MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92c474f765393d37a0cbf81b9c2961ed8eb2ce749fc7ef26c4d6d000dc6945df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 14


Intelligence 14 IOCs YARA 35 File information Comments

SHA256 hash: 92c474f765393d37a0cbf81b9c2961ed8eb2ce749fc7ef26c4d6d000dc6945df
SHA3-384 hash: ef8991ac255e8ba18524716ec5a789e360b686ce92a5097031940f8c58e092cdbeeb0f3597edf585de0119ab3cfd9fc4
SHA1 hash: 7cfb7359f01ebd3c50fad6980e6f3f6be7ef5f89
MD5 hash: f793b51c2a84b9f791e08ba6c5e63b08
humanhash: march-pluto-blossom-victor
File name:bw8OQF8A9vA.exe
Download: download sample
Signature BlankGrabber
File size:31'259'136 bytes
First seen:2026-06-05 20:22:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d0bcf2f15f1b6c754d506661e259968 (1 x BlankGrabber)
ssdeep 393216:6mU2YkUOshouIkPftRL54huBopYkUOshouIkPftRL54huBoPYkUOshouIkPftRLI:q2YCwouTtRLOYCwouTtRLqYCwouTtRL
TLSH T14D6701217A9A98ADD05AC474C3468B725A3130DB0B35BAFF448896793F6DAF41F3C358
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:BlankGrabber exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
160
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
bw8OQF8A9vA.exe
Verdict:
No threats detected
Analysis date:
2026-06-05 20:27:01 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Changing a file
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Launching the process to change network settings
Reading critical registry keys
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Launching a service
Launching a process
Loading a suspicious library
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context adaptive-context anti-debug crypto overlay packed packed reconnaissance rust
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-05T11:51:00Z UTC
Last seen:
2026-06-06T21:47:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Dizemp.sb Trojan.Script.Poweliks.sb Trojan-PSW.Win64.Pyborg.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.Python.Blank.sb PDM:Trojan.Win32.Generic Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb Trojan.Python.Agent.gen Trojan-PSW.Win64.Stealer.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.Python.Blank.gen Trojan.Win32.Poweliks.a
Result
Threat name:
Blank Grabber
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Unusual module load detection (module proxying)
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Blank Grabber
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923872 Sample: bw8OQF8A9vA.exe Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 58 discord.com/api/webhooks/1512447703274225704/8hgzdxolyafb_drnlhyirll5rwls6ifqpevuf1ej5hwhm36np9c4d0_sb78ioph34gh6 unknown unknown 2->58 60 ip-api.com 2->60 62 blank-52g6z.in 2->62 66 Found malware configuration 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected Blank Grabber 2->70 72 5 other signatures 2->72 10 bw8OQF8A9vA.exe 63 2->10         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 10->50 dropped 52 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->52 dropped 54 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 10->54 dropped 56 56 other files (none is malicious) 10->56 dropped 82 Modifies Windows Defender protection settings 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Removes signatures from Windows Defender 10->86 88 2 other signatures 10->88 14 bw8OQF8A9vA.exe 1 10->14         started        18 conhost.exe 10->18         started        signatures6 process7 dnsIp8 64 ip-api.com 208.95.112.1, 49695, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 14->64 92 Found many strings related to Crypto-Wallets (likely being stolen) 14->92 94 Modifies Windows Defender protection settings 14->94 96 Adds a directory exclusion to Windows Defender 14->96 98 2 other signatures 14->98 20 cmd.exe 1 14->20         started        23 cmd.exe 1 14->23         started        25 cmd.exe 1 14->25         started        27 2 other processes 14->27 signatures9 process10 signatures11 74 Modifies Windows Defender protection settings 20->74 76 Adds a directory exclusion to Windows Defender 20->76 78 Removes signatures from Windows Defender 20->78 29 powershell.exe 23 20->29         started        32 conhost.exe 20->32         started        34 powershell.exe 23 23->34         started        36 conhost.exe 23->36         started        38 MpCmdRun.exe 23->38         started        80 Uses WMIC command to query system information (often done to detect virtual machines) 25->80 40 WMIC.exe 25->40         started        42 mshta.exe 27->42         started        44 conhost.exe 27->44         started        46 tasklist.exe 1 27->46         started        process12 signatures13 90 Loading BitLocker PowerShell Module 34->90 48 WmiPrvSE.exe 34->48         started        process14
Gathering data
Threat name:
Win64.Trojan.Qwexlafiba
Status:
Malicious
First seen:
2026-06-05 16:45:48 UTC
File Type:
PE+ (Exe)
Extracted files:
1740
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
blankgrabber
Score:
  10/10
Tags:
family:blankgrabber defense_evasion discovery execution stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
UPX packed file
Looks up external IP address via web service
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Malware family:
BlankGrabber
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Author:k3nr9
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026
Author:SixHands
Description:Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments