MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 18


Intelligence 18 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
SHA3-384 hash: 36ac3d5df01b887559f140dde9f2d3c8d9686f3b074d9654e98f6c75d753d2568e94bc0bf66ad9605f59801704b57533
SHA1 hash: 2dda0df9f567c7632984699d1b36a3ca9ef924e9
MD5 hash: f44528aca7c9801a21ff8697db13a435
humanhash: aspen-helium-fish-uranus
File name:silverbullet 1.1.4.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:12'482'337 bytes
First seen:2025-09-19 18:35:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (39 x BlankGrabber, 16 x PythonStealer, 16 x SalatStealer)
ssdeep 196608:V1d+NTwhLmLQocCJ/IwfI9jUCOORird1Kf7LOYck0ax82Pg0uc+wit4e5jkhMg7U:VnLVo9/XIHxQ767EaxBg5wC5jkhw
TLSH T167C63352694180E9EAE39D3E9622E615C7F334516320D2EB03E897B97C670F51C3DBB2
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vobfus
Create hunting rule
ID:
1
File name:
silverbullet1.1.4.exe
Verdict:
Malicious activity
Analysis date:
2025-09-19 18:35:16 UTC
Tags:
blankgrabber uac anti-evasion vobfus worm evasion auto-startup stealer screenshot telegram pyinstaller susp-powershell generic ims-api
Link:
https://app.any.run/tasks/2bdbe0c8-7dcf-4f74-a075-74718059a6cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BlankStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28379/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cda2656b621794b130f6c3
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
DNS request
Launching a process
Creating a process from a recently created file
Loading a suspicious library
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Enabling the 'hidden' option for analyzed file
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand invalid-signature lolbin microsoft_visual_cc obfuscated overlay signed threat
Link:
https://www.filescan.io/uploads/68cda28df224aeb809c90947/reports/ccbce9e2-ac0e-44ea-91f6-30d4c4b8bc18/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-19T15:42:00Z UTC
Last seen:
2025-09-19T15:42:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.Python.Blank.gen Trojan-Spy.Win32.Agent.dffz Trojan-PSW.Python.Blank.sb Trojan.Win32.Dizemp.sb Trojan.Python.Agent.gen Trojan-PSW.Win32.Greedy.sb Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/deb17253-5b18-4743-99fc-da8895d0129b
Result
Threat name:
Python Stealer, Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780943
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Yara detected Blank Grabber
Yara detected Generic Python Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780943 Sample: silverbullet 1.1.4.exe Startdate: 19/09/2025 Architecture: WINDOWS Score: 100 62 ip-api.com 2->62 64 blank-hbd8f.in 2->64 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected Blank Grabber 2->78 80 Check if machine is in data center or colocation facility 2->80 82 9 other signatures 2->82 10 silverbullet 1.1.4.exe 85 2->10         started        13 svchost.exe 2->13         started        signatures3 process4 dnsIp5 52 C:\Users\user\AppData\Local\...\rarreg.key, ASCII 10->52 dropped 54 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->54 dropped 56 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 10->56 dropped 58 65 other files (none is malicious) 10->58 dropped 16 silverbullet 1.1.4.exe 1 10->16         started        66 127.0.0.1 unknown unknown 13->66 file6 process7 dnsIp8 60 ip-api.com 208.95.112.1, 49687, 80 TUT-ASUS United States 16->60 68 Found many strings related to Crypto-Wallets (likely being stolen) 16->68 70 Modifies Windows Defender protection settings 16->70 72 Adds a directory exclusion to Windows Defender 16->72 74 Removes signatures from Windows Defender 16->74 20 cmd.exe 1 16->20         started        23 cmd.exe 1 16->23         started        25 cmd.exe 1 16->25         started        27 3 other processes 16->27 signatures9 process10 signatures11 84 Modifies Windows Defender protection settings 20->84 86 Adds a directory exclusion to Windows Defender 20->86 88 Removes signatures from Windows Defender 20->88 29 powershell.exe 23 20->29         started        32 conhost.exe 20->32         started        34 powershell.exe 23 23->34         started        36 conhost.exe 23->36         started        38 MpCmdRun.exe 23->38         started        40 powershell.exe 22 25->40         started        42 conhost.exe 25->42         started        44 bound.exe 27->44         started        46 5 other processes 27->46 process12 signatures13 90 Loading BitLocker PowerShell Module 34->90 48 WmiPrvSE.exe 34->48         started        50 WerFault.exe 44->50         started        process14
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f44528aca7c9801a21ff8697db13a435
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d/
Verdict:
Malicious
Threat:
Family.BLANKGRABBER
Link:
https://tip.neiki.dev/file/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
Threat name:
Win64.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2025-09-19 18:35:17 UTC
File Type:
PE+ (Exe)
Extracted files:
910
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqir6mcnciindrn7fa7h7mbp2ackilcnnzlkchqrddmapqcs6foq._file
Result
Malware family:
blankgrabber
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx
Link:
https://tria.ge/reports/250919-w8qwkser3w/
Behaviour
Detects videocard installed
Gathers system information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/06935db9-e5a2-4ae1-bd22-c28aecb64fa4
Unpacked files
SH256 hash:
ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
MD5 hash:
f44528aca7c9801a21ff8697db13a435
SHA1 hash:
2dda0df9f567c7632984699d1b36a3ca9ef924e9
Link:
https://www.unpac.me/results/83d3efa1-2255-4b44-8d50-528e89b1434d/
Malware family:
BlankGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac111f304d12/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28379/

Comments