MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
SHA3-384 hash: a8736c6897e782f878c692a3e16040aa1a138b24dbeacdbb2fd6a9e31b3f7b456be8e01806bce6bf56b8458146a320f7
SHA1 hash: 4dbb508778ba7186eeb70ada2e6e1a4a4068bfcf
MD5 hash: fda9d96925c1bfa66b27b644a53e1f47
humanhash: red-violet-comet-montana
File name:fda9d969_aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:9'694'890 bytes
First seen:2023-06-02 08:29:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:vxohafMjFt58OjmFj24M6P9BYXPmSEh1LVIFC9WWMs6+R1LNW:mhafA5LKBMIBYXPTal9jMFa1LNW
Threatray 32 similar samples on MalwareBazaar
TLSH T156A633DA22D108E8E97B5739D047D057D636BC2603A8CAEF177496924E732E25C3EF18
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter pmmkowalczyk1111
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fda9d969_aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
Verdict:
Malicious activity
Analysis date:
2023-06-02 08:32:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf55a23a-5586-4f84-bffb-ea746c972ba2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394713/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89031/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6479a88bfaa640ca1b239d50/reports/1d922d11-cdd2-485b-b68c-13bb195ca571/overview
Verdict:
Malicious
Labled as:
Packed.PyInstaller
Link:
https://www.hybrid-analysis.com/sample/aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/be63b9c3-ce7e-48ce-8ea5-ccc18f9ec475
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1247476
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
DLL reload attack detected
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 880495 Sample: T4WajEw5pW.exe Startdate: 02/06/2023 Architecture: WINDOWS Score: 88 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Blank Grabber 2->63 65 Found many strings related to Crypto-Wallets (likely being stolen) 2->65 9 T4WajEw5pW.exe 67 2->9         started        process3 file4 47 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 9->47 dropped 49 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->49 dropped 51 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->51 dropped 53 59 other files (none is malicious) 9->53 dropped 67 DLL reload attack detected 9->67 69 May check the online IP address of the machine 9->69 71 Adds a directory exclusion to Windows Defender 9->71 13 T4WajEw5pW.exe 9->13         started        signatures5 process6 dnsIp7 55 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 13->55 73 Adds a directory exclusion to Windows Defender 13->73 17 cmd.exe 1 13->17         started        20 cmd.exe 1 13->20         started        22 cmd.exe 1 13->22         started        24 2 other processes 13->24 signatures8 process9 signatures10 57 Adds a directory exclusion to Windows Defender 17->57 26 net.exe 1 17->26         started        28 conhost.exe 17->28         started        30 WMIC.exe 1 20->30         started        33 conhost.exe 20->33         started        35 powershell.exe 17 22->35         started        37 conhost.exe 22->37         started        39 powershell.exe 17 24->39         started        41 conhost.exe 24->41         started        43 2 other processes 24->43 process11 signatures12 45 net1.exe 1 26->45         started        75 DLL side loading technique detected 30->75 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-01 19:20:47 UTC
File Type:
PE+ (Exe)
Extracted files:
299
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vl4lvs2qgn4yd3x3ityqsmv3z7vxjhzaxlb73d4azhtyguvkw7ya._file
Verdict:
unknown
Similar samples:
04068045a1e383d70522914bfd3ac40b0203d0cd13687ad217b92eca44450f86
BlankGrabber
12dce304f7dd9fbe88d7d8bfe943540c3fd0121fb5fb471ea080c5b4f182d39c
BlankGrabber
59ef23e21bac9718fd2d57ff8779ebc1cd2fd4ce606472c71c2f73b68b9c8fac
BlankGrabber
5ce9df04ac0b2241af1e7d9f95406dbfb628fdb0b1998667894c6e5812bcbffe
BlankGrabber
5d17781561881f8c412498515db843561d6a8971009431f390de99b3a46ec4bc
BlankGrabber
b5e6b887d6175aab915bdadee6b804a8815e9cd43ad208eedea464b338cf8c3c
BlankGrabber
d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4
BlankGrabber
e274063b7b6fc1e3646ffe18975060ec8c5aab36c7cc2c87ea991499995d22f6
BlankGrabber
ed99d62d3aed5dd968c143d9369dcf8ae903fc3eb17fe2fbb7fc3e1794e3d7dc
BlankGrabber
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/230602-kd5wgaaf22/
Behaviour
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0
MD5 hash:
fda9d96925c1bfa66b27b644a53e1f47
SHA1 hash:
4dbb508778ba7186eeb70ada2e6e1a4a4068bfcf
Link:
https://www.unpac.me/results/8a43d548-db27-454c-9402-645086688870/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aaf8bacb50337981eefb44f10932bbcfeb749f20bac3fd8f80c9e78352aab7f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/394713/

Comments