MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 14



SHA256 hash: 68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
SHA3-384 hash: 250c097875e44ac2c7ec722bf25e04c28a12bb10fe2f3f43ad898137245bfc2ef60da722120c2d27c4c6f9a2527b646a
SHA1 hash: d7f0d639d943aeee3f98442eec744ca0e78a07d1
MD5 hash: 4fec8faf6590f62034ad44a54175b9e9
humanhash: delaware-johnny-fourteen-mobile
File name: 4FEC8FAF6590F62034AD44A54175B9E9.exe
Signature: BlankGrabber
File size: 17'830'453 bytes
First seen: 2024-08-01 02:25:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep: 393216:ToNLbkNj0zztkKxXziCnbvCyHPSh5NzQSRAgS+aCBtd:TohLzht3nZHY59RRAP0d
TLSH: T1A2073323B7E6E473E4376C315D694F4AF0A838311B584ADB03B6ADFDAED05F24295281
TrID:
  40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.7% (.EXE) OS/2 Executable (generic) (2029/13)
  7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: BlankGrabber exe


abuse_ch
BlankGrabber C2:
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1305630/

Intelligence


File Origin
# of uploads: 1
# of downloads: 381
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
4FEC8FAF6590F62034AD44A54175B9E9.exe
Verdict:
Malicious activity
Analysis date:
2024-08-01 02:28:11 UTC
Tags:
pyinstaller susp-powershell discordgrabber generic stealer growtopia umbralstealer upx discord blankgrabber evasion telegram rat dcrat remote darkcrystal python miner netreactor wmi-base64 api-base64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Discovery Execution Generic Infostealer Network Stealth Trojan Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Blank Grabber, DCRat, PureLog Stealer, X
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop multiple services
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Stops critical windows services
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1485736
Sample: 8Ck8T5qRcC.exe
Start date: 01/08/2024
Architecture: WINDOWS
Score: 100

Network contacts observed in the graph:
  api.telegram.org (149.154.167.220:443, TELEGRAMRU, United Kingdom); Uses the Telegram API (likely for C&C communication)
  discord.com (162.159.136.232:443, CLOUDFLARENETUS, United States)
  ip-api.com (208.95.112.1:80, TUT-ASUS, United States)
  194.58.42.154 (ports 49739, 49740, 49741; AS-REGRU, Russian Federation)

Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Sigma detected: Capture Wi-Fi password; 29 other signatures

Process tree (child processes, dropped files and matched signatures per node):
8Ck8T5qRcC.exe
  dropped: C:\ProgramData\Microsoft\hacn.exe (PE32+); C:\ProgramData\Microsoft\based.exe (PE32+)
  hacn.exe
    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\Temp\...\s.exe (PE32); 8 other files (7 malicious)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    hacn.exe
      cmd.exe
        signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found; 3 other signatures
        s.exe
          dropped: C:\ProgramData\svchost.exe (PE32); C:\ProgramData\setup.exe (PE32+)
          signatures: Multi AV Scanner detection for dropped file; Drops PE files with benign system names
          svchost.exe
            dropped: C:\Users\user\...\ChainComServermonitor.exe (PE32); pFG3Duil1NAbFHoInF...Rvb98S0ewJA0VkW.vbe (data); C:\Users\user\...\oGgyulsi03j6EO3sjCC.bat (ASCII)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            wscript.exe
              signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
              cmd.exe
                ChainComServermonitor.exe
                  dropped: C:\Windows\Prefetch\HpQPPZazcv.exe (PE32); C:\Users\user\Desktop\xnytOABw.log (PE32); C:\Users\user\Desktop\xGttiZnp.log (PE32); 26 other malicious files
                  signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious values (likely registry only malware); 5 other signatures
                  csc.exe
                    dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                    signatures: Infects executable files (exe, dll, sys, html)
                conhost.exe
          setup.exe
            dropped: C:\Users\user\AppData\...\wxyubnjmnlae.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+)
            signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); 3 other signatures
        conhost.exe
  based.exe
    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 16 other files (15 malicious)
    signatures: Very long command line found; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
    based.exe
      network: api.telegram.org; discord.com; ip-api.com
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 5 other signatures
      cmd.exe
        2 other processes
          csc.exe
            dropped: C:\Users\user\AppData\Local\...\eodmidm4.dll (PE32)
            cvtres.exe
      cmd.exe
        signatures: Adds a directory exclusion to Windows Defender
        powershell.exe
          signatures: Loading BitLocker PowerShell Module
        conhost.exe
      cmd.exe
        signatures: Modifies Windows Defender protection settings
        2 other processes
      14 other processes
        signatures: Tries to harvest and steal WLAN passwords
        getmac.exe
          signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
        powershell.exe
        23 other processes
HpQPPZazcv.exe
  network: 194.58.42.154 (ports 49739, 49740, 49741; AS-REGRU, Russian Federation)
  dropped: C:\Users\user\Desktop\xiBLBWku.log (PE32); C:\Users\user\Desktop\tcMmcUQx.log (PE32); C:\Users\user\Desktop\tKFUOyWv.log (PE32); 19 other malicious files
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
powershell.exe
  signatures: Loading BitLocker PowerShell Module
  conhost.exe
2 other processes
  signatures: Found direct / indirect Syscall (likely to bypass EDR)
  conhost.exe; sc.exe; sc.exe; 3 other processes
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2024-07-22 08:43:04 UTC
File Type:
PE (Exe)
Extracted files:
986
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
10/10
Tags:
collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Clipboard Data
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Modifies WinLogon for persistence
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
75afaae3d0fba0ecb6e25be065b68a7d199186714dc6c615311491e66b781fa9
MD5 hash:
838a5bd59de32f425938cba6c119cbee
SHA1 hash:
3a789dd47202c524f4c10cf37b245174cf02a2f1

SHA256 hash:
68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
MD5 hash:
4fec8faf6590f62034ad44a54175b9e9
SHA1 hash:
d7f0d639d943aeee3f98442eec744ca0e78a07d1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments