MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf926b4bbcbc68cc8dc3c65411eccbefbff2136456f7e83a8c83a79e49277d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 12


Intelligence 12 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caf926b4bbcbc68cc8dc3c65411eccbefbff2136456f7e83a8c83a79e49277d0
SHA3-384 hash: c5cfe623911fafdec9ca13b485c745e31d9704c40250ef8bc771c6b9648a676fed9ae6cf92ae43d5a241cdb6289c00f1
SHA1 hash: 780b25b4a32965ff73c273ef397b46cbdfd88fb0
MD5 hash: efeec79f2acd5a21103ab053ffab730b
humanhash: nine-hydrogen-shade-west
File name:XD.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:25'293'824 bytes
First seen:2025-06-17 13:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 786432:1zjzzu42knFQjOw+bVbhwG4hpND2DV0T4GhVp+qgK:1XPurijbtN4pQyT4Ghv+qgK
TLSH T18C47339F122309B7D7B874DBD89239A62970D3678154F8F928D5AC899404E5CE3F333A
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter burger
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
BlankStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9853/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6851683b8496028abe0dc3d8
Tags:
autorun xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Creating a window
Searching for the window
Running batch commands
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/caf926b4bbcbc68cc8dc3c65411eccbefbff2136456f7e83a8c83a79e49277d0
Result
Threat name:
Python Stealer, Blank Grabber, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1716478
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Generic Python Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1716478 Sample: XD.exe Startdate: 17/06/2025 Architecture: WINDOWS Score: 100 102 api.telegram.org 2->102 104 other-mins.gl.at.ply.gg 2->104 106 ip-api.com 2->106 136 Suricata IDS alerts for network traffic 2->136 138 Antivirus / Scanner detection for submitted sample 2->138 140 Multi AV Scanner detection for submitted file 2->140 144 16 other signatures 2->144 12 XD.exe 4 2->12         started        signatures3 142 Uses the Telegram API (likely for C&C communication) 102->142 process4 file5 82 C:\Users\user\AppData\Local\...\spoofer.exe, PE32+ 12->82 dropped 84 C:\Users\user\AppData\Local\Temp\XD.exe, PE32+ 12->84 dropped 86 C:\Users\user\AppData\...\T-protected.exe, PE32 12->86 dropped 15 spoofer.exe 41 12->15         started        19 T-protected.exe 14 6 12->19         started        22 XD.exe 1 12->22         started        process6 dnsIp7 92 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->92 dropped 94 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 15->94 dropped 96 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 15->96 dropped 100 22 other malicious files 15->100 dropped 114 Modifies Windows Defender protection settings 15->114 116 Adds a directory exclusion to Windows Defender 15->116 118 Removes signatures from Windows Defender 15->118 24 spoofer.exe 23 15->24         started        108 other-mins.gl.at.ply.gg 147.185.221.29, 18762 SALSGIVERUS United States 19->108 110 api.telegram.org 149.154.167.220, 443, 49693, 49695 TELEGRAMRU United Kingdom 19->110 98 C:\Users\user\AppData\Roaming\System.exe, PE32 19->98 dropped 120 Antivirus detection for dropped file 19->120 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->122 124 Protects its processes via BreakOnTermination flag 19->124 126 Bypasses PowerShell execution policy 19->126 28 powershell.exe 19->28         started        30 powershell.exe 19->30         started        32 powershell.exe 19->32         started        34 powershell.exe 19->34         started        128 Multi AV Scanner detection for dropped file 22->128 130 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->130 132 Query firmware table information (likely to detect VMs) 22->132 134 4 other signatures 22->134 36 conhost.exe 22->36         started        file8 signatures9 process10 dnsIp11 112 ip-api.com 208.95.112.1, 49694, 80 TUT-ASUS United States 24->112 162 Found many strings related to Crypto-Wallets (likely being stolen) 24->162 164 Tries to harvest and steal browser information (history, passwords, etc) 24->164 166 Modifies Windows Defender protection settings 24->166 170 3 other signatures 24->170 38 cmd.exe 24->38         started        41 cmd.exe 24->41         started        43 cmd.exe 24->43         started        53 23 other processes 24->53 168 Loading BitLocker PowerShell Module 28->168 45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        51 conhost.exe 34->51         started        signatures12 process13 signatures14 146 Suspicious powershell command line found 38->146 148 Encrypted powershell cmdline option found 38->148 150 Modifies Windows Defender protection settings 38->150 55 powershell.exe 38->55         started        58 conhost.exe 38->58         started        152 Removes signatures from Windows Defender 41->152 60 powershell.exe 41->60         started        71 2 other processes 41->71 62 powershell.exe 43->62         started        65 conhost.exe 43->65         started        154 Adds a directory exclusion to Windows Defender 53->154 67 getmac.exe 53->67         started        69 powershell.exe 53->69         started        73 44 other processes 53->73 process15 file16 156 Loading BitLocker PowerShell Module 60->156 88 C:\Users\user\AppData\...\rh0ya0nm.cmdline, Unicode 62->88 dropped 75 csc.exe 62->75         started        158 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 67->158 160 Writes or reads registry keys via WMI 67->160 90 C:\Users\user\AppData\Local\Temp\hzqJI.zip, RAR 73->90 dropped signatures17 process18 file19 80 C:\Users\user\AppData\Local\...\rh0ya0nm.dll, PE32 75->80 dropped 78 cvtres.exe 75->78         started        process20
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/caf926b4bbcbc68cc8dc3c65411eccbefbff2136456f7e83a8c83a79e49277d0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/efeec79f2acd5a21103ab053ffab730b
Gathering data
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-06-17 13:05:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zl4snnf3zpdizsg4hrsuchwmx3576ijwivxx5a5iza5htzeso7ia._file
Result
Malware family:
blankgrabber
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber collection credential_access defense_evasion discovery execution spyware stealer upx
Link:
https://tria.ge/reports/250617-qbt9vaxmv8/
Behaviour
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
blankgrabber
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/61dccfcb-bbcc-4b8a-a169-f0bc2e99fe3a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caf926b4bbcbc68cc8dc3c65411eccbefbff2136456f7e83a8c83a79e49277d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9853/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments