MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f
SHA3-384 hash: dd25adaac0ba80683160027d60b66806ab075cd3165b451b41cf331027397ebfe0aef18246598349fd24171a900cd90e
SHA1 hash: 11e80251f14902a18b9b0786fd82f293760afa52
MD5 hash: 22f04c393c9030f346c45ba75a73b6fc
humanhash: monkey-summer-pennsylvania-solar
File name:22f04c393c9030f346c45ba75a73b6fc.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:48'257'024 bytes
First seen:2025-12-14 20:55:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'861 x AgentTesla, 19'793 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 786432:vDVZW39o4Z1ORWHOdXP9jZH5jUNlHgYy8qcbP2BCNL7kIemW+OrHlgRVZ2HNTBwX:vDV4ye0WudXPh95j2AYfhR7kIe7rHiZ8
TLSH T1C6B72357E3C150898EB056F22E0D2E9CDC207957D14980FA6D6BB4177E7B8BC1C73A8A
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:BlankGrabber exe


Avatar
abuse_ch
BlankGrabber C2:
132.145.75.68:6597

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
132.145.75.68:6597 https://threatfox.abuse.ch/ioc/1679079/

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/01493c76-eb4b-4c6a-a0e5-027f96cae054/
Malware family:
n/a
ID:
1
File name:
22f04c393c9030f346c45ba75a73b6fc.exe
Verdict:
Malicious activity
Analysis date:
2025-12-14 20:57:50 UTC
Tags:
python blankgrabber uac stealer screenshot anti-evasion auto-startup delphi evasion telegram xworm susp-powershell
Link:
https://app.any.run/tasks/de7c4524-653a-429b-b9aa-b2a8f1160ad0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693f2473039c1dfc73393de9
Tags:
asyncrat dropper virus msil
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-08T08:14:00Z UTC
Last seen:
2025-12-14T21:53:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Donut.sb Trojan.Win64.Inject.sb Trojan.MSIL.Miner.sb HEUR:Trojan.MSIL.APosT.gen Trojan.Win64.Donut.sb Trojan.Win32.Inject.sb HEUR:Backdoor.MSIL.XWorm.gen Trojan-PSW.Win32.Stealer.sb Trojan.Win64.DonutInjector.sb HEUR:Trojan-PSW.Python.Blank.gen Backdoor.MSIL.XWorm.b HEUR:Trojan.Win32.Generic Trojan.MSIL.Inject.sb Backdoor.Agent.TCP.C&C HEUR:Trojan-Dropper.MSIL.Dapato.gen HEUR:Backdoor.MSIL.Crysan.gen Trojan-Ransom.MSIL.Encoder.gen Trojan-Spy.Win32.Agent.dffz Trojan.Win32.Shellcode.jgm HEUR:Trojan.Win64.Donut.pef Trojan.Agent.UDP.C&C HEUR:Trojan.MSIL.Zapchast.gen Backdoor.XWorm.HTTP.C&C Trojan-PSW.Python.Blank.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Shellcode.sb Trojan.MSIL.Agent.sba Backdoor.MSIL.XWorm.a Trojan.Win32.Agent.sb RiskTool.BitCoinMiner.TCP.C&C RiskTool.Miner.UDP.C&C
Link:
https://opentip.kaspersky.com/639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f/results?tab=lookup
Result
Threat name:
Blank Grabber, SheetRat, XWorm, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1832642
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses WMIC command to query system information (often done to detect virtual machines)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Blank Grabber
Yara detected SheetRat
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1832642 Sample: 5z1K7BPqCm.exe Startdate: 14/12/2025 Architecture: WINDOWS Score: 100 164 api.telegram.org 2->164 166 pool.supportxmr.com 2->166 168 2 other IPs or domains 2->168 190 Sigma detected: Xmrig 2->190 192 Suricata IDS alerts for network traffic 2->192 194 Found malware configuration 2->194 198 28 other signatures 2->198 14 5z1K7BPqCm.exe 5 2->14         started        17 svchost.exe 2->17         started        19 svchost.exe 2->19         started        21 Everything.exe 2->21         started        signatures3 196 Uses the Telegram API (likely for C&C communication) 164->196 process4 file5 156 C:\Users\...\shellbag_analyzer_cleaner.exe, PE32 14->156 dropped 158 C:\Users\user\AppData\Roaming\Output.exe, PE32 14->158 dropped 160 C:\Users\user\AppData\...\5z1K7BPqCm.exe.log, CSV 14->160 dropped 162 C:\...verything-1.4.1.1030.x64-Setup.exe, PE32 14->162 dropped 23 Output.exe 6 14->23         started        27 Everything-1.4.1.1030.x64-Setup.exe 1 35 14->27         started        29 shellbag_analyzer_cleaner.exe 3 14->29         started        31 WerFault.exe 17->31         started        process6 file7 134 C:\Users\user\...\WIN CHANGER 3.9.1.exe, PE32 23->134 dropped 136 C:\Users\user\...\LWIN CHANGER 3.9.1.exe, PE32 23->136 dropped 138 C:\Users\user\AppData\Roaming\FixDATA.exe, PE32+ 23->138 dropped 140 C:\Users\user\AppData\Roaming\FIx.exe, PE32+ 23->140 dropped 220 Multi AV Scanner detection for dropped file 23->220 222 Uses netsh to modify the Windows network and firewall settings 23->222 224 Tries to harvest and steal WLAN passwords 23->224 33 FixDATA.exe 84 23->33         started        37 FIx.exe 23->37         started        39 WIN CHANGER 3.9.1.exe 14 2 23->39         started        50 3 other processes 23->50 142 C:\Users\user\AppData\Local\...\System.dll, PE32 27->142 dropped 144 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 27->144 dropped 146 C:\Users\user\AppData\...\InstallOptions.dll, PE32 27->146 dropped 148 2 other files (none is malicious) 27->148 dropped 42 everything.exe 27->42         started        44 Everything.exe 27->44         started        46 conhost.exe 31->46         started        48 powershell.exe 31->48         started        signatures8 process9 dnsIp10 116 C:\Users\user\AppData\Local\Temp\...\rar.exe, PE32+ 33->116 dropped 118 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 33->118 dropped 120 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 33->120 dropped 126 65 other files (none is malicious) 33->126 dropped 176 Multi AV Scanner detection for dropped file 33->176 178 Modifies Windows Defender protection settings 33->178 180 Adds a directory exclusion to Windows Defender 33->180 188 3 other signatures 33->188 52 FixDATA.exe 33->52         started        182 Writes to foreign memory regions 37->182 184 Allocates memory in foreign processes 37->184 186 Creates a thread in another existing process (thread injection) 37->186 56 conhost.exe 37->56         started        172 ip-api.com 208.95.112.1, 49691, 49715, 80 TUT-ASUS United States 39->172 59 WerFault.exe 39->59         started        122 C:\Program Filesverything\Uninstall.exe, PE32 42->122 dropped 124 C:\Program Filesverythingverything.exe, PE32+ 42->124 dropped 61 Everything.exe 42->61         started        file11 signatures12 process13 dnsIp14 170 api.telegram.org 149.154.167.220, 443, 49716 TELEGRAMRU United Kingdom 52->170 208 Tries to harvest and steal browser information (history, passwords, etc) 52->208 210 Modifies Windows Defender protection settings 52->210 212 Adds a directory exclusion to Windows Defender 52->212 218 5 other signatures 52->218 63 cmd.exe 52->63         started        66 cmd.exe 52->66         started        68 cmd.exe 52->68         started        74 19 other processes 52->74 150 C:\Users\user\services64.exe, PE32+ 56->150 dropped 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->214 216 Drops PE files to the user root directory 56->216 70 cmd.exe 56->70         started        72 cmd.exe 56->72         started        file15 signatures16 process17 signatures18 254 Modifies Windows Defender protection settings 63->254 256 Removes signatures from Windows Defender 63->256 87 3 other processes 63->87 258 Adds a directory exclusion to Windows Defender 66->258 76 powershell.exe 66->76         started        79 conhost.exe 66->79         started        89 2 other processes 68->89 81 services64.exe 70->81         started        83 conhost.exe 70->83         started        260 Suspicious powershell command line found 72->260 262 Encrypted powershell cmdline option found 72->262 264 Bypasses PowerShell execution policy 72->264 266 Uses schtasks.exe or at.exe to add and modify task schedules 72->266 91 2 other processes 72->91 268 Tries to harvest and steal WLAN passwords 74->268 270 Uses WMIC command to query system information (often done to detect virtual machines) 74->270 85 getmac.exe 74->85         started        93 32 other processes 74->93 process19 file20 240 Loading BitLocker PowerShell Module 76->240 96 WmiPrvSE.exe 76->96         started        242 Multi AV Scanner detection for dropped file 81->242 244 Writes to foreign memory regions 81->244 246 Allocates memory in foreign processes 81->246 248 Creates a thread in another existing process (thread injection) 81->248 98 conhost.exe 81->98         started        250 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 85->250 252 Writes or reads registry keys via WMI 85->252 152 C:\Users\user\AppData\Local\Temp\lC2g3.zip, RAR 93->152 dropped 154 C:\Users\user\AppData\...\dfaninme.cmdline, Unicode 93->154 dropped 102 csc.exe 93->102         started        104 Conhost.exe 93->104         started        signatures21 process22 file23 128 C:\Users\user\AppData\...\sihost64.exe, PE32+ 98->128 dropped 130 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 98->130 dropped 200 Injects code into the Windows Explorer (explorer.exe) 98->200 202 Writes to foreign memory regions 98->202 204 Modifies the context of a thread in another process (thread injection) 98->204 206 2 other signatures 98->206 106 sihost64.exe 98->106         started        109 explorer.exe 98->109         started        132 C:\Users\user\AppData\Local\...\dfaninme.dll, PE32 102->132 dropped 112 cvtres.exe 102->112         started        signatures24 process25 dnsIp26 226 Multi AV Scanner detection for dropped file 106->226 228 Writes to foreign memory regions 106->228 230 Allocates memory in foreign processes 106->230 238 2 other signatures 106->238 114 conhost.exe 106->114         started        174 104.243.33.118, 443, 49713 RELIABLESITEUS United States 109->174 232 System process connects to network (likely due to code injection or exploit) 109->232 234 Query firmware table information (likely to detect VMs) 109->234 236 Unusual module load detection (module proxying) 109->236 signatures27 process28
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f
Gathering data
Verdict:
Malicious
Threat:
Family.BLANKGRABBER
Link:
https://tip.neiki.dev/file/639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 01:30:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mopay2smnjegjrz62wbwxskxrs2solmu2cythvz3goopz6hm5vpq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
BlankGrabber
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber family:sheetrat family:xmrig family:xworm collection credential_access defense_evasion discovery execution miner persistence privilege_escalation rat spyware stealer trojan upx
Link:
https://tria.ge/reports/251214-zql2fscp6w/
Behaviour
Detects videocard installed
Gathers system information
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
XMRig Miner payload
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Detect Xworm Payload
Detects Sheetrat obfuscated V2.0 and higher
Sheetrat family
Sheetrat, NonEuclid rat
Xmrig family
Xworm
Xworm family
blankgrabber
xmrig
Malware Config
C2 Extraction:
canada-vb.gl.at.ply.gg:37071
eGQfG1Ah2LBHoksjmXz30w==:15
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/006ab9f1-4ae1-434e-9257-4e94012dc453
Malware family:
BlankGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/639e0c6a4c6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments