MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63
SHA3-384 hash: 70c3b5c1d105650845ff09b567241885a0004aadcc7d1ba9d73eafee7b949874a7ce007bb20035bff1da09691f155eef
SHA1 hash: 059dc993dace11614e1077fb0eb36c602ff347f1
MD5 hash: 21dd41d299117fe5c556afc317f9fcbf
humanhash: seventeen-mountain-oven-snake
File name:21dd41d299117fe5c556afc317f9fcbf.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:22'154'667 bytes
First seen:2024-08-01 22:05:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 456e8615ad4320c9f54e50319a19df9c (18 x SVCStealer, 10 x BlankGrabber, 5 x CoinMiner)
ssdeep 393216:38zTb8tvKrX7QsFLVQAV/JqolX6vrN/04LaUaWYCVxysGt7G/yF7D:383ZrrXlVFlYrRDLaT4r
TLSH T15E273325B3B919A6F87798788CD24E4EF49174760744C6DF03B18BF25FE3AF1499A280
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter abuse_ch
Tags:BlankGrabber exe


Avatar
abuse_ch
BlankGrabber C2:
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php https://threatfox.abuse.ch/ioc/1305630/

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
21dd41d299117fe5c556afc317f9fcbf.exe
Verdict:
Malicious activity
Analysis date:
2024-08-01 22:06:10 UTC
Tags:
susp-powershell pyinstaller umbralstealer discordgrabber generic stealer growtopia blankgrabber python discord evasion telegram upx rat dcrat remote darkcrystal miner netreactor api-base64 wmi-base64
Link:
https://app.any.run/tasks/a73f76c0-e8cd-443a-862a-7a3727bc0bff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ac06cfb7a04efc743998a7
Tags:
Discovery Execution Generic Network Stealth Trojan Multiple
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a process
Enabling the 'hidden' option for recently created files
Launching the process to change network settings
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/66ac06cd4c5c17942a81662a/reports/60498037-def1-4a24-8a33-17918a090d31/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63
Result
Verdict:
MALICIOUS
Result
Threat name:
Blank Grabber, DCRat, PureLog Stealer, X
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1486327
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop multiple services
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1486327 Sample: VaTlw2kNGc.exe Startdate: 02/08/2024 Architecture: WINDOWS Score: 100 147 api.telegram.org 2->147 149 discord.com 2->149 151 ip-api.com 2->151 177 Found malware configuration 2->177 179 Antivirus detection for dropped file 2->179 181 Sigma detected: Capture Wi-Fi password 2->181 185 28 other signatures 2->185 15 VaTlw2kNGc.exe 13 2->15         started        19 dasHost.exe 2->19         started        21 dasHost.exe 2->21         started        23 cmd.exe 2->23         started        signatures3 183 Uses the Telegram API (likely for C&C communication) 147->183 process4 file5 139 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->139 dropped 141 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 15->141 dropped 143 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 15->143 dropped 145 8 other files (7 malicious) 15->145 dropped 159 Found pyInstaller with non standard icon 15->159 25 VaTlw2kNGc.exe 15->25         started        161 Found direct / indirect Syscall (likely to bypass EDR) 19->161 27 conhost.exe 23->27         started        signatures6 process7 process8 29 cmd.exe 1 25->29         started        signatures9 211 Wscript starts Powershell (via cmd or directly) 29->211 213 Very long command line found 29->213 215 Encrypted powershell cmdline option found 29->215 217 5 other signatures 29->217 32 Build.exe 6 29->32         started        36 based.exe 1 72 29->36         started        39 conhost.exe 29->39         started        process10 dnsIp11 101 C:\ProgramData\Microsoft\hacn.exe, PE32+ 32->101 dropped 103 C:\ProgramData\Microsoft\based.exe, PE32+ 32->103 dropped 163 Multi AV Scanner detection for dropped file 32->163 41 hacn.exe 13 32->41         started        45 based.exe 22 32->45         started        153 api.telegram.org 149.154.167.220, 443, 49745 TELEGRAMRU United Kingdom 36->153 155 discord.com 162.159.138.232, 443, 49743 CLOUDFLARENETUS United States 36->155 157 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 36->157 165 Very long command line found 36->165 167 Found many strings related to Crypto-Wallets (likely being stolen) 36->167 169 Tries to harvest and steal browser information (history, passwords, etc) 36->169 171 6 other signatures 36->171 47 cmd.exe 36->47         started        49 cmd.exe 36->49         started        51 cmd.exe 36->51         started        53 16 other processes 36->53 file12 signatures13 process14 file15 109 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 41->109 dropped 111 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 41->111 dropped 113 C:\Users\user\AppData\Local\Temp\...\s.exe, PE32 41->113 dropped 121 8 other files (7 malicious) 41->121 dropped 191 Multi AV Scanner detection for dropped file 41->191 193 Machine Learning detection for dropped file 41->193 55 hacn.exe 41->55         started        115 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 45->115 dropped 117 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 45->117 dropped 119 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 45->119 dropped 123 16 other files (15 malicious) 45->123 dropped 195 Very long command line found 45->195 197 Modifies Windows Defender protection settings 45->197 199 Adds a directory exclusion to Windows Defender 45->199 201 Removes signatures from Windows Defender 45->201 203 Wscript starts Powershell (via cmd or directly) 47->203 205 Encrypted powershell cmdline option found 47->205 57 powershell.exe 47->57         started        60 conhost.exe 47->60         started        71 2 other processes 49->71 62 powershell.exe 51->62         started        65 conhost.exe 51->65         started        207 Tries to harvest and steal WLAN passwords 53->207 209 Loading BitLocker PowerShell Module 53->209 67 getmac.exe 53->67         started        69 powershell.exe 53->69         started        73 30 other processes 53->73 signatures16 process17 file18 75 cmd.exe 55->75         started        125 C:\Users\user\AppData\...\4kug0kj4.cmdline, Unicode 57->125 dropped 77 csc.exe 57->77         started        233 Loading BitLocker PowerShell Module 62->233 235 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 67->235 237 Writes or reads registry keys via WMI 67->237 80 Conhost.exe 73->80         started        82 Conhost.exe 73->82         started        signatures19 process20 file21 84 s.exe 75->84         started        88 conhost.exe 75->88         started        137 C:\Users\user\AppData\Local\...\4kug0kj4.dll, PE32 77->137 dropped 90 cvtres.exe 77->90         started        process22 file23 105 C:\ProgramData\svchost.exe, PE32 84->105 dropped 107 C:\ProgramData\setup.exe, PE32+ 84->107 dropped 187 Multi AV Scanner detection for dropped file 84->187 189 Drops PE files with benign system names 84->189 92 svchost.exe 84->92         started        96 setup.exe 84->96         started        signatures24 process25 file26 127 C:\Users\user\...\ChainComServermonitor.exe, PE32 92->127 dropped 129 pFG3Duil1NAbFHoInF...Rvb98S0ewJA0VkW.vbe, data 92->129 dropped 131 C:\Users\user\...\oGgyulsi03j6EO3sjCC.bat, ASCII 92->131 dropped 219 Antivirus detection for dropped file 92->219 221 Multi AV Scanner detection for dropped file 92->221 223 Machine Learning detection for dropped file 92->223 98 wscript.exe 92->98         started        133 C:\Users\user\AppData\...\wxyubnjmnlae.tmp, PE32+ 96->133 dropped 135 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 96->135 dropped 225 Writes to foreign memory regions 96->225 227 Modifies the context of a thread in another process (thread injection) 96->227 229 Found hidden mapped module (file has been removed from disk) 96->229 231 3 other signatures 96->231 signatures27 process28 signatures29 173 Wscript starts Powershell (via cmd or directly) 98->173 175 Windows Scripting host queries suspicious COM object (likely to drop second stage) 98->175
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 08:43:04 UTC
File Type:
PE+ (Exe)
Extracted files:
1427
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uthtvwvj6rdfh5523e6lv27zstzzrtfl6zhjnc2ccjtkpcbltjrq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/240801-1z2nyaycmn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Clipboard Data
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Modifies WinLogon for persistence
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c96180c-35a1-41c2-ad9d-da540d588c07
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4cf3adaa9f44653f7bad93cbaebf994f398ccabf64e968b421266a7882b9a63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments