MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 876c3656f74c6fcfaa25bda37dc1c6f868677c088953c722ef4595efe40f0c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlackGrabber


Vendor detections: 11



SHA256 hash: 876c3656f74c6fcfaa25bda37dc1c6f868677c088953c722ef4595efe40f0c7f
SHA3-384 hash: 47b297bdb235572a73da60074d5aa12e5844c8159c1eac22ab93e6346b03f6591da4738afd76983b80eefaba76b24b54
SHA1 hash: 9c0eb843839f201c5d87dfa6c9b7b795d29b449e
MD5 hash: c36f10074bd560df1341aeb405b23641
humanhash: mockingbird-beer-fillet-fix
File name: c36f10074bd560df1341aeb405b23641
Signature: BlackGrabber
File size: 849'920 bytes
First seen: 2023-07-28 04:55:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 66 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 6144:547p0yN90QEV/E9DuLVoF99OHkWOIzDtZ:5Jy90nVoFmnOGDtZ
Threatray: 136 similar samples on MalwareBazaar
TLSH: T1850525C273949053D8635A704EA3838A5B29FCD1EE70759B3364F71F1B3AAC26D29712
TrID:
  83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  0.8% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: 64 BlackGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 279
Origin country: FR
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 899756f47edd02727fca00b607b6f955.exe
Verdict: Malicious activity
Analysis date: 2023-07-25 23:48:36 UTC
Tags: rat redline amadey trojan loader lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Blank Grabber, XWorm
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected XWorm
Behaviour
Behavior Graph (text rendering of the graph image; Behavior Graph ID: 1281597, Sample: RN2ZDnNaVx.exe, Start date: 28/07/2023, Architecture: WINDOWS, Score: 100)

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures.

Process tree recovered from the graph:
- RN2ZDnNaVx.exe (rundll32.exe is started at the same level)
  - drops C:\Users\user\AppData\Local\...\payload.exe (PE32+)
  - starts cmd.exe (signatures: Queries sensitive network adapter information via WMI, Win32_NetworkAdapter; Very long command line found; Encrypted powershell cmdline option found; 6 other signatures)
    - starts payload.exe and conhost.exe
      - payload.exe contacts 101.99.92.134 (ports 49690, 9008; SHINJIRU-MY-AS-AP, Shinjiru Technology Sdn Bhd, Malaysia)
      - drops C:\Users\user\AppData\Local\Temp\lxuiof.exe (PE32+) and C:\Users\user\AppData\Local\Temp\bedpvu.exe (PE32+)
      - starts bedpvu.exe, lxuiof.exe and notepad.exe
        - bedpvu.exe drops C:\Users\...\backend_c.cp311-win_amd64.pyd, C:\Users\user\...\_cffi.cp311-win_amd64.pyd, C:\Users\user\AppData\Local\...\shell.pyd (all PE32+) and 74 other malicious files; starts a second bedpvu.exe
          - second bedpvu.exe contacts rentry.co (198.251.88.130, PONYNET, United States); starts cmd.exe, which starts conhost.exe
        - lxuiof.exe drops C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\...\tinyaes.cp311-win_amd64.pyd, C:\Users\user\AppData\Local\...\sqlite3.dll (all PE32+) and 16 other malicious files (signatures: Very long command line found; May check the online IP address of the machine; Drops PE files with a suspicious file extension; 4 other signatures); starts a second lxuiof.exe
          - second lxuiof.exe contacts ip-api.com (208.95.112.1, TUT-AS, United States), discordapp.com (162.159.133.233, CLOUDFLARENET, United States) and 192.168.2.1; drops C:\ProgramData\Microsoft\...\?  ??.scr (PE32+) and the ASCII files C:\Users\user\AppData\...IGIYTFFYT.xlsx, C:\Users\user\AppData\...OWRVPQCCS.pdf, C:\Users\user\AppData\...IVQSAOTAQ.png (signatures: Very long command line found; Tries to harvest and steal browser information (history, passwords, etc); Adds a directory exclusion to Windows Defender; 3 other signatures); starts three cmd.exe instances and 21 other processes
            - cmd.exe (Very long command line found; Encrypted powershell cmdline option found) starts powershell.exe and conhost.exe; powershell.exe drops C:\Users\user\AppData\...\qpunaddu.cmdline (Unicode) and starts csc.exe, which drops C:\Users\user\AppData\Local\...\qpunaddu.dll (PE32) and starts cvtres.exe
            - cmd.exe starts getmac.exe (Queries sensitive network adapter information via WMI, Win32_NetworkAdapter; Writes or reads registry keys via WMI) and conhost.exe
            - cmd.exe (Adds a directory exclusion to Windows Defender) starts 2 other processes
            - 21 other processes (Tries to harvest and steal WLAN passwords) start WMIC.exe (DLL side loading technique detected), systeminfo.exe and 41 other processes
Threat name: Win64.Trojan.Nekark
Status: Malicious
First seen: 2023-07-25 23:21:48 UTC
AV detection: 17 of 37 (45.95%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence pyinstaller spyware stealer upx
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SHA256 hash: 876c3656f74c6fcfaa25bda37dc1c6f868677c088953c722ef4595efe40f0c7f
MD5 hash: c36f10074bd560df1341aeb405b23641
SHA1 hash: 9c0eb843839f201c5d87dfa6c9b7b795d29b449e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BlackGrabber
File type: Executable exe
SHA256 hash: 876c3656f74c6fcfaa25bda37dc1c6f868677c088953c722ef4595efe40f0c7f (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-07-28 04:55:22 UTC

url : hxxp://5.42.92.67/lend/new.EXE