12E425653A57A
TrID 35.7% (.EXE) Win32 Executable (generic) (4504/4/1)
16.3% (.ICL) Windows Icons Library (generic) (2059/9)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:BlankGrabber exe


Avatar
abuse_ch
BlankGrabber C2:
http://mikilo39.beget.tech/L1nc0In.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed.exe
Verdict:
Malicious activity
Analysis date:
2024-05-23 03:11:06 UTC
Tags:
evasion blankgrabber stealer discord discordgrabber generic growtopia python
Link:
https://app.any.run/tasks/b183a152-ed15-4ea3-bc99-564645c84bd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664eb49b02cf134c1c7f8265win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Other Stealth Msil Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Searching for synchronization primitives
Reading critical registry keys
Launching a process
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Searching for the window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/664eb3cbfce7975594f6ae1d/reports/bc833c35-44c3-4d98-865d-4927da17aff4/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
Result
Verdict:
MALICIOUS
Result
Threat name:
Blank Grabber, DCRat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1446275
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Schedule system process
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446275 Sample: NTgo4SxmS3.exe Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 118 ip-api.com 2->118 120 discord.com 2->120 128 Found malware configuration 2->128 130 Antivirus detection for URL or domain 2->130 132 Antivirus detection for dropped file 2->132 134 18 other signatures 2->134 12 NTgo4SxmS3.exe 4 2->12         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 114 C:\Users\user\AppData\...\discord pro+.exe, PE32 12->114 dropped 116 C:\Users\user\AppData\Local\Temp\Built.exe, PE32 12->116 dropped 18 Built.exe 22 12->18         started        22 discord pro+.exe 3 12->22         started        24 conhost.exe 12->24         started        26 tasklist.exe 12->26         started        126 127.0.0.1 unknown unknown 15->126 file6 process7 file8 94 C:\Users\user\AppData\...\unicodedata.pyd, PE32 18->94 dropped 96 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->96 dropped 98 C:\Users\user\AppData\Local\...\select.pyd, PE32 18->98 dropped 102 16 other malicious files 18->102 dropped 136 Multi AV Scanner detection for dropped file 18->136 138 Very long command line found 18->138 140 Modifies Windows Defender protection settings 18->140 142 3 other signatures 18->142 28 Built.exe 1 107 18->28         started        100 C:\Users\user\AppData\Local\...\antiriser.bat, PE32 22->100 dropped 32 antiriser.bat 3 7 22->32         started        signatures9 process10 dnsIp11 122 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 28->122 124 discord.com 162.159.135.232, 443, 49719 CLOUDFLARENETUS United States 28->124 174 Very long command line found 28->174 176 Found many strings related to Crypto-Wallets (likely being stolen) 28->176 178 Tries to harvest and steal browser information (history, passwords, etc) 28->178 182 6 other signatures 28->182 35 cmd.exe 28->35         started        38 cmd.exe 28->38         started        40 cmd.exe 28->40         started        46 16 other processes 28->46 88 C:\chainwebwinref\Monitorcommon.exe, PE32 32->88 dropped 90 C:\chainwebwinref\PkXKubhHOUD.bat, ASCII 32->90 dropped 180 Multi AV Scanner detection for dropped file 32->180 42 wscript.exe 32->42         started        44 wscript.exe 32->44         started        file12 signatures13 process14 signatures15 144 Suspicious powershell command line found 35->144 146 Very long command line found 35->146 148 Encrypted powershell cmdline option found 35->148 158 3 other signatures 35->158 64 2 other processes 35->64 48 powershell.exe 38->48         started        51 conhost.exe 38->51         started        150 Modifies Windows Defender protection settings 40->150 53 powershell.exe 40->53         started        56 conhost.exe 40->56         started        152 Wscript starts Powershell (via cmd or directly) 42->152 154 Windows Scripting host queries suspicious COM object (likely to drop second stage) 42->154 58 cmd.exe 42->58         started        156 Tries to harvest and steal WLAN passwords 46->156 60 systeminfo.exe 46->60         started        62 getmac.exe 46->62         started        66 27 other processes 46->66 process16 file17 92 C:\Users\user\AppData\...\aiai0xsk.cmdline, Unicode 48->92 dropped 68 csc.exe 48->68         started        160 Loading BitLocker PowerShell Module 53->160 71 Conhost.exe 53->71         started        73 Monitorcommon.exe 58->73         started        76 conhost.exe 58->76         started        162 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 60->162 164 Writes or reads registry keys via WMI 60->164 signatures18 process19 file20 104 C:\Users\user\AppData\Local\...\aiai0xsk.dll, PE32 68->104 dropped 78 cvtres.exe 68->78         started        106 C:\chainwebwinref\WmiPrvSE.exe, PE32 73->106 dropped 108 C:\chainwebwinref\RuntimeBroker.exe, PE32 73->108 dropped 110 C:\...\AqhUaMVnPfwzAiSzNEtDvnt.exe, PE32 73->110 dropped 112 12 other malicious files 73->112 dropped 166 Multi AV Scanner detection for dropped file 73->166 168 Drops PE files to the user root directory 73->168 170 Uses schtasks.exe or at.exe to add and modify task schedules 73->170 172 3 other signatures 73->172 80 schtasks.exe 73->80         started        82 schtasks.exe 73->82         started        84 schtasks.exe 73->84         started        86 7 other processes 73->86 signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1f90346558652d404562975e6398d69e7f35ececc367f030f9d0bd817f2535ed
Gathering data
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-05-19 19:37:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6idizkymuwuarlcs5pghggwtz7tl3hmynt7amhz2c6yc7zfgxwq._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion execution infostealer rat spyware stealer trojan upx
Link:
https://tria.ge/reports/240523-dpmqpsbg5s/
Behaviour
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Gathers system information
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
DCRat payload
DcRat
Process spawned unexpected child process
UAC bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/48f2a317-6474-40bb-9f9a-06efc33cc813
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments