MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 17



SHA256 hash: 9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992
SHA3-384 hash: f19c39257d9fd43c13f9c0def39833aff169718a3f2ca773bab13376d96f5e967169a31a2a0dcda5baca8dbeb823977c
SHA1 hash: 0339e2c61f6cdb9e37ca03f9d97e7811593eba23
MD5 hash: 48a8ee49651a74a74baca1f7c94729e5
humanhash: island-november-may-music
File name: 48a8ee49651a74a74baca1f7c94729e5.exe
Signature: BlankGrabber
File size: 12'016'128 bytes
First seen: 2024-06-21 02:25:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5d9d937853db8b666bd4b525813d7bd (41 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep: 196608:tHHbgJSiavNLVOOHrVB71ZwMFOc3aVeYz4t/+KwgPuZ9RaD:h7gJA3tHMC3a5z4XwgPo9y
Threatray: 119 similar samples on MalwareBazaar
TLSH: T189C6333ABCD196FFEFBB35F94C4157A495D6CE14A42A31DD12D90FBC99B1B21A002832
TrID:
  83.6% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
  4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: abuse_ch
Tags: BlankGrabber exe


abuse_ch
BlankGrabber C2:
http://j282895d.beget.tech/L1nc0In.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 625
Origin country: NL
Vendor Threat Intelligence
Malware family: (none listed)
ID: 1
File name: 9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992.exe
Verdict: Malicious activity
Analysis date: 2024-06-21 02:25:55 UTC
Tags: uac evasion telegram blankgrabber stealer python rat dcrat remote darkcrystal

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Banker Encryption Execution Generic Network Other Stealth Poison Ivy Dexter
Result
Verdict: Malware
Maliciousness: (none listed)

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a process
Launching the process to change network settings
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed poison shell32 xorist
Result
Verdict: MALICIOUS
Result
Threat name: Blank Grabber
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executable to a common third party application directory
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Behaviour
Behavior Graph: (graph ID 1460520, sample QIjBj1l8We.exe, start date 21/06/2024, architecture WINDOWS, score 100; the graph rendering itself is not reproduced here.)
Recoverable from the graph: the sample resolves api.telegram.org (149.154.167.220:443, flagged as Telegram API use likely for C&C), 206.23.85.13.in-addr.arpa and ip-api.com (208.95.112.1:80), and triggers a Snort IDS alert. QIjBj1l8We.exe drops x12.exe in C:\Users\user\AppData\Local\Temp\ and starts Built.exe; x12.exe then drops and starts a chain of nested PE32 droppers (x11.exe, x10.exe, x9.exe, x8.exe, x7.exe, x6.exe, x5.exe, x4.exe), the last of which drops CheatLauncherV2.exe. Built.exe spawns many cmd.exe, powershell.exe and conhost.exe instances (very long and encrypted PowerShell command lines, Windows Defender protection settings and directory exclusions modified, browser and WLAN password harvesting, BitLocker PowerShell module loaded), powershell.exe drops gkfhm5n3.cmdline which csc.exe compiles to gkfhm5n3.dll via cvtres.exe, and getmac.exe queries Win32_NetworkAdapter via WMI and reads or writes registry keys via WMI.
Threat name: Win32.Trojan.VBinder
Status: Malicious
First seen: 2024-06-15 11:43:21 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 35 of 38 (92.11%)
Threat level: 5/5
Result
Malware family: (none listed)
Score: 10/10
Tags: family:dcrat defense_evasion evasion execution infostealer persistence privilege_escalation rat spyware stealer themida trojan upx
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops file in Program Files directory
Hide Artifacts: Hidden Files and Directories
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
UPX packed file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
DCRat payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
UAC bypass
Unpacked files
SHA256 hash: f3ee0a31d29b515d2e0bf776507897ca3ef5605d0470adcc4163209ba78e3445
MD5 hash: 6cf5f23f1c8ca3bc6342506baac300da
SHA1 hash: 18affb87f0e996d202f0be3b8109701120ea3995

SHA256 hash: bb2f60d4a25646a84b4de1025467dd1d25d33bd419601ad04e926c62becc8d7b
MD5 hash: 37297cdcc290c6a29fa58fbbbe84ac2c
SHA1 hash: 8d94e0de79742727ea60db260180910e30677627
Detections: win_xorist_auto

SHA256 hash: 9ce7950dbd49b8c82b25df40fa94e88830361b8625d2f91214fa7583a346f992
MD5 hash: 48a8ee49651a74a74baca1f7c94729e5
SHA1 hash: 0339e2c61f6cdb9e37ca03f9d97e7811593eba23
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                 | Title                                                     | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                      | high
CHECK_NX           | Missing Non-Executable Memory Protection                  | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection  | high

Reviews
ID                | Capabilities                    | Evidence
WIN32_PROCESS_API | Can Create Process and Threads  | kernel32.dll::CloseHandle
WIN_BASE_API      | Uses Win Base API               | kernel32.dll::LoadLibraryA, kernel32.dll::GetCommandLineA
WIN_BASE_IO_API   | Can Create Files                | kernel32.dll::CreateFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetTempPathA
WIN_USER_API      | Performs GUI Actions            | user32.dll::CreateWindowExA
