MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Grandoreiro


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80
SHA3-384 hash: c70a81c59b322412c85a236ee7b14386395370f2a3b38fceb65d20e9cb9192ede82b470102678826fdc6e2d16db66cc5
SHA1 hash: a32c3bf0915c335d251e52f52acb687f66e5c520
MD5 hash: 1c334775e07ed82f659da08e829bf04f
humanhash: south-robert-rugby-berlin
File name:7zxa.dll
Download: download sample
Signature Grandoreiro
Create hunting rule
File size:80'042'496 bytes
First seen:2024-10-31 11:21:46 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d2f50e6a9c0243660c6da64ab42f5486 (1 x Grandoreiro)
ssdeep 393216:CMu5ZfXcwbl6NcowgToea/MCi6R0ptmU/uEugulZ/W+VWJIa5yJBz7h8zxPtYLx8:YX4u/b6BuVrMIaIp8zxtYd5mYfc
TLSH T11408742038EB502EF073AFB59FE9F9BA8D6EFE211609646A1154370B8B33D41DD12539
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter NDA0E
Tags:dll dllHijack geo Grandoreiro MEX PRT

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6723141849e92a05dde1fed6
Tags:
dropper exploit smtp
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi explorer lolbin
Link:
https://www.filescan.io/uploads/67236862756c933fb11d866d/reports/86cb6af3-6c47-4be4-87f5-22dc426ab4d9/overview
Verdict:
Suspicious
Labled as:
Spy.Grandoreiro
Link:
https://www.hybrid-analysis.com/sample/887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1546049
Signature
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546049 Sample: 7zxa.dll Startdate: 31/10/2024 Architecture: WINDOWS Score: 88 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->61 63 2 other signatures 2->63 9 loaddll32.exe 3 2->9         started        13 loaddll32.exe 2->13         started        process3 file4 55 C:\Users\user\AppData\Local\Temp\hcx.dll, PE32 9->55 dropped 65 Overwrites code with function prologues 9->65 67 Modifies the windows firewall 9->67 69 Contains functionality to detect sleep reduction / modifications 9->69 15 cmd.exe 1 9->15         started        18 rundll32.exe 9->18         started        20 rundll32.exe 9->20         started        24 18 other processes 9->24 22 conhost.exe 13->22         started        signatures5 process6 signatures7 73 Uses netsh to modify the Windows network and firewall settings 15->73 26 rundll32.exe 1 15->26         started        29 schtasks.exe 18->29         started        31 WerFault.exe 18->31         started        33 schtasks.exe 20->33         started        35 WerFault.exe 20->35         started        37 conhost.exe 24->37         started        39 conhost.exe 24->39         started        41 schtasks.exe 24->41         started        43 2 other processes 24->43 process8 signatures9 71 Uses schtasks.exe or at.exe to add and modify task schedules 26->71 45 schtasks.exe 1 26->45         started        47 WerFault.exe 22 16 26->47         started        49 conhost.exe 29->49         started        51 conhost.exe 33->51         started        process10 process11 53 conhost.exe 45->53         started       
Score:
38%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80
Gathering data
Threat name:
Win32.Trojan.Grandoreiro
Create hunting rule
Status:
Malicious
First seen:
2024-10-31 11:20:25 UTC
File Type:
PE (Dll)
Extracted files:
902
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbyyobbua6scfudazz63rthle26tiv5oy5vir2hdddg4izn5x2aa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241031-ngklgsvrcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Grandoreiro

Visual Basic Script (vbs) vbs f8520d764363ff22784c2bd6f77829ffe7396637936d68855bf56ae1f0c6dd5e

Grandoreiro

Visual Basic Script (vbs) vbs 6b16c2a1897f02f6f05f97ffcadd357071dc660708312b5c71341f9bb4bc285a

Grandoreiro

zip ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce

Grandoreiro

DLL dll 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80

(this sample)

  
Dropped by
SHA256 ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce
  
URLhaus
https://urlhaus.abuse.ch/url/3267993/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 22751b6dd47c521bc3f7a32fd7caf288

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipFillRectangle
gdiplus.dll::GdipFillRectangles
gdiplus.dll::GdipFillRectangleI
gdiplus.dll::GdipFillRectanglesI
MULTIMEDIA_APICan Play Multimediawinmm.dll::PlaySoundW
gdi32.dll::StretchDIBits
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::GetTokenInformation
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExW
shell32.dll::ShellExecuteW
shell32.dll::SHFileOperationW
shell32.dll::SHGetFileInfoW
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
winhttp.dll::WinHttpCloseHandle
kernel32.dll::CloseHandle
wininet.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
kernel32.dll::GetConsoleOutputCP
kernel32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::CreateFileMappingW
kernel32.dll::DeleteFileW
kernel32.dll::MoveFileW
kernel32.dll::GetWindowsDirectoryW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameW
advapi32.dll::GetUserNameA
kernel32.dll::QueryDosDeviceW
WIN_HTTP_APIUses HTTP serviceswinhttp.dll::WinHttpAddRequestHeaders
winhttp.dll::WinHttpConnect
winhttp.dll::WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll::WinHttpGetProxyForUrl
winhttp.dll::WinHttpOpenRequest
winhttp.dll::WinHttpOpen
WIN_NETWORK_APISupports Windows Networkingmpr.dll::WNetEnumResourceW
mpr.dll::WNetGetUniversalNameW
mpr.dll::WNetOpenEnumW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyA
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegOpenKeyExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::AppendMenuW
user32.dll::CloseDesktop
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW

Comments