MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39c70b63f715a285b8c68c88546b49eb65f799ae3fc78c2c8f1272ac8d5c05ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 39c70b63f715a285b8c68c88546b49eb65f799ae3fc78c2c8f1272ac8d5c05ef
SHA3-384 hash: a42dc6b07f572e7292011975a1688ea03cf32899ec614a195c58f02300e2aa8387852bb99146c82797491985f6ab8f97
SHA1 hash: 7eb0380d4d295b649e1f1c4fc82c2e4dcd4325cc
MD5 hash: e71757443439452b11c05a06d684acb8
humanhash: georgia-uniform-yellow-leopard
File name:grabbot_0.1.4.3.vir
Download: download sample
Signature n/a
File size:495'616 bytes
First seen:2020-07-19 16:46:24 UTC
Last seen:2020-07-19 19:10:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 207be6eb981268330afc3e640b2f8201
ssdeep 12288:vDl1096ZHEZDZj5k8x0f4rYIUiHSamfN8m6kGb:L72OHiDZLx0wkIUaifN87
TLSH 55B41200720E861AF261A93195416BF609FC9DF3F59F621FFB89B91C0474BD960E096F
Reporter @tildedennis
Tags:grabbot


Twitter
@tildedennis
grabbot version 0.1.4.3

Intelligence


File Origin
# of uploads :
3
# of downloads :
18
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247105 Sample: grabbot_0.1.4.3.vir Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for dropped file 2->40 42 6 other signatures 2->42 10 grabbot_0.1.4.3.exe 2 2->10         started        process3 dnsIp4 34 0.1.4.3 unknown unknown 10->34 30 C:\Users\user\AppData\Roaming\...\system.pif, PE32 10->30 dropped 32 C:\Users\user\...\system.pif:Zone.Identifier, ASCII 10->32 dropped 52 Detected unpacking (changes PE section rights) 10->52 54 Detected unpacking (overwrites its own PE header) 10->54 56 Tries to detect sandboxes / dynamic malware analysis system (file name check) 10->56 58 5 other signatures 10->58 15 grabbot_0.1.4.3.exe 10->15         started        file5 signatures6 process7 signatures8 60 Injects code into the Windows Explorer (explorer.exe) 15->60 62 Writes to foreign memory regions 15->62 64 Allocates memory in foreign processes 15->64 66 Injects a PE file into a foreign processes 15->66 18 explorer.exe 3 15->18 injected 20 WerFault.exe 28 10 15->20         started        process9 process10 22 system.pif 18->22         started        signatures11 44 Tries to detect sandboxes / dynamic malware analysis system (file name check) 22->44 25 system.pif 22->25         started        process12 signatures13 46 Writes to foreign memory regions 25->46 48 Allocates memory in foreign processes 25->48 50 Injects a PE file into a foreign processes 25->50 28 WerFault.exe 10 25->28         started        process14
Threat name:
Win32.Trojan.Injector
Status:
Malicious
First seen:
2015-06-20 04:15:00 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx evasion trojan persistence discovery
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Deletes itself
UPX packed file
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments