MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 808e9654ae979abb4866e8f1f1c567c75555d82d990e7c2832e87c51a07d068d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 15


SHA256 hash: 808e9654ae979abb4866e8f1f1c567c75555d82d990e7c2832e87c51a07d068d
SHA3-384 hash: 0605e4fd615cc3106707f591cee635756f66aa9fd611b25103648d5d3f439591b9c2544f6217ee17ffbd4f4dc91e9517
SHA1 hash: ab0a6eef509e901c3006519f04f3785b2fb8922b
MD5 hash: 35e0f4d4ca75d215732131013d3a6485
humanhash: steak-oklahoma-early-october
File name: BeamRUSTLoader.exe
Signature: BlankGrabber
File size: 8'618'819 bytes
First seen: 2026-02-04 14:51:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dcaf48c1f10b0efa0a4472200f3850ed (43 x BlankGrabber, 22 x Efimer, 18 x PythonStealer)
ssdeep: 196608:T8PmPU3xcdALjv+bhqNVoB0SEsucQZ41JBEPIFA1DRw:T8PauL+9qz80SJHQK1JKaA5u
TLSH: T13E963390E3E809E6E823D23C4605D466DBB379215B68D2DF53B843391F178E1D93BB26
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: BlankGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: BlankGrabber, BlankOBF, PyInstaller

Details
Archives: extracted contents of the ZIP archive
BlankGrabber: a c2 url, a mutex, an archive password, and flags
BlankGrabber: AES-GCM decryption parameters, and, if the parent PyInstaller is available, a decrypted component
BlankOBF: an LZMA decompressed component
BlankOBF: a deobfuscated component
PyInstaller: a compiled assembly and a Python version

Malware family: n/a
ID: 1
File name: BeamRUSTLoader.exe
Verdict: Malicious activity
Analysis date: 2026-02-04 14:51:00 UTC
Tags: blankgrabber uac anti-evasion python stealer pyinstaller susp-powershell generic upx evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: shell virus sage

Verdict: Malicious
Labeled as: Znyonm.A.8E263231;Generic.Znyonm.B.Generic
Result: Gathering data

Verdict: Malicious
File Type: exe x64
Detections: Trojan-Spy.Win32.Agent.dffz Trojan-PSW.Python.Blank.sb HEUR:Trojan-PSW.Python.Blank.gen

Result
Threat name: Blank Grabber
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Blank Grabber
Behaviour
Behavior Graph (ID: 1863335; Sample: BeamRUSTLoader.exe; Startdate: 04/02/2026; Architecture: WINDOWS; Score: 100)
Graph rendering omitted; recovered process tree, network and file activity:

Start node
    DNS/IP: ip-api.com, blank-z297v.in
    Signatures: Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; Check if machine is in data center or colocation facility; 3 other signatures
    Started: BeamRUSTLoader.exe (process 10)

BeamRUSTLoader.exe (process 10)
    Dropped: C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); 56 other files (none is malicious)
    Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender; 2 other signatures
    Started: BeamRUSTLoader.exe (process 14)

BeamRUSTLoader.exe (process 14)
    DNS/IP: ip-api.com 208.95.112.1, port 49694 -> 80, TUT-ASUS, United States
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
    Started: cmd.exe (process 18), cmd.exe (process 21), cmd.exe (process 23), cmd.exe (process 25)

cmd.exe (process 18)
    Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
    Started: powershell.exe (process 27), conhost.exe (process 30)

cmd.exe (process 21)
    Started: powershell.exe (process 32), MpCmdRun.exe (process 34), conhost.exe (process 36)

cmd.exe (process 23)
    Signatures: Uses WMIC command to query system information (often done to detect virtual machines)
    Started: WMIC.exe (process 38), conhost.exe (process 40)

cmd.exe (process 25)
    Started: conhost.exe (process 42), tasklist.exe (process 44)

powershell.exe (process 27)
    Signatures: Loading BitLocker PowerShell Module
    Started: WmiPrvSE.exe (process 46)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Znyonm
Status: Malicious
First seen: 2026-02-04 14:51:02 UTC
File Type: PE+ (Exe)
Extracted files: 580
AV detection: 13 of 36 (36.11%)
Threat level: 5/5

Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber defense_evasion discovery execution upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
UPX packed file
Looks up external IP address via web service
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Unpacked files
SHA256 hash: 808e9654ae979abb4866e8f1f1c567c75555d82d990e7c2832e87c51a07d068d
MD5 hash: 35e0f4d4ca75d215732131013d3a6485
SHA1 hash: ab0a6eef509e901c3006519f04f3785b2fb8922b

Malware family: BlankGrabber
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments