MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606
SHA3-384 hash: e8ed716d2740f0a562d2c53bba19defa8f17210956409dcfcd46a8d4bc42df90c7d0aba6f5b346c4a179e3b52078ca91
SHA1 hash: 61bd0dd9ce4efeb881e3a0e968cdebb925c45665
MD5 hash: 6f0e94c80d8b9c98ea75bff456eff5a2
humanhash: black-april-ohio-oregon
File name:6f0e94c80d8b9c98ea75bff456eff5a2
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:12'932'608 bytes
First seen:2023-12-16 17:52:41 UTC
Last seen:2023-12-16 19:28:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 393216:NSCEslyO0f4YXDe6lUvlQtav6iiALTfEMf4EwzhMW:M0lytXD1kl23iiALjQq
TLSH T186D623BC59C5694BCC7911318399EBFC61DD716952D29AEE89F982640F32F1F8003EB8
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 71f4a2cccc8ac461 (2 x BlankGrabber, 1 x CoinMiner)
Reporter zbetcheckin
Tags:32 BlankGrabber exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468073/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.30903.7134.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Running batch commands
DNS request
Reading critical registry keys
Deleting a system file
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
Searching for synchronization primitives
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/657de3ffb855eb3693dfbbe2/reports/99c25bc6-cc24-481c-81fe-004433ed4abd/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e113a14-4a57-4a85-baea-ec13fe4e07c2
Result
Threat name:
Blank Grabber, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363459
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Blank Grabber
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363459 Sample: x8Rh3L1DiO.exe Startdate: 16/12/2023 Architecture: WINDOWS Score: 100 124 pastebin.com 2->124 126 xmr.2miners.com 2->126 128 3 other IPs or domains 2->128 166 Snort IDS alert for network traffic 2->166 168 Multi AV Scanner detection for domain / URL 2->168 170 Malicious sample detected (through community Yara rule) 2->170 174 12 other signatures 2->174 11 x8Rh3L1DiO.exe 3 2->11         started        15 wyukybfpfewl.exe 2->15         started        signatures3 172 Connects to a pastebin service (likely for C&C) 124->172 process4 file5 118 C:\Users\user\AppData\...\bllN556gSa.exe, PE32+ 11->118 dropped 120 C:\Users\user\AppData\Local\...\M2221bnNG.exe, PE32+ 11->120 dropped 202 Encrypted powershell cmdline option found 11->202 17 bllN556gSa.exe 22 11->17         started        21 M2221bnNG.exe 1 2 11->21         started        23 powershell.exe 22 11->23         started        122 C:\Windows\Temp\knekxmgwkkuj.sys, PE32+ 15->122 dropped 204 Antivirus detection for dropped file 15->204 206 Multi AV Scanner detection for dropped file 15->206 208 Protects its processes via BreakOnTermination flag 15->208 210 3 other signatures 15->210 25 dialer.exe 15->25         started        27 dialer.exe 15->27         started        30 cmd.exe 15->30         started        32 7 other processes 15->32 signatures6 process7 dnsIp8 100 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 17->100 dropped 102 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 17->102 dropped 104 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 17->104 dropped 108 16 other malicious files 17->108 dropped 140 Drops PE files with a suspicious file extension 17->140 142 Drops PE files to the startup folder 17->142 162 3 other signatures 17->162 34 bllN556gSa.exe 91 17->34         started        106 C:\ProgramData\...\wyukybfpfewl.exe, PE32+ 21->106 dropped 144 Antivirus detection for dropped file 21->144 146 Multi AV Scanner detection for dropped file 21->146 148 Uses cmd line tools excessively to alter registry or file data 21->148 150 Modifies the context of a thread in another process (thread injection) 21->150 39 dialer.exe 21->39         started        41 cmd.exe 21->41         started        43 cmd.exe 21->43         started        47 10 other processes 21->47 152 Potential dropper URLs found in powershell memory 23->152 45 conhost.exe 23->45         started        154 Injects code into the Windows Explorer (explorer.exe) 25->154 156 Writes to foreign memory regions 25->156 158 Allocates memory in foreign processes 25->158 164 2 other signatures 25->164 49 3 other processes 25->49 134 94.156.71.160, 49738, 49744, 80 TERASYST-ASBG Bulgaria 27->134 136 pastebin.com 104.20.68.143, 443, 49733 CLOUDFLARENETUS United States 27->136 138 2 other IPs or domains 27->138 160 Query firmware table information (likely to detect VMs) 27->160 51 2 other processes 30->51 53 8 other processes 32->53 file9 signatures10 process11 dnsIp12 130 ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States 34->130 132 discord.com 162.159.128.233, 443, 49742 CLOUDFLARENETUS United States 34->132 110 C:\ProgramData\Microsoft\Windows\...\??.scr, PE32+ 34->110 dropped 112 C:\Windows\System32\drivers\etc\hosts, ASCII 34->112 dropped 114 C:\Users\user\AppData\...\ONBQCLYSPU.docx, ASCII 34->114 dropped 116 2 other malicious files 34->116 dropped 176 Tries to harvest and steal browser information (history, passwords, etc) 34->176 178 Modifies Windows Defender protection settings 34->178 180 Modifies the hosts file 34->180 188 3 other signatures 34->188 55 cmd.exe 1 34->55         started        58 cmd.exe 1 34->58         started        60 cmd.exe 34->60         started        64 10 other processes 34->64 182 Contains functionality to inject code into remote processes 39->182 184 Writes to foreign memory regions 39->184 186 Allocates memory in foreign processes 39->186 190 3 other signatures 39->190 62 lsass.exe 39->62 injected 66 3 other processes 39->66 68 2 other processes 41->68 70 2 other processes 43->70 72 7 other processes 47->72 file13 signatures14 process15 signatures16 192 Suspicious powershell command line found 55->192 194 Uses cmd line tools excessively to alter registry or file data 55->194 196 Modifies Windows Defender protection settings 55->196 74 powershell.exe 23 55->74         started        76 conhost.exe 55->76         started        78 attrib.exe 58->78         started        80 conhost.exe 58->80         started        82 conhost.exe 60->82         started        84 reg.exe 60->84         started        198 Installs new ROOT certificates 62->198 200 Adds a directory exclusion to Windows Defender 64->200 86 conhost.exe 64->86         started        88 powershell.exe 64->88         started        90 18 other processes 64->90 process17 process18 92 conhost.exe 78->92         started        94 conhost.exe 82->94         started        96 conhost.exe 86->96         started        98 Conhost.exe 88->98         started       
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 18:59:17 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 23 (86.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xq4lmgtbi4yo4bf76ma5aojon77clk6tn2c7h6r6meaqkv7cyda._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer upx
Link:
https://tria.ge/reports/231216-wgaehsdga9/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606
MD5 hash:
6f0e94c80d8b9c98ea75bff456eff5a2
SHA1 hash:
61bd0dd9ce4efeb881e3a0e968cdebb925c45665
Link:
https://www.unpac.me/results/e1635b45-5f52-45b9-b1a5-c742a22450af/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5e1c5b0d30a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlankGrabber

Executable exe e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2741439/
Cape
Cape
https://www.capesandbox.com/analysis/468073/

Comments


Avatar
zbet commented on 2023-12-16 17:52:42 UTC

url : hxxp://94.156.71.160/updater.exe