MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 18



SHA256 hash: b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
SHA3-384 hash: 2be789e0d118b28370d48b74adf09fac97ddbc2d23c32b38146530405c80b507599fd05bb07ceeb0452dc66843a5d50d
SHA1 hash: 1634a9e1759962db670bf244b1b3f5a9e71a25d7
MD5 hash: a0936899fbf31493bbe5e34dc18a9341
humanhash: river-juliet-white-glucose
File name: A0936899FBF31493BBE5E34DC18A9341.exe
Signature: BlankGrabber
File size: 8'422'912 bytes
First seen: 2024-08-05 12:30:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 98304:ppzdbM+Q2y+aq02EPzxjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbiEJ1nL2hBnI:pDf07JOjmFQR4MVGFtwLPsnL2hVGBZ
TLSH: T1138612017F408EA1F0195677C1DF82048B74A9112BA6D71FBAA9337D5A233937C1EADB
TrID:
  63.6% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  13.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  10.3% (.EXE) InstallShield setup (43053/19/16)
  3.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  3.1% (.SCR) Windows screen saver (13097/50/3)
Reporter: abuse_ch
Tags: BlankGrabber exe


abuse_ch
BlankGrabber C2:
http://a1009150.xsph.ru/L1nc0In.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://a1009150.xsph.ru/L1nc0In.php | https://threatfox.abuse.ch/ioc/1307138/

Intelligence


File Origin
# of uploads: 1
# of downloads: 367
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: A0936899FBF31493BBE5E34DC18A9341.exe
Verdict: Malicious activity
Analysis date: 2024-08-05 12:37:55 UTC
Tags: github uac evasion xworm rat dcrat remote darkcrystal blankgrabber stealer discord susp-powershell python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Discovery Execution Infostealer Network Other Static Stealth Malware
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Enabling autorun
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Blank Grabber, DCRat, XWorm
Detection: malicious
Classification: rans.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph (ID: 1487977; sample: Vjy8d2EoqK.exe; start date: 05/08/2024; architecture: WINDOWS; score: 100)

Root-level network: ip-api.com; discordapp.com; 4 other IPs or domains
Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 25 other signatures

Process tree (numbers are the graph's node IDs):

11 Vjy8d2EoqK.exe
    dropped: C:\Users\user\AppData\Local\...\svchosts.exe (PE32); C:\Users\user\AppData\Local\Temp\S l r .exe (PE32); C:\Users\user\AppData\Local\Temp\Built.exe (PE32+)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen)
    22 svchosts.exe
        dropped: C:\Brokercrt\comReviewsession.exe (PE32); C:\Brokercrt\oqZ1ERFvWaUzYBP9Lou79Kq.bat (ASCII); C:\Brokercrt\aIVfHknoFLGNu6gLK6xZar0.vbe (data)
        signatures: Multi AV Scanner detection for dropped file
        36 wscript.exe
            signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
            57 cmd.exe
                64 comReviewsession.exe
                    dropped: C:\Windows\apppatch\en-US\conhost.exe (PE32); C:\Windows\addins\cmd.exe (PE32); C:\Windows\SysWOW64\it-IT\dasHost.exe (PE32); 6 other malicious files
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 6 other signatures
                    72 Conhost.exe
                68 conhost.exe
    26 S l r .exe
        dropped: C:\Users\user\AppData\Local\...\XClient.exe (PE32); C:\Users\user\...\SolaraBootstrapper.exe (PE32)
        39 XClient.exe
            network: cash-spoken.gl.at.ply.gg 147.185.221.21, ports 27573, 49745, 49748 (SALSGIVERUS, United States)
            dropped: C:\Users\user\AppData\Roaming\XClient.exe (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
            59 powershell.exe
                signatures: Loading BitLocker PowerShell Module
                70 conhost.exe
        43 SolaraBootstrapper.exe
            network: github.com 140.82.121.4, ports 443, 49730, 49733 (GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133, ports 443, 49732 (FASTLYUS, Netherlands)
            62 conhost.exe
15 Built.exe
    network: ip-api.com 208.95.112.1, ports 49734, 49743, 80 (TUT-ASUS, United States); discordapp.com 162.159.135.233, ports 443, 49744 (CLOUDFLARENETUS, United States)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; Modifies the hosts file; 2 other signatures
    28 cmd.exe
        signatures: Wscript starts Powershell (via cmd or directly); Uses cmd line tools excessively to alter registry or file data; Modifies Windows Defender protection settings
        45 powershell.exe
        47 conhost.exe
    30 cmd.exe
        signatures: Adds a directory exclusion to Windows Defender
        53: 3 other processes
    32 cmd.exe
        49 powershell.exe
            signatures: Loading BitLocker PowerShell Module
        51 conhost.exe
    34: 10 other processes
        55: 17 other processes
18 Built.exe
    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 16 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
20: 5 other processes
Threat name: Win32.Backdoor.DCRat
Status: Malicious
First seen: 2024-07-29 09:01:52 UTC
File Type: PE (Exe)
Extracted files: 577
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:blankgrabber family:dcrat family:xworm collection credential_access defense_evasion discovery execution infostealer persistence privilege_escalation rat spyware stealer trojan upx
Behaviour
Detects videocard installed
Gathers system information
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Credentials from Password Stores: Credentials from Web Browsers
DCRat payload
DcRat
Detect Xworm Payload
Modifies WinLogon for persistence
Process spawned unexpected child process
Xworm
Malware Config
C2 Extraction: cash-spoken.gl.at.ply.gg:27573
Unpacked files
SHA256 hash: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
MD5 hash: 6557bd5240397f026e675afb78544a26
SHA1 hash: 839e683bf68703d373b6eac246f19386bb181713
Detections: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

SHA256 hash: a7f98d3361874ac82332fbb9cded7be12ef8cb6699305351e27247a2b464272c
MD5 hash: bf19d4a22f47eea6dd1db1c98a5aac07
SHA1 hash: 384506bf1e83df03d48cdc59e7efb03d8087d3c5
Detections:

SHA256 hash: 0ec6a4a4d08b835bfbd7a9fc1ac6c4d5df57cd34f69100bff12bad050b8d6773
MD5 hash: 24dafeb85b4c72d29606adf2a59da04c
SHA1 hash: 82903e26c42111b5cbc0214bcd710b487b6c4b21
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 7d514f08d71ef5f37f1330ac320fd0d0cac3c60bb3229d94109b71ef0acb62bf
MD5 hash: 16e5fb57d5df6a8c866d104e6c48d687
SHA1 hash: 61dcbb37ccb3c6258473373319ac8a6a1f84ea38

SHA256 hash: b27cdbd5705c56034999011911997559d5eecb66e2e0d8b8c9aa843fe05d1627
MD5 hash: a0936899fbf31493bbe5e34dc18a9341
SHA1 hash: 1634a9e1759962db670bf244b1b3f5a9e71a25d7
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ByteCode_MSIL_Backdoor_AsyncRAT
Author: ReversingLabs
Description: Yara rule that detects AsyncRAT backdoor.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat

Rule name: pe_detect_tls_callbacks

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetTempPathA

Comments