MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69961df24aed849e852b4e95667e3d94133eccd07e687ccd1aed5e2403a6813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlankGrabber


Vendor detections: 10



SHA256 hash: e69961df24aed849e852b4e95667e3d94133eccd07e687ccd1aed5e2403a6813
SHA3-384 hash: 9da283da557cde61838eb437d5a942ac39abbef687d9ca9e65b24b69b64949ba994e35f7efde99c7e516a0e187c4a94b
SHA1 hash: 65cec22442755c017edbb006635f6dc620c1e467
MD5 hash: 6bd9fe79acd2195733924d708d02c5e2
humanhash: ten-vermont-wolfram-floor
File name: Blank Grabber.zip
Signature: BlankGrabber
File size: 915'664 bytes
First seen: 2025-12-09 00:51:00 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep 24576:GY2oAQemAMGocvm6qeFQw02dY6rR+04RXjS9APwIAFJZ2hM1kcvBh:GXmCocJIH6dV9APwnFbkMbb
TLSH T1B815337A4EC03702D5529767F66A9FBFF99C1E1B6F49720C0212D1B44AC336C910E7AA
Magika zip
Reporter smica83
Tags:BlankGrabber HUN zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: HU
File Archive Information

This file archive contains 18 file(s), sorted by their relevance:

File name:process.py
File size:8'500 bytes
SHA256 hash: 72f2b7cbcc38b79ce96d12e6fdd9a45874728a1abd49eed00438069ba8006f21
MD5 hash: 8cc1b499d73f3fc2140a5b0c97afd6f2
MIME type:text/x-python
Signature BlankGrabber
File name:requirements.txt
File size:40 bytes
SHA256 hash: c835fa03bbf8b1fea4dfea6001146028562a6716f42e3a8aa33e5a22d130350d
MD5 hash: 0717875d7e142fac144ac1e71d4ac6a0
MIME type:text/plain
Signature BlankGrabber
File name:loader.py
File size:634 bytes
SHA256 hash: e7dbfe873c719006f28e6526ef54215d7b7598bce5566734c552dab9f1f487e6
MD5 hash: ca35548638710a32f6d4bc1a61a103c5
MIME type:text/x-python
Signature BlankGrabber
File name:config.json
File size:976 bytes
SHA256 hash: 28eb749c0057fa28835c64032e1bee33f42494168dc4d21f93383020eccc5a82
MD5 hash: 17c98daace9d0baf81f6b9856c719c36
MIME type:application/json
Signature BlankGrabber
File name:stub.py
File size:102'065 bytes
SHA256 hash: 7602997372de338fbe45cb16f6bfe6d0c5bb57634ac7cf64e098a709c939d22c
MD5 hash: 6dc9bbb14ef14c45d4d5d4128dbeb5ef
MIME type:text/x-python
Signature BlankGrabber
File name:unblock_sites.py
File size:1'702 bytes
SHA256 hash: bf5c32f73990a16835b5b91f08647617dce973a68626ee4921bc5e2c5a07cafe
MD5 hash: 0d1019573b112545f9fd41a4e0acc342
MIME type:text/x-python
Signature BlankGrabber
File name:upx.exe
File size:537'600 bytes
SHA256 hash: a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b
MD5 hash: 8a98406e32ed6139bd9e75342d452948
MIME type:application/x-dosexec
Signature BlankGrabber
File name:hash
File size:49 bytes
SHA256 hash: a3a0bcb8bec1eaad047e69983080754930ef816d707cfb0c79bde28914d1c58c
MD5 hash: cc56774b629cd17fe887ccabf5461161
MIME type:application/json
Signature BlankGrabber
File name:run.bat
File size:1'339 bytes
SHA256 hash: ceade703cb46e78226dc0331ea37f3ed9f681b5969b56ddd15ca5a39e8c067d3
MD5 hash: 5beaf38a2e57c2813f6b19b3fb08aca3
MIME type:text/x-msdos-batch
Signature BlankGrabber
File name:postprocess.py
File size:2'497 bytes
SHA256 hash: 72eefc2defd861c48721f235717a0f8de430ea8f2bc290b429cfbdc906ba539c
MD5 hash: bbed9f3d87c4927b2b2bc16a6ec4da51
MIME type:text/x-python
Signature BlankGrabber
File name:rarreg.key
File size:456 bytes
SHA256 hash: 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
MD5 hash: 4531984cad7dacf24c086830068c4abe
MIME type:text/plain
Signature BlankGrabber
File name:rar.exe
File size:630'736 bytes
SHA256 hash: 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
MD5 hash: 9c223575ae5b9544bc3d69ac6364f75e
MIME type:application/x-dosexec
Signature BlankGrabber
File name:READme.txt
File size:170 bytes
SHA256 hash: b30d3a21941310b108baf1dddfc8b363a81a033025ef045d267142eb9f9e78af
MD5 hash: 10a5016f49ef1acacd6998ace35d85e6
MIME type:text/plain
Signature BlankGrabber
File name:cert
File size:9'288 bytes
SHA256 hash: 090b03e1ff82d53fb90c3776be756465d6bc4dc04b164348eeab703a72bb2243
MD5 hash: b769e370f66299bca7f86932bc24925f
MIME type:application/octet-stream
Signature BlankGrabber
File name:sigthief.py
File size:10'782 bytes
SHA256 hash: caf899aedb2b0fe154de2223d86604380d2cf4a47406f881cca680c8a4b063bf
MD5 hash: 57156b83bcfa0c8cbc0fc36aa02a1617
MIME type:text/x-python
Signature BlankGrabber
File name:Builder.bat
File size:1'107 bytes
SHA256 hash: 79e1377ac17e6aece067d4cf6a202d8baf43a9906cea353de7188c43b20500c8
MD5 hash: 69f3538d09da509b93329b22fd59a956
MIME type:text/x-msdos-batch
Signature BlankGrabber
File name:BlankOBF.py
File size:5'945 bytes
SHA256 hash: 73bd45bbbf96aa84a2abf5eef93513126bd3adbbbb5ebd5272776643d99c1fb8
MD5 hash: b3d2f59792b99d98107717d6b7100cf3
MIME type:text/x-python
Signature BlankGrabber
File name:gui.py
File size:39'438 bytes
SHA256 hash: 2541224e02dea793417cb301ee3de7097641b376df779041ff105cdf79692f1b
MD5 hash: d4516f5f779e1f422bb4fd3f204e1f2e
MIME type:text/x-python
Signature BlankGrabber
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: virus shell core
Result
Verdict: MALICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
File Type: zip
First seen: 2025-12-08T19:30:00Z UTC
Last seen: 2025-12-09T02:00:00Z UTC
Hits: ~10
Verdict: Malware
YARA: 4 match(es)
Tags: DeObfuscated Executable PDB Path PE (Portable Executable) PE File Layout PowerShell Zip Archive
Threat name: Win32.Hacktool.Generic
Status: Suspicious
First seen: 2025-12-09 00:51:20 UTC
File Type: Binary (Archive)
Extracted files: 24
AV detection: 11 of 24 (45.83%)
Threat level: 1/5
Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber linux macos upx
Behaviour: Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_decoding
Author:iam-py-test
Description:Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)
Rule name:blankgrabber_v1
Author:RandomMalware
Rule name:CMD_Ping_Localhost
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_BlankStealer
Author:ditekSHen
Description:Detects BlankStealer / BlankGrabber / Blank-c Stealer
Rule name:MALW_JS_PirateStealerPKG
Author:skyeto
Description:PirateStealer Malware
Reference:https://twitter.com/skyetothefox/status/1444442313367998467
Rule name:OBFUS_PowerShell_Common_Replace
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Sectigo_Code_Signed
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:upx_largefile
Author:k3nr9
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.
