MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 12


Intelligence 12 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52
SHA3-384 hash: 50d3cdfd5d2f30642f42d82dfaffacfb78ac3918f6d5e2de4d3d2ce898a39a0521354cc025e3d9dfce429c2072d33994
SHA1 hash: 390b339baa457cbea092497c1d78b998837aef3a
MD5 hash: c7605aa6808be099dcd48d800545fa6b
humanhash: october-skylark-grey-juliet
File name:main.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:30'580'992 bytes
First seen:2025-02-08 20:08:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (48 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 786432:JcYpu9iHAvODWBGkeDoqr3EANTYaGVMp6BYiXEW:JcYw9iHFyBGkQoqr3EANsqpaYv
TLSH T19067335AA2D42865F974617DFCC2C90B8A7AF8345B60C6E7022EDB812F737C45AF1720
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter aachum
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
593
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
Everythin.exe
Verdict:
Malicious activity
Analysis date:
2025-02-08 20:07:26 UTC
Tags:
python njrat pyinstaller
Link:
https://app.any.run/tasks/b1ba4f86-b7cf-432a-a90a-7a063c360f59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a7bafbd010e522d1b81885
Tags:
installer asyncrat virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching the process to change network settings
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52
Result
Verdict:
UNKNOWN
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1610246
Signature
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1610246 Sample: main.exe Startdate: 08/02/2025 Architecture: WINDOWS Score: 100 120 api.telegram.org 2->120 122 ip-api.com 2->122 130 Suricata IDS alerts for network traffic 2->130 132 Sigma detected: Capture Wi-Fi password 2->132 134 Multi AV Scanner detection for submitted file 2->134 138 7 other signatures 2->138 15 main.exe 13 2->15         started        signatures3 136 Uses the Telegram API (likely for C&C communication) 120->136 process4 file5 112 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->112 dropped 114 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 15->114 dropped 116 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 15->116 dropped 118 8 other malicious files 15->118 dropped 128 Found pyInstaller with non standard icon 15->128 19 main.exe 15->19         started        signatures6 process7 process8 21 cmd.exe 1 19->21         started        signatures9 140 Suspicious powershell command line found 21->140 142 Uses netsh to modify the Windows network and firewall settings 21->142 144 Modifies Windows Defender protection settings 21->144 146 3 other signatures 21->146 24 Build.exe 6 21->24         started        28 conhost.exe 21->28         started        process10 file11 84 C:\ProgramData\Microsoft\hacn.exe, PE32+ 24->84 dropped 86 C:\ProgramData\Microsoft\based.exe, PE32+ 24->86 dropped 166 Multi AV Scanner detection for dropped file 24->166 30 based.exe 22 24->30         started        34 hacn.exe 13 24->34         started        signatures12 process13 file14 96 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 30->96 dropped 98 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 30->98 dropped 100 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 30->100 dropped 108 16 other malicious files 30->108 dropped 176 Multi AV Scanner detection for dropped file 30->176 178 Modifies Windows Defender protection settings 30->178 180 Adds a directory exclusion to Windows Defender 30->180 184 2 other signatures 30->184 36 based.exe 19 30->36         started        102 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 34->102 dropped 104 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 34->104 dropped 106 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 34->106 dropped 110 8 other malicious files 34->110 dropped 182 Found pyInstaller with non standard icon 34->182 40 hacn.exe 34->40         started        signatures15 process16 dnsIp17 124 ip-api.com 208.95.112.1, 49908, 80 TUT-ASUS United States 36->124 126 api.telegram.org 149.154.167.220, 443, 49914, 49921 TELEGRAMRU United Kingdom 36->126 148 Found many strings related to Crypto-Wallets (likely being stolen) 36->148 150 Tries to harvest and steal browser information (history, passwords, etc) 36->150 152 Modifies Windows Defender protection settings 36->152 154 4 other signatures 36->154 42 cmd.exe 36->42         started        45 cmd.exe 36->45         started        47 cmd.exe 36->47         started        51 23 other processes 36->51 49 cmd.exe 1 40->49         started        signatures18 process19 signatures20 168 Modifies Windows Defender protection settings 42->168 53 powershell.exe 42->53         started        66 2 other processes 42->66 170 Adds a directory exclusion to Windows Defender 45->170 56 powershell.exe 45->56         started        58 conhost.exe 45->58         started        68 2 other processes 47->68 60 Build.exe 4 49->60         started        62 conhost.exe 49->62         started        172 Suspicious powershell command line found 51->172 174 Tries to harvest and steal WLAN passwords 51->174 64 getmac.exe 51->64         started        70 45 other processes 51->70 process21 file22 156 Loading BitLocker PowerShell Module 56->156 73 WmiPrvSE.exe 56->73         started        158 Multi AV Scanner detection for dropped file 60->158 160 Machine Learning detection for dropped file 60->160 75 based.exe 60->75         started        78 hacn.exe 60->78         started        162 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 64->162 164 Writes or reads registry keys via WMI 64->164 82 C:\Users\user\AppData\Local\Temp\UUNRQ.zip, RAR 70->82 dropped signatures23 process24 file25 88 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 75->88 dropped 90 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 75->90 dropped 92 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 75->92 dropped 94 16 other malicious files 75->94 dropped 80 based.exe 75->80         started        process26
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52
Gathering data
Threat name:
Win64.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-01-02 00:27:52 UTC
File Type:
PE+ (Exe)
Extracted files:
1719
AV detection:
24 of 38 (63.16%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ygrbj7ekyyjhjkcw253kngiev3o3fb3pb3u3dbunp6jtkdqln5ja._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection credential_access discovery execution persistence privilege_escalation pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/250208-yw9t2a1qat/
Behaviour
Detects videocard installed
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks computer location settings
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1171fcb-efac-4238-83e8-db07b3a9102f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Emotet
Create hunting rule
Author:kevoreilly
Description:Emotet Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 6df749c99fac5bc1097bdd0566120dbd7f38aa392b06227b66efff14412b80c9

BlankGrabber

Executable exe c1a214fc8ac61274a856d776a69904aeddb2876f0ee9b1868d7f93350e0b6f52

(this sample)

  
Link
https://tria.ge/250208-yqdvea1lgx/behavioral1
  
Dropped by
SHA256 6df749c99fac5bc1097bdd0566120dbd7f38aa392b06227b66efff14412b80c9
  
Dropped by
MD5 d83d5ff23292103a65b43fbd42b7f243

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments