MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50
SHA3-384 hash: ade60a09282d653703aa9f890418e74df9b6904875c885e2171280b7457f8c6389b7337bc3dd9660e633b0229b06c8ce
SHA1 hash: 59654109e146b733db11b95ab12582066dc22970
MD5 hash: 4e9131c8ae4ae8da5af15fcb190eaa7f
humanhash: emma-avocado-arkansas-wisconsin
File name:283.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:78'805'344 bytes
First seen:2025-12-10 12:26:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 1572864:CjqEL/s/8+VPyAiF5R7mP9daWnp+AJvZlxq7OW7/Eoc2PyW+eb:Ip/s/fV0lm/lIAJvZlk7p/nhPR
TLSH T1070833A280E10856E0B2D47AA5A3CD79DE529C964759C7F7CBCD97823E331C2A43DBC4
TrID 64.5% (.EXE) InstallShield setup (43053/19/16)
15.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.0% (.ICL) Windows Icons Library (generic) (2059/9)
3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d46046fa-019a-4207-9d4a-f8dc0d1fe5d5/
Malware family:
n/a
ID:
1
File name:
283.exe
Verdict:
Malicious activity
Analysis date:
2025-12-10 12:24:38 UTC
Tags:
python auto-sch nuitka telegram pyinstaller
Link:
https://app.any.run/tasks/9a24d26d-a603-4b24-980a-58e5cd77a98d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69396687a675b653bd0fb4e3
Tags:
autorun extens shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand installer-heuristic lolbin microsoft_visual_cc overlay overlay packed pyinstaller
Link:
https://www.filescan.io/uploads/693966f1cf690d27f3db1c4f/reports/0bf5e791-b12f-4b12-b149-97e83003c732/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-10T09:26:00Z UTC
Last seen:
2025-12-10T10:00:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.Win32.Disco.gen Backdoor.Win64.Stelega.alq PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1830195
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to infect the boot sector
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Python Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830195 Sample: 283.exe Startdate: 10/12/2025 Architecture: WINDOWS Score: 92 89 api.telegram.org 2->89 93 Multi AV Scanner detection for dropped file 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Yara detected Python Downloader 2->97 101 2 other signatures 2->101 9 InformerUpdate.exe 56 2->9         started        13 283.exe 20 2->13         started        signatures3 99 Uses the Telegram API (likely for C&C communication) 89->99 process4 file5 69 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->69 dropped 71 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->71 dropped 73 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->73 dropped 81 50 other files (none is malicious) 9->81 dropped 103 Contains functionality to infect the boot sector 9->103 15 InformerUpdate.exe 3 9->15         started        75 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 13->75 dropped 77 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 13->77 dropped 79 C:\Users\user\AppData\Local\...\python312.dll, PE32+ 13->79 dropped 83 14 other malicious files 13->83 dropped 105 Uses schtasks.exe or at.exe to add and modify task schedules 13->105 107 Adds a directory exclusion to Windows Defender 13->107 17 283.exe 7 13->17         started        signatures6 process7 file8 21 SysSettingSvc.exe 132 15->21         started        47 C:\Users\user\AppData\...\InformerUpdate.exe, PE32+ 17->47 dropped 49 C:\Users\user\AppData\...\contentIndex.exe, PE32+ 17->49 dropped 91 Adds a directory exclusion to Windows Defender 17->91 24 InformerUpdate.exe 56 17->24         started        26 powershell.exe 23 17->26         started        29 schtasks.exe 1 17->29         started        31 schtasks.exe 1 17->31         started        signatures9 process10 file11 53 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 21->53 dropped 55 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 21->55 dropped 57 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 21->57 dropped 65 90 other malicious files 21->65 dropped 33 SysSettingSvc.exe 1 21->33         started        59 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 24->59 dropped 61 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 24->61 dropped 63 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 24->63 dropped 67 50 other files (none is malicious) 24->67 dropped 36 InformerUpdate.exe 4 24->36         started        109 Loading BitLocker PowerShell Module 26->109 39 WmiPrvSE.exe 26->39         started        41 conhost.exe 26->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        signatures12 process13 dnsIp14 85 api.telegram.org 149.154.167.220, 443, 49698, 49699 TELEGRAMRU United Kingdom 33->85 87 127.0.0.1 unknown unknown 33->87 51 C:\Users\user\AppData\...\SysSettingSvc.exe, PE32+ 36->51 dropped file15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50
Gathering data
Verdict:
Malicious
Threat:
Backdoor.Win64.Stelega
Link:
https://tip.neiki.dev/file/669a1bace11b71fe0e25eedf67346e283bd4f06b1a901dea1b18716afbb4ff50
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 12:24:38 UTC
File Type:
PE+ (Exe)
Extracted files:
957
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2nbxlhbdny74drf53pwondofa55j4dldkib32q3dbywv65u75ia._file
Result
Malware family:
blankgrabber
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber execution persistence pyinstaller stealer
Link:
https://tria.ge/reports/251210-pmwrdaxmbl/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
blankgrabber
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9b519d1-f8dc-4506-a992-46f6f48fd864
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments