MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36
SHA3-384 hash: c3a57fe74fe7bc6d18e4ab8478a7ac58548d48d5013374d11be06c760275d65f683ed5e77bd8c32eaa1f76317071fc1c
SHA1 hash: 0b3103093ef1302d348ab75e44c33cc679f43093
MD5 hash: 3887ee47a4abe31bced7a3bf81bbd34a
humanhash: cola-video-arizona-vegan
File name:Built.exe
Download: download sample
File size:7'522'186 bytes
First seen:2023-02-05 01:35:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:0+pb7KX/RdKaeNWFJMIDJhgsAGKlRFK/ozu0BH:lYX5gWFqyhgsSc/+Rt
Threatray 286 similar samples on MalwareBazaar
TLSH T1A67633A0275444E0ECAB463ECC9AC819D5B8B81A1364DFEB533052772F33B595E3BB91
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Built.exe
Verdict:
Malicious activity
Analysis date:
2023-02-05 01:37:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f53ce4ee-6ac5-4c4e-b1ce-9660b754d3fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360329/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65357/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63df080589bd67c10fdc94a9/reports/b0740534-d2e1-4382-ba33-47e17091c765/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7990f544-e368-469a-b80e-e1636f4e2066
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165902
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Blank Grabber
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798673 Sample: Built.exe Startdate: 05/02/2023 Architecture: WINDOWS Score: 100 64 Sigma detected: Capture Wi-Fi password 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 2 other signatures 2->70 9 Built.exe 29 2->9         started        process3 file4 48 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 9->48 dropped 50 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->50 dropped 52 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 9->52 dropped 54 19 other malicious files 9->54 dropped 84 May check the online IP address of the machine 9->84 86 Self deletion via cmd or bat file 9->86 88 Drops PE files with a suspicious file extension 9->88 90 3 other signatures 9->90 13 Built.exe 24 9->13         started        signatures5 process6 dnsIp7 60 ip-api.com 208.95.112.1, 49700, 49701, 80 TUT-ASUS United States 13->60 62 discord.com 162.159.136.232, 443, 49702, 49703 CLOUDFLARENETUS United States 13->62 56 C:\Users\user\AppData\Local\...\getPass.exe, PE32 13->56 dropped 58 C:\ProgramData\Microsoft\...\?????.scr, PE32+ 13->58 dropped 108 Uses cmd line tools excessively to alter registry or file data 13->108 110 Self deletion via cmd or bat file 13->110 112 Tries to harvest and steal browser information (history, passwords, etc) 13->112 114 2 other signatures 13->114 18 cmd.exe 1 13->18         started        21 cmd.exe 13->21         started        23 cmd.exe 13->23         started        25 31 other processes 13->25 file8 signatures9 process10 signatures11 72 Uses ping.exe to sleep 18->72 74 Uses cmd line tools excessively to alter registry or file data 18->74 76 Uses ping.exe to check the status of other devices and networks 18->76 78 Uses netsh to modify the Windows network and firewall settings 18->78 42 2 other processes 18->42 27 getPass.exe 21->27         started        30 conhost.exe 21->30         started        32 systeminfo.exe 23->32         started        34 conhost.exe 23->34         started        80 Adds a directory exclusion to Windows Defender 25->80 82 Tries to harvest and steal WLAN passwords 25->82 36 WMIC.exe 25->36         started        38 WMIC.exe 25->38         started        40 WMIC.exe 25->40         started        44 56 other processes 25->44 process12 signatures13 92 Multi AV Scanner detection for dropped file 27->92 94 Detected unpacking (changes PE section rights) 27->94 96 Machine Learning detection for dropped file 27->96 98 Tries to harvest and steal browser information (history, passwords, etc) 27->98 100 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->100 102 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 32->102 104 DLL side loading technique detected 36->104 46 net1.exe 1 42->46         started        106 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->106 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36/
Threat name:
Win64.Infostealer.Disco
Create hunting rule
Status:
Malicious
First seen:
2023-02-05 01:36:14 UTC
File Type:
PE+ (Exe)
Extracted files:
466
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2mzzo7ceycbbf77mtooejzi2njrwrxaatkpvteg5somseiy5i3a._file
Verdict:
unknown
Similar samples:
07ae2a00c878219dff16a32de2296ee69f23c596cde7e802a8deada12d21d982
22cb2fba2dde578f61c82ed450c88c9060629fa7736bb7e27a584c97473c0883
4b09ac7c19c3f9e05fe3e0adf19aef2401378485222e8e234ef006af515e0d6c
75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e
86c91a427bf8efb1a70ff75df43e91dbbd02e895e7b2d4fb7754268fc3e80552
8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0
af0d001164ddf3bdabf5448f715e9b3efb6905e64c224fe2d4078245702519d0
c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77
d33b77def8eff87a0d3068823bdcc3ca042a1045c4797c0c4a094731663b2006
+ 276 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/230205-bz9bcafg69/
Behaviour
Enumerates processes with tasklist
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36
MD5 hash:
3887ee47a4abe31bced7a3bf81bbd34a
SHA1 hash:
0b3103093ef1302d348ab75e44c33cc679f43093
Link:
https://www.unpac.me/results/fe10c8aa-5987-4baa-adcf-4b5ce83408a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360329/

Comments