MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
SHA3-384 hash: 0b0e857a4747269927ba2c9f53bbd07f8b4c082d563989ccfa9e0310d0dfd62ebec0835760d476801c03feb6a93b2242
SHA1 hash: 3ae4ec10990ff35a466328f1bc0e8ece616df3c3
MD5 hash: 7aa4185295ab3f4f896704aed05c0795
humanhash: ceiling-oscar-fourteen-quebec
File name:7AA4185295AB3F4F896704AED05C0795.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:22'314'496 bytes
First seen:2024-08-01 08:55:21 UTC
Last seen:2024-08-01 09:21:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 393216:jVymy1SvjN1GnU7s1/aRUFWYbyemyzgnfpyyxlj3OMddmZceVUJA9OhBI1Hs7:Em+SvZs+sldbzgRhFldmZceX9OP7
TLSH T16727339BF9236CEAD5D6ACB01D1F4C016518F79158006EECA18CFEE5D7ACB0C6E16A70
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:BlankGrabber exe


Avatar
abuse_ch
BlankGrabber C2:
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php https://threatfox.abuse.ch/ioc/1305630/

Intelligence

File Origin
# of uploads :
2
# of downloads :
429
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
7AA4185295AB3F4F896704AED05C0795.exe
Verdict:
Malicious activity
Analysis date:
2024-08-01 09:19:58 UTC
Tags:
pyinstaller stealer discord evasion blankgrabber telegram susp-powershell python rat dcrat remote darkcrystal miner netreactor api-base64 wmi-base64
Link:
https://app.any.run/tasks/222de416-7847-449d-ab85-3b7160da452c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ab4da7b7a04efc74398915
Tags:
Discovery Execution Generic Network Stealth Trojan Variant
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% subdirectories
Running batch commands
DNS request
Connection attempt
Sending a custom TCP request
Searching for the window
Creating a window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Launching the process to change network settings
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
Result
Verdict:
MALICIOUS
Result
Threat name:
Blank Grabber, DCRat, Discord Rat, PureL
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1485949
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to disable the Task Manager (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found pyInstaller with non standard icon
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Discord Rat
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1485949 Sample: 87Bym0x4Fy.exe Startdate: 01/08/2024 Architecture: WINDOWS Score: 100 149 gateway.discord.gg 2->149 173 Antivirus detection for dropped file 2->173 175 Antivirus / Scanner detection for submitted sample 2->175 177 Sigma detected: Capture Wi-Fi password 2->177 179 26 other signatures 2->179 15 87Bym0x4Fy.exe 6 2->15         started        19 powershell.exe 2->19         started        21 cscript.exe 2->21         started        23 2 other processes 2->23 signatures3 process4 file5 143 C:\Users\user\...\RuntimeBroker2.0.exe, PE32+ 15->143 dropped 145 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 15->145 dropped 147 C:\Users\user\AppData\...\87Bym0x4Fy.exe.log, CSV 15->147 dropped 153 Encrypted powershell cmdline option found 15->153 25 RuntimeBroker.exe 13 15->25         started        29 powershell.exe 23 15->29         started        31 RuntimeBroker2.0.exe 14 2 15->31         started        34 powershell.exe 15 15->34         started        155 Loading BitLocker PowerShell Module 19->155 36 conhost.exe 19->36         started        157 Found direct / indirect Syscall (likely to bypass EDR) 21->157 38 WerFault.exe 23->38         started        signatures6 process7 dnsIp8 119 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 25->119 dropped 121 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 25->121 dropped 123 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 25->123 dropped 125 8 other files (7 malicious) 25->125 dropped 211 Found pyInstaller with non standard icon 25->211 40 RuntimeBroker.exe 25->40         started        213 Loading BitLocker PowerShell Module 29->213 42 conhost.exe 29->42         started        151 gateway.discord.gg 162.159.130.234, 443, 49730 CLOUDFLARENETUS United States 31->151 44 WerFault.exe 31->44         started        46 conhost.exe 34->46         started        file9 signatures10 process11 process12 48 cmd.exe 40->48         started        51 SIHClient.exe 40->51         started        signatures13 159 Wscript starts Powershell (via cmd or directly) 48->159 161 Very long command line found 48->161 163 Encrypted powershell cmdline option found 48->163 165 5 other signatures 48->165 53 Build.exe 48->53         started        57 conhost.exe 48->57         started        process14 file15 109 C:\ProgramData\Microsoft\hacn.exe, PE32+ 53->109 dropped 111 C:\ProgramData\Microsoft\based.exe, PE32+ 53->111 dropped 189 Multi AV Scanner detection for dropped file 53->189 191 Machine Learning detection for dropped file 53->191 59 hacn.exe 53->59         started        63 based.exe 53->63         started        signatures16 process17 file18 127 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 59->127 dropped 129 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 59->129 dropped 131 C:\Users\user\AppData\Local\Temp\...\s.exe, PE32 59->131 dropped 139 8 other files (7 malicious) 59->139 dropped 215 Multi AV Scanner detection for dropped file 59->215 217 Machine Learning detection for dropped file 59->217 65 hacn.exe 59->65         started        133 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 63->133 dropped 135 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 63->135 dropped 137 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 63->137 dropped 141 16 other files (15 malicious) 63->141 dropped 219 Very long command line found 63->219 221 Modifies Windows Defender protection settings 63->221 223 Adds a directory exclusion to Windows Defender 63->223 225 2 other signatures 63->225 67 based.exe 63->67         started        signatures19 process20 signatures21 70 cmd.exe 65->70         started        181 Very long command line found 67->181 183 Tries to harvest and steal browser information (history, passwords, etc) 67->183 185 Modifies Windows Defender protection settings 67->185 187 5 other signatures 67->187 72 cmd.exe 67->72         started        75 cmd.exe 67->75         started        77 cmd.exe 67->77         started        79 12 other processes 67->79 process22 signatures23 81 s.exe 70->81         started        85 conhost.exe 70->85         started        199 Wscript starts Powershell (via cmd or directly) 72->199 201 Very long command line found 72->201 203 Encrypted powershell cmdline option found 72->203 97 2 other processes 72->97 205 Adds a directory exclusion to Windows Defender 75->205 87 powershell.exe 75->87         started        89 conhost.exe 75->89         started        207 Modifies Windows Defender protection settings 77->207 91 powershell.exe 77->91         started        93 conhost.exe 77->93         started        209 Tries to harvest and steal WLAN passwords 79->209 95 powershell.exe 79->95         started        99 22 other processes 79->99 process24 file25 105 C:\ProgramData\svchost.exe, PE32 81->105 dropped 107 C:\ProgramData\setup.exe, PE32+ 81->107 dropped 167 Drops PE files with benign system names 81->167 101 svchost.exe 81->101         started        169 Loading BitLocker PowerShell Module 91->169 171 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 99->171 signatures26 process27 file28 113 C:\Users\user\...\ChainComServermonitor.exe, PE32 101->113 dropped 115 pFG3Duil1NAbFHoInF...Rvb98S0ewJA0VkW.vbe, data 101->115 dropped 117 C:\Users\user\...\oGgyulsi03j6EO3sjCC.bat, ASCII 101->117 dropped 193 Antivirus detection for dropped file 101->193 195 Multi AV Scanner detection for dropped file 101->195 197 Machine Learning detection for dropped file 101->197 signatures29
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
Gathering data
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 16:10:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmya6ehdsgvbqxvjkvozcixzdxfi5mw7wbspcqmagqhurob34yrq._file
Verdict:
malicious
Result
Malware family:
discordrat
Create hunting rule
Score:
  10/10
Tags:
family:discordrat collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller rat rootkit spyware stealer upx
Link:
https://tria.ge/reports/240801-kv1m3ssekn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Clipboard Data
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Discord RAT
Modifies WinLogon for persistence
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5152336a-e5b9-481d-ae4d-c0e371801809
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments