MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 19

Intelligence 19 IOCs YARA 31 File information Comments

SHA256 hash:	5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774
SHA3-384 hash:	ee81006004bf9b5d0d809e3a23b3b6c9c7bff84df80cb71141a4e745c5ee64e42ad993ed8ba15577666500324664c37a
SHA1 hash:	2641f306f1a766f26595b837754a5f04a7852e1c
MD5 hash:	5e3da9cb266b107730f517d0f7db4954
humanhash:	freddie-single-nineteen-washington
File name:	1111.exe
Download:	download sample
Signature	BlankGrabber Create hunting rule
File size:	6'652'576 bytes
First seen:	2025-04-29 20:09:08 UTC
Last seen:	2025-06-03 18:06:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (486 x NirCmd, 393 x DCRat, 52 x RedLineStealer)
ssdeep	196608:TmPbXblfzTugTiVCAfmRc7oYXneo4Z0Hkfw/in:4fzTugTKfocxeo4SkfwKn
Threatray	2'267 similar samples on MalwareBazaar
TLSH	T11366121665E25E3BC2A05B715497013D92E5DB323E61EF4B365F10E6AA037F0CB321AB
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10522/11/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	9494b494d4aeaeac (904 x DCRat, 486 x NirCmd, 172 x RedLineStealer)
Reporter	skocherhan
Tags:	BlankGrabber exe github-penivai3sdfs1

skocherhan

https://github.com/penivai3sdfs1/1/raw/refs/heads/main/1111.exe

Intelligence

File Origin

# of uploads :

# of downloads :

587

Origin country :

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

https://raw.githubusercontent.com/penivai3sdfs1/1/refs/heads/main/24321.exe

Verdict:

Malicious activity

Analysis date:

2025-04-28 20:52:38 UTC

Tags:

github evasion stealer dcrat rat remote darkcrystal umbralstealer discord exfiltration zerotrace xor-url generic arch-doc winring0x64-sys vuln-driver xworm gotfucked

Link:

https://app.any.run/tasks/62b6d165-9333-4bd4-88e2-b592fe683287

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

UmbralStealer

Link:

https://www.capesandbox.com/analysis/5052/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681135e5c8b2e86d0ac4add8

Tags:

vmdetect asyncrat phishing

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Loading a suspicious library

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm asyncrat backdoor cmd config-extracted crypt dcrat explorer fingerprint fingerprint hacktool installer lolbin lolbin microsoft_visual_cc njrat obfuscated overlay overlay packed packed packer_detected rat reconnaissance schtasks sfx wmic xworm

Link:

https://www.filescan.io/uploads/681131eb218c4a98ade7ed9d/reports/51f59429-b8ac-4390-aed1-315ecbeb8a23/overview

Verdict:

Malicious

Labled as:

Trojan.Uztuby

Link:

https://www.hybrid-analysis.com/sample/5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774

Malware family:

Sharp Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca788904-cc15-4adb-9824-34fa82477cee

Result

Threat name:

Blank Grabber, DCRat, PureLog Stealer, U

Detection:

malicious

Classification:

troj.adwa.spyw.expl.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1677601

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for dropped file

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Modifies Windows Defender protection settings

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Disable power options

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Stop EventLog

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Blank Grabber

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected Umbral Stealer

Yara detected Xmrig cryptocurrency miner

Yara detected XWorm

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774/

Threat name:

Win32.Trojan.Uztuby

Status:

Malicious

First seen:

2025-04-10 20:29:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=l7rui3to2cp7rog4bciircxszj53j6q2zrjidlhwjnpplvsca52a._file

Verdict:

malicious

Label(s):

umbral

xworm

BlankGrabber

366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4

BlankGrabber

3de249327fe29b3c86cffc8beb92a566d12cc4304ebca1920d49bb466f415fcf

BlankGrabber

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

BlankGrabber

c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207

BlankGrabber

+ 2'257 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:dcrat family:umbral family:xmrig family:xworm defense_evasion discovery execution infostealer miner persistence rat stealer trojan upx

Link:

https://tria.ge/reports/250429-yxrd3sxsbz/

Behaviour

Modifies data under HKEY_USERS

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Looks up external IP address via web service

Power Settings

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

XMRig Miner payload

DcRat

Dcrat family

Detect Umbral payload

Detect Xworm Payload

Umbral

Umbral family

Xmrig family

Xworm

Xworm family

xmrig

Malware Config

C2 Extraction:

89.39.121.169:9000

Verdict:

Malicious

Tags:

Win.Trojan.Uztuby-9855059-0 external_ip_lookup dcrat

YARA:

n/a

Link:

https://app.threat.zone/submission/0ea315e2-5b4b-4feb-929d-933e1e252237

Unpacked files

SH256 hash:

5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774

MD5 hash:

5e3da9cb266b107730f517d0f7db4954

SHA1 hash:

2641f306f1a766f26595b837754a5f04a7852e1c

Link:

https://www.unpac.me/results/218bee8a-de98-4642-a35e-8b8f54098909/

SH256 hash:

08128d203d7b2ad934c65c6a3a37f682420413f37bbd69892cb5c415a19cef9a

MD5 hash:

06a902cd756a573dc09bf76f3957195c

SHA1 hash:

86f40cab568ea69b3c0f46ba0400a222f5fb9dd6

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/218bee8a-de98-4642-a35e-8b8f54098909/

SH256 hash:

4fec95956088ca7dd2a5ff7f78d700e6a295cb3b5d1b4ac501b3b4055387b1dc

MD5 hash:

01183343f06cc6c92b270d6868b429c7

SHA1 hash:

c90b4e3d7355ce3b961f88a9c43ff75373300e91

Link:

https://www.unpac.me/results/218bee8a-de98-4642-a35e-8b8f54098909/

SH256 hash:

67112216d099fbbbabb3ed3c59b4f7cca1c27bb99d8bd21941972e39c83888a2

MD5 hash:

a454094c7940f4389689cc7972619524

SHA1 hash:

77eb11200e3e6e7579e75c2fd1d15f4b0f169269

Detections:

UmbralStealer

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

MALWARE_Win_UmbralStealer

Link:

https://www.unpac.me/results/218bee8a-de98-4642-a35e-8b8f54098909/

SH256 hash:

f1080146b6b4f53e2e9d46ffa8f17f1afefec5a982d25f1a49f8df4e33e0554d

MD5 hash:

cdfd2bee9fa26ef44ddac261cb0b83a9

SHA1 hash:

64aa0818a172d24e00c20dd1f223b4883e1f8dd4

Detections:

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/218bee8a-de98-4642-a35e-8b8f54098909/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5fe3446e6ed0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DotNet_Reactor Create hunting rule
Author:	@bartblaze
Description:	Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	xmrig_v1 Create hunting rule
Author:	RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PhemedroneStealer

exe 9145705f16a5c8ce8128315cab3d882efc609231b64a6ff335482ad511a250a3

BlankGrabber

exe 5fe3446e6ed09ff8b8dc0890888af2ca7bb4fa1acc5281acf64b5ef5d6420774

(this sample)

Dropped by

MD5 a44e7983d18166149c75b3511896467b

Cape

https://www.capesandbox.com/analysis/5052/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample