MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5694e27ceb0213e0bd1ffceef596fb2e7bb2e8a7636f057080b60a8ce61b5f0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 15



SHA256 hash: 5694e27ceb0213e0bd1ffceef596fb2e7bb2e8a7636f057080b60a8ce61b5f0f
SHA3-384 hash: 7915f82b43bdc9f11530ba4a60cd719cf99b39f34745b2e5dddd563473f6fd7bed9f2efdc5f130f96293848f20ab9d72
SHA1 hash: 081254bdf361951c728ec2c9d299e877db953cb1
MD5 hash: d2ff3e2da68a6344a8d425d3b2f07cf2
humanhash: fish-apart-zulu-butter
File name: Crypter.exe
Signature: BlankGrabber
File size: 8'401'408 bytes
First seen: 2025-11-04 18:19:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (76 x DCRat, 23 x njrat, 18 x SalatStealer)
ssdeep: 196608:lV1z7iHLwrEB6ylnlPzf+JiJCsmFMveHn62qnjZ:F7bwBRlnlPSa7mmveHKnjZ
TLSH: T1018633816620C5DAE0B2833DB402D9F2A271BD25A3D4D69772FCBE173F232915D7A781
TrID: 38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      28.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 003068d4c4603000 (1 x BlankGrabber)
Reporter: burger
Tags: BlankGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 106
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Crypter.exe
Verdict: Malicious activity
Analysis date: 2025-11-04 18:18:23 UTC
Tags: uac anti-evasion python stealer screenshot telegram blankgrabber evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a service
Creating a process from a recently created file
Creating a file
Creating a window
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a process
Launching the process to change network settings
Enabling the 'hidden' option for files in the %temp% directory
Loading a suspicious library
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Stealing user critical data
Adding an exclusion to Microsoft Defender
Gathering data
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-04T12:38:00Z UTC
Last seen: 2025-11-04T15:33:00Z UTC
Hits: ~10
Detections: Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Agent.sb Trojan-Spy.Win32.Agent.dffz Trojan-PSW.Python.Blank.sb Trojan-Dropper.Win32.Agent.gen HEUR:Trojan-PSW.Python.Blank.gen HEUR:Trojan.Python.Agent.gen Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Dizemp.sb Trojan.Win32.Agent.sba Trojan.Python.Agent.gen PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Delfea.sb Trojan-Dropper.Win32.Delf.eimp
Result
Threat name: Blank Grabber
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Self deletion via cmd or bat file
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Uses WMIC command to query system information (often done to detect virtual machines)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Telegram RAT
Behaviour
Behavior Graph: ID 1808004, Sample: Crypter.exe, Startdate: 04/11/2025, Architecture: WINDOWS, Score: 100. The rendered graph is not reproduced here; its nodes show the contacted hosts api.telegram.org and ip-api.com, the dropped Crypter.exe, CrypterBetaTest.py and rar.exe files, and the cmd.exe, powershell.exe, WMIC.exe, getmac.exe and csc.exe child processes, each annotated with the signatures listed above.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Barys
Status: Malicious
First seen: 2025-11-04 18:19:14 UTC
File Type: PE (Exe)
Extracted files: 590
AV detection: 22 of 23 (95.65%)
Threat level: 5/5
Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber discovery stealer
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
System Location Discovery: System Language Discovery
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
blankgrabber
Verdict: Malicious
Tags: Win.Trojan.Injector-6297685-1
YARA: n/a
Unpacked files
SHA256 5694e27ceb0213e0bd1ffceef596fb2e7bb2e8a7636f057080b60a8ce61b5f0f, MD5 d2ff3e2da68a6344a8d425d3b2f07cf2, SHA1 081254bdf361951c728ec2c9d299e877db953cb1
SHA256 6458fa2b852f15aa7b6ba4606fe53c8ff709d786d7d2ef6299e4560a3fb1fc0c, MD5 06788cb8689018e8b82ab5c328392ec8, SHA1 2784ec4f1f0955a2ab870f6d100d0bae15001f63
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644, MD5 870fea4e961e2fbd00110d3783e529be, SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
Malware family: BlankGrabber
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_decoding
Author: iam-py-test
Description: Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name: upx_largefile
Author: k3nr9
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments