MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb072637f15adf01881b15d6be17c943d912816b43cd843ca90089d56e638c0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Techsnab


Vendor detections: 11



SHA256 hash: bb072637f15adf01881b15d6be17c943d912816b43cd843ca90089d56e638c0f
SHA3-384 hash: 6f49db922dc2a92d7e5d97c19d32912c078862bd182cc73d25be7068025c6c23e35d66db0188c30ea2bec806230d23f9
SHA1 hash: e5064f6ff049e859c479dffdb0cbebaeb215c8f4
MD5 hash: 93e7db80fcfa4066a07e96430b300713
humanhash: table-kitten-blossom-lithium
File name: Blank Grabber.exe
Signature Adware.Techsnab
File size: 7'541'956 bytes
First seen: 2022-10-15 13:30:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 5d8ee99a42355eedde2d0f35fa2ccad3 (1 x Adware.Techsnab)
ssdeep 196608:tZ5gNjs1xhaRoeUNWeVnY7/s1wIF+zKi3AvRg:mpmhBNRuszeka
Threatray 1'032 similar samples on MalwareBazaar
TLSH T1D976338566B01DE8F9E2507FD8854441EDB8B8AA2730DA4B07A4962BCE53B513C3FF71
TrID 90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
0.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags: Adware.Techsnab Blank Grabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 451
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for analyzed file
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Blank Grabber
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Disables Windows Defender (via service or powershell)
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Blank Grabber
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Behavior Graph (graph rendering not reproduced). Graph ID: 723808; Sample: Blank Grabber.exe; Startdate: 15/10/2022; Architecture: WINDOWS; Score: 100. Nodes recoverable from the graph dump: Blank Grabber.exe starts a second Blank Grabber.exe instance, which drops Python extension modules (win32crypt.pyd, unicodedata.pyd, tinyaes.cp310-win_amd64.pyd and 21 other files, 19 of them malicious) plus C:\ProgramData\...\ScreenSaver-6kL0u.scr, resolves ip-api.com (208.95.112.1, port 80) and discord.com (162.159.135.232, port 443) plus 2 other IPs or domains, and launches cmd.exe, WMIC.exe, pm.bam, ck.bam, conhost.exe, net1.exe and 58 other processes; pm.bam, cm.bam and ck.bam are dropped under C:\Users\user\AppData\Local\Temp\.... The signatures attached to these nodes are the ones listed under Signature above.
Threat name:
Win64.Trojan.Convagent
Status:
Malicious
First seen:
2022-10-15 13:31:21 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
9 of 42 (21.43%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SHA256 hash:
bb072637f15adf01881b15d6be17c943d912816b43cd843ca90089d56e638c0f
MD5 hash:
93e7db80fcfa4066a07e96430b300713
SHA1 hash:
e5064f6ff049e859c479dffdb0cbebaeb215c8f4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Multiple

Comments