MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 13


Intelligence 13 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
SHA3-384 hash: 63afaec377aa499bcb2a4bbf2410dbfae2f16413b9b4c4b5c44707710f2d6ad15287c8b5da0b08b94838ac6050d6d9a3
SHA1 hash: 08cdc5d4d0628c619897bf465f279f7d30d42b9f
MD5 hash: 2f3b5b60129dc43350bc54e67d59a4ac
humanhash: coffee-massachusetts-shade-july
File name:iostream.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:11'955'200 bytes
First seen:2024-01-30 15:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 196608:+XeSEzpCQdLjv+bhqNVoB8Ck5c7GpNlpq41J2mrl0bk9qtlDfJpNZYXz:q4PL+9qz88Ck+7q3p91JNRqfg
Threatray 421 similar samples on MalwareBazaar
TLSH T1DEC6F11437F84E27E1BBE27795B0441667F1FC1AB363E74B219167BA1C53B809802BA7
TrID 33.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
26.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
14.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter smica83
Tags:BlankGrabber exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473609/
Detection(s):
Sanesecurity.Malware.28946.BadP.UNOFFICIAL
Create hunting rule

Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Msilheracles-9900242-0
Create hunting rule

Win.Malware.Tedy-9965181-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule

Win.Packed.Downeks-6898097-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm certreq cmd expand explorer fingerprint hacktool hook infostealer keylogger lolbin lolbin netsh packed packed quasarrat rat remote schtasks schtasks shell32 stealer stealer
Link:
https://www.filescan.io/uploads/65b91280bc91f83c80724f29/reports/ddc85847-7965-49bf-9d71-61197c1e3e13/overview
Verdict:
Malicious
Labled as:
Mal/Vbinder
Link:
https://www.hybrid-analysis.com/sample/268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
Result
Verdict:
MALICIOUS
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f09ffa29-44d3-451f-97ec-4bd28bc4cf9f
Result
Threat name:
Binder HackTool, Blank Grabber, Dicrord
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383391
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to disable the Task Manager (.Net Source)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes or reads registry keys via WMI
Yara detected Binder HackTool
Yara detected Blank Grabber
Yara detected Dicrord Rat
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383391 Sample: iostream.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 97 discord.com 2->97 99 ip-api.com 2->99 101 gateway.discord.gg 2->101 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Antivirus detection for URL or domain 2->115 117 21 other signatures 2->117 12 iostream.exe 4 2->12         started        16 Shadow.exe 2->16         started        signatures3 process4 file5 91 C:\Users\user\AppData\Local\Temp\P1.EXE, PE32 12->91 dropped 93 C:\Users\user\AppData\Local\Temp\DIS.EXE, PE32+ 12->93 dropped 95 C:\Users\user\AppData\Local\Temp\BUILT.EXE, PE32+ 12->95 dropped 171 Found many strings related to Crypto-Wallets (likely being stolen) 12->171 18 BUILT.EXE 61 12->18         started        22 P1.EXE 5 12->22         started        24 DIS.EXE 14 2 12->24         started        signatures6 process7 dnsIp8 77 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 18->77 dropped 79 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 18->79 dropped 81 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 18->81 dropped 85 55 other malicious files 18->85 dropped 119 Multi AV Scanner detection for dropped file 18->119 121 Very long command line found 18->121 123 Machine Learning detection for dropped file 18->123 133 4 other signatures 18->133 27 BUILT.EXE 1 108 18->27         started        83 C:\Windows\System32\SubDir\Shadow.exe, PE32 22->83 dropped 125 Antivirus detection for dropped file 22->125 127 Drops executables to the windows directory (C:\Windows) and starts them 22->127 129 Uses schtasks.exe or at.exe to add and modify task schedules 22->129 131 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->131 31 Shadow.exe 22->31         started        33 schtasks.exe 1 22->33         started        103 gateway.discord.gg 162.159.135.234, 443, 49700 CLOUDFLARENETUS United States 24->103 35 WerFault.exe 19 16 24->35         started        file9 signatures10 process11 dnsIp12 105 discord.com 162.159.128.233, 443, 49723 CLOUDFLARENETUS United States 27->105 107 ip-api.com 208.95.112.1, 49722, 80 TUT-ASUS United States 27->107 157 Very long command line found 27->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 27->159 161 Tries to harvest and steal browser information (history, passwords, etc) 27->161 169 6 other signatures 27->169 37 cmd.exe 27->37         started        40 cmd.exe 27->40         started        42 cmd.exe 27->42         started        48 21 other processes 27->48 109 96.42.209.236, 1111 CHARTER-20115US United States 31->109 163 Multi AV Scanner detection for dropped file 31->163 165 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->165 167 Installs a global keyboard hook 31->167 44 schtasks.exe 31->44         started        46 conhost.exe 33->46         started        signatures13 process14 signatures15 141 Suspicious powershell command line found 37->141 143 Very long command line found 37->143 145 Uses cmd line tools excessively to alter registry or file data 37->145 155 2 other signatures 37->155 66 2 other processes 37->66 147 Encrypted powershell cmdline option found 40->147 50 powershell.exe 40->50         started        54 conhost.exe 40->54         started        149 Modifies Windows Defender protection settings 42->149 56 powershell.exe 42->56         started        58 conhost.exe 42->58         started        60 conhost.exe 44->60         started        151 Adds a directory exclusion to Windows Defender 48->151 153 Tries to harvest and steal WLAN passwords 48->153 62 getmac.exe 48->62         started        64 systeminfo.exe 48->64         started        68 40 other processes 48->68 process16 file17 87 C:\Users\user\AppData\...\5gzuqdzc.cmdline, Unicode 50->87 dropped 135 Potential dropper URLs found in powershell memory 50->135 70 csc.exe 50->70         started        137 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 62->137 139 Writes or reads registry keys via WMI 62->139 73 Conhost.exe 68->73         started        signatures18 process19 file20 89 C:\Users\user\AppData\Local\...\5gzuqdzc.dll, PE32 70->89 dropped 75 cvtres.exe 70->75         started        process21
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0/
Threat name:
Win32.Ransomware.DarkyLock
Create hunting rule
Status:
Malicious
First seen:
2024-01-30 15:15:08 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2etjt42yq3rvvhiv7oh4nkmzyuh5hzm4am56b4xzq2uworo7sqa._file
Verdict:
malicious
Similar samples:
02f0a7f184fcdaaa4d9a46ca29712c8daae0a46d2038bd362dc818025df8d553
BlankGrabber
1fea532c75a33209f094f835261b4f579613a7b2ece7f046a11309d34537f8d5
BlankGrabber
55ee6d07a394ce9e4f48bf5c3bb2a56a6321d6b2c664bf17683e75196db3a9e5
BlankGrabber
5abb3690139201632ca77d335dc003268eaf58f2fa0736fb187d843e597a2c9b
BlankGrabber
73cccea9d49d5ce21d970cae4a15f1b91cf60958b14bf073fe74a001320b9792
BlankGrabber
+ 411 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber family:discordrat family:quasar botnet:r3 persistence rat rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/240130-smw9paadar/
Behaviour
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Drops file in Drivers directory
Discord RAT
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
96.42.209.236:1111
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Diff_QuasarRAT_01
Create hunting rule
Author:schmidtsz
Description:Identify QuasarRAT samples
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Discord_APIs
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MALWARE_Win_CelestyBinderLoader
Create hunting rule
Author:ditekSHen
Description:Detects Celesty Binder loader
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/473609/

Comments