MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32974029d6fbfec03976f7bf9f2772adaf2a605ba55374a94c0486701b44b342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 11



SHA256 hash: 32974029d6fbfec03976f7bf9f2772adaf2a605ba55374a94c0486701b44b342
SHA3-384 hash: 5cc40383c816be5678f3191b0341a829c11ee5f27d1e10b78afd4032515a4c527423882cfc17c3e642b0badfa83fd3e3
SHA1 hash: d7d1eff99524c1329bb2fe30d3c5fb68083bf2d2
MD5 hash: 25c9646884948e295c48b44b5f6b36e3
humanhash: three-hydrogen-muppet-bacon
File name: hacn.exe
Download: download sample
Signature: BlankGrabber
File size: 16'671'647 bytes
First seen: 2025-02-08 20:06:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 72c4e339b7af8ab1ed2eb3821c98713a (48 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep: 393216:kMk90FH7ZZGOymcwO1jfsaysN1Z/7be3RHdwbAlbv8Bmd:kM+Qbqycwnju1Z/7be3UbOLd
TLSH: T12AF6335E03C020E8E639A63DC8529415E5B1B4B213F5E7CE43F4B7A69B73FA26660743
TrID:
  70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.5% (.ICL) Windows Icons Library (generic) (2059/9)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
File icon (PE): PE icon
dhash icon: 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter: aachum
Tags: BlankGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 470
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-12-08 20:16:25 UTC
Tags: blankgrabber stealer python sfx dropper screenshot discord evasion telegram pyinstaller susp-powershell discordgrabber generic growtopia ims-api upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: installer asyncrat virus sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process from a recently created file
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a process
Launching the process to change network settings
Stealing user critical data
Adding an exclusion to Microsoft Defender
Result
Verdict: UNKNOWN

Result
Threat name: Blank Grabber
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Telegram RAT
Behaviour
Behavior Graph: ID 1610240, sample hacn.exe, start date 08/02/2025, architecture WINDOWS, score 100 (the rendered process graph, listing the dropped PyInstaller/Python runtime files, the cmd.exe/powershell.exe/csc.exe child processes, and the contacted hosts api.telegram.org and ip-api.com, is not reproduced here)
Threat name: Win64.Dropper.Dapato
Status: Malicious
First seen: 2024-12-03 19:18:38 UTC
File Type: PE+ (Exe)
Extracted files: 990
AV detection: 27 of 38 (71.05%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer upx
Behaviour
Detects videocard installed
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Emotet
Author: kevoreilly
Description: Emotet Payload

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BlankGrabber
File type: Executable exe
SHA256: 32974029d6fbfec03976f7bf9f2772adaf2a605ba55374a94c0486701b44b342 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (FORCE_INTEGRITY) (severity: high)

Reviews

AUTH_API (Manipulates User Authorization):
  ADVAPI32.dll::ConvertSidToStringSidW
  ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API (Uses Security Base API):
  ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.dll::CreateProcessW
  ADVAPI32.dll::OpenProcessToken
  KERNEL32.dll::CloseHandle
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetDriveTypeW
  KERNEL32.dll::GetStartupInfoW
  KERNEL32.dll::GetCommandLineW
  KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::ReadConsoleW
  KERNEL32.dll::SetConsoleCtrlHandler
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::FindFirstFileW
  KERNEL32.dll::RemoveDirectoryW
  KERNEL32.dll::SetDllDirectoryW
WIN_USER_API (Performs GUI Actions):
  USER32.dll::PeekMessageW
  USER32.dll::CreateWindowExW

Comments