MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
SHA3-384 hash: ee95abe49d5adc9e97669e51f37e69918756105d64b5324c39a19f71f0937073bdf3cf438208bb347d84ad91f38b9688
SHA1 hash: 5aad252412a5923438f30cb9c397731a9b020121
MD5 hash: e4897ef7419e128b1f7473119ce0bd07
humanhash: louisiana-network-black-fruit
File name:DevxExecutor.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:46'285'824 bytes
First seen:2024-05-09 15:45:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo
TLSH T137A733429A917DE172450DF1C5C8C6AC62E2CED81B8D9720F11BCFDF4689FB4992BA4C
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JaffaCakes118
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DevxExecutor.exe
Verdict:
Malicious activity
Analysis date:
2024-05-09 15:46:54 UTC
Tags:
evasion discordgrabber generic stealer waspstealer python blankgrabber miner telegram exfiltration discord growtopia
Link:
https://app.any.run/tasks/11d46d0c-ae68-41d0-b04d-2c9f2e9a585f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a window
Searching for the window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Reading critical registry keys
Launching the process to change network settings
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
Result
Threat name:
Python Stealer, Blank Grabber, CStealer,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439028
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found pyInstaller with non standard icon
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Blank Grabber
Yara detected Costura Assembly Loader
Yara detected CStealer
Yara detected Discord Token Stealer
Yara detected Generic Python Stealer
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439028 Sample: DevxExecutor.exe Startdate: 09/05/2024 Architecture: WINDOWS Score: 100 165 api.telegram.org 2->165 167 raw.githubusercontent.com 2->167 169 2 other IPs or domains 2->169 197 Multi AV Scanner detection for domain / URL 2->197 199 Antivirus detection for URL or domain 2->199 201 Antivirus detection for dropped file 2->201 205 26 other signatures 2->205 15 DevxExecutor.exe 4 2->15         started        18 powershell.exe 2->18         started        signatures3 203 Uses the Telegram API (likely for C&C communication) 165->203 process4 file5 161 C:\Users\user\AppData\Local\Temp\main.exe, PE32+ 15->161 dropped 163 C:\Users\user\AppData\Local\...\cstealer.exe, PE32+ 15->163 dropped 21 main.exe 13 15->21         started        25 cstealer.exe 25 15->25         started        175 Loading BitLocker PowerShell Module 18->175 27 conhost.exe 18->27         started        29 WmiPrvSE.exe 18->29         started        signatures6 process7 file8 125 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->125 dropped 127 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 21->127 dropped 129 C:\Users\user\AppData\Local\...\python311.dll, PE32+ 21->129 dropped 137 8 other malicious files 21->137 dropped 225 Found pyInstaller with non standard icon 21->225 31 main.exe 21->31         started        131 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 25->131 dropped 133 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 25->133 dropped 135 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 25->135 dropped 139 16 other malicious files 25->139 dropped 227 Potentially malicious time measurement code found 25->227 33 cstealer.exe 25->33         started        signatures9 process10 process11 35 cmd.exe 1 31->35         started        37 cmd.exe 1 33->37         started        signatures12 40 Build.exe 6 35->40         started        43 conhost.exe 35->43         started        217 Very long command line found 37->217 219 Encrypted powershell cmdline option found 37->219 221 Bypasses PowerShell execution policy 37->221 223 4 other signatures 37->223 45 cstealer.exe 25 37->45         started        47 conhost.exe 37->47         started        process13 file14 141 C:\ProgramData\Microsoft\hacn.exe, PE32+ 40->141 dropped 143 C:\ProgramData\Microsoft\based.exe, PE32+ 40->143 dropped 49 hacn.exe 40->49         started        53 based.exe 40->53         started        145 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 45->145 dropped 147 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 45->147 dropped 149 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 45->149 dropped 151 16 other malicious files 45->151 dropped 55 cstealer.exe 45->55         started        process15 file16 103 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 49->103 dropped 105 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 49->105 dropped 107 C:\Users\user\AppData\Local\Temp\...\s.exe, PE32 49->107 dropped 115 8 other files (7 malicious) 49->115 dropped 177 Multi AV Scanner detection for dropped file 49->177 179 Machine Learning detection for dropped file 49->179 57 hacn.exe 49->57         started        109 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 53->109 dropped 111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 53->111 dropped 113 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 53->113 dropped 117 16 other malicious files 53->117 dropped 181 Very long command line found 53->181 183 Modifies Windows Defender protection settings 53->183 185 Adds a directory exclusion to Windows Defender 53->185 187 2 other signatures 53->187 59 based.exe 53->59         started        63 cmd.exe 1 55->63         started        signatures17 process18 dnsIp19 65 cmd.exe 57->65         started        171 api.telegram.org 149.154.167.220, 443, 49746 TELEGRAMRU United Kingdom 59->171 173 discord.com 162.159.138.232, 443, 49742 CLOUDFLARENETUS United States 59->173 229 Very long command line found 59->229 231 Tries to harvest and steal browser information (history, passwords, etc) 59->231 233 Modifies Windows Defender protection settings 59->233 235 5 other signatures 59->235 67 cmd.exe 59->67         started        70 cmd.exe 59->70         started        72 cmd.exe 59->72         started        79 16 other processes 59->79 74 cstealer.exe 25 63->74         started        77 conhost.exe 63->77         started        signatures20 process21 file22 81 s.exe 65->81         started        85 conhost.exe 65->85         started        207 Adds a directory exclusion to Windows Defender 67->207 87 powershell.exe 67->87         started        89 conhost.exe 67->89         started        209 Modifies Windows Defender protection settings 70->209 95 2 other processes 70->95 97 2 other processes 72->97 153 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 74->153 dropped 155 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 74->155 dropped 157 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 74->157 dropped 159 16 other malicious files 74->159 dropped 91 cstealer.exe 74->91         started        211 Very long command line found 79->211 213 Encrypted powershell cmdline option found 79->213 215 Tries to harvest and steal WLAN passwords 79->215 93 getmac.exe 79->93         started        99 29 other processes 79->99 signatures23 process24 file25 119 C:\ProgramData\svchost.exe, PE32+ 81->119 dropped 121 C:\ProgramData\setup.exe, PE32+ 81->121 dropped 123 C:\ProgramData\main.exe, PE32 81->123 dropped 189 Drops PE files with benign system names 81->189 191 Loading BitLocker PowerShell Module 87->191 101 cmd.exe 91->101         started        193 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 93->193 195 Writes or reads registry keys via WMI 93->195 signatures26 process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
Gathering data
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-05-08 22:55:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvn2hcs6tpphsonmlxfy7xfzobybc2agjuykxt2rrt4ne4va6waq._file
Verdict:
malicious
Result
Malware family:
milleniumrat
Create hunting rule
Score:
  10/10
Tags:
family:milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
Link:
https://tria.ge/reports/240509-s7m7hshf6w/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Detects videocard installed
Enumerates processes with tasklist
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Contacts a large (1133) amount of remote hosts
Stops running service(s)
MilleniumRat
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d5ba38a5e9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlankGrabber

Executable exe 6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments