MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71
SHA3-384 hash: 4723b334b09c45bbf2b3b6d7f1294cfb21136b9a6e400a788bf812c1b64b015f7e0fbc758c9f158fb5fc6d861da00717
SHA1 hash: 356e64703c152dfd458bbedecd32d23301e0e7ed
MD5 hash: 3650491e049463513f7d36d0a1f450ae
humanhash: five-ack-gee-mango
File name:cherax.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:17'961'984 bytes
First seen:2024-07-06 03:12:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ac23c52e7647c5bbea38e98bb68c652 (10 x BlankGrabber, 4 x PythonStealer, 3 x CobaltStrike)
ssdeep 393216:pYSj0YePHCv0AW8mb+OshouIkPftRL54lR:pYSj0b/KFFmXwouTtRL
TLSH T1A4073335E3B44DEEF9919A3AC5958A40D7327A061BB0E0DB079443A24F17ACD0D3BB5B
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 782cc69aac6a6c3d (1 x BlankGrabber)
Reporter Anonymous
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
388
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71.exe
Verdict:
Malicious activity
Analysis date:
2024-07-06 03:14:28 UTC
Tags:
uac blankgrabber susp-powershell discordgrabber generic stealer growtopia umbralstealer evasion telegram phishing upx python
Link:
https://app.any.run/tasks/0125f6d0-7db2-4476-b24e-890a44eb9265

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Python.Muldrop.20.24206.409.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6688b7773b2ddaaafa496c25win7simulatehigh_evasion
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Creating a process from a recently created file
Launching a process
Launching the process to change network settings
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/6688b63e0bf5978c0b154d7c/reports/bdf9b83f-ed27-4e7a-8ae0-3cfa61a3fb0d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/955fbf04-b984-43e2-8e23-f6ef9178ce66
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1468472
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies Windows Defender protection settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Sigma detected: Capture Wi-Fi password
Sigma detected: Disable power options
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Stop EventLog
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1468472 Sample: cherax.exe Startdate: 06/07/2024 Architecture: WINDOWS Score: 100 120 api.telegram.org 2->120 122 ip-api.com 2->122 136 Sigma detected: Capture Wi-Fi password 2->136 138 Yara detected Blank Grabber 2->138 140 Yara detected Telegram RAT 2->140 144 10 other signatures 2->144 11 cherax.exe 23 2->11         started        15 updater.exe 2->15         started        signatures3 142 Uses the Telegram API (likely for C&C communication) 120->142 process4 file5 106 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 11->106 dropped 108 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->108 dropped 110 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 11->110 dropped 114 16 other files (none is malicious) 11->114 dropped 162 Very long command line found 11->162 164 Modifies Windows Defender protection settings 11->164 166 Adds a directory exclusion to Windows Defender 11->166 174 3 other signatures 11->174 17 cherax.exe 91 11->17         started        112 C:\Windows\Temp\crszzlpvtski.sys, PE32+ 15->112 dropped 168 Injects code into the Windows Explorer (explorer.exe) 15->168 170 Modifies the context of a thread in another process (thread injection) 15->170 172 Sample is not signed and drops a device driver 15->172 21 powershell.exe 15->21         started        23 cmd.exe 15->23         started        25 sc.exe 15->25         started        signatures6 process7 dnsIp8 116 api.telegram.org 149.154.167.220, 443, 49740 TELEGRAMRU United Kingdom 17->116 118 ip-api.com 208.95.112.1, 49739, 80 TUT-ASUS United States 17->118 126 Very long command line found 17->126 128 Found many strings related to Crypto-Wallets (likely being stolen) 17->128 130 Tries to harvest and steal browser information (history, passwords, etc) 17->130 134 7 other signatures 17->134 27 cmd.exe 1 17->27         started        30 cmd.exe 17->30         started        32 cmd.exe 17->32         started        42 24 other processes 17->42 132 Loading BitLocker PowerShell Module 21->132 34 conhost.exe 21->34         started        36 conhost.exe 23->36         started        38 wusa.exe 23->38         started        40 conhost.exe 25->40         started        signatures9 process10 signatures11 146 Suspicious powershell command line found 27->146 148 Very long command line found 27->148 150 Uses cmd line tools excessively to alter registry or file data 27->150 160 2 other signatures 27->160 44 powershell.exe 23 27->44         started        47 conhost.exe 27->47         started        49 bound.exe 30->49         started        52 conhost.exe 30->52         started        152 Encrypted powershell cmdline option found 32->152 60 2 other processes 32->60 154 Modifies Windows Defender protection settings 42->154 156 Adds a directory exclusion to Windows Defender 42->156 158 Tries to harvest and steal WLAN passwords 42->158 54 getmac.exe 42->54         started        56 powershell.exe 23 42->56         started        58 powershell.exe 42->58         started        62 45 other processes 42->62 process12 file13 100 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 49->100 dropped 176 Uses powercfg.exe to modify the power settings 49->176 178 Adds a directory exclusion to Windows Defender 49->178 180 Modifies power options to not sleep / hibernate 49->180 64 powershell.exe 49->64         started        67 cmd.exe 49->67         started        69 sc.exe 49->69         started        80 12 other processes 49->80 182 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 54->182 184 Writes or reads registry keys via WMI 54->184 186 Loading BitLocker PowerShell Module 56->186 102 C:\Users\user\AppData\...\ra5igykm.cmdline, Unicode 60->102 dropped 71 csc.exe 60->71         started        74 conhost.exe 62->74         started        76 conhost.exe 62->76         started        78 conhost.exe 62->78         started        signatures14 process15 file16 124 Loading BitLocker PowerShell Module 64->124 82 conhost.exe 64->82         started        84 conhost.exe 67->84         started        86 wusa.exe 67->86         started        88 conhost.exe 69->88         started        104 C:\Users\user\AppData\Local\...\ra5igykm.dll, PE32 71->104 dropped 90 cvtres.exe 71->90         started        92 conhost.exe 80->92         started        94 conhost.exe 80->94         started        96 conhost.exe 80->96         started        98 5 other processes 80->98 signatures17 process18
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-07-06 03:13:15 UTC
File Type:
PE+ (Exe)
Extracted files:
6
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hngnfxield2jpvnjgnjhklp3xy5gq77zltugmvd44owhrkr6fryq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber family:xmrig evasion execution miner persistence privilege_escalation spyware stealer upx
Link:
https://tria.ge/reports/240706-dqq5hstgrk/
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Gathers system information
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Power Settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
XMRig Miner payload
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6c814100-ec81-460b-a01d-b71ec2e3e2e5
Unpacked files
SH256 hash:
3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71
MD5 hash:
3650491e049463513f7d36d0a1f450ae
SHA1 hash:
356e64703c152dfd458bbedecd32d23301e0e7ed
Link:
https://www.unpac.me/results/ad186dcf-30ed-42ea-8672-171967aa5987/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b4cd2dd0458f497d5a93352752dfbbe3a687ff95ce866547ce3ac78aa3e2c71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller_Packed_April_2024
Create hunting rule
Author:NDA0N
Description:Detects files packed with PyInstaller

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments