MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f348584967e1869fce5e6208cd86713dada23c117ae3f65d4bd0393d4c379f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 18

SHA256 hash: f348584967e1869fce5e6208cd86713dada23c117ae3f65d4bd0393d4c379f12
SHA3-384 hash: ec7bd73be49ddd6c7df142f22e618334354c3df1f360cc9a163540f402b54f25be76e9f2caa35d6362f27c0f37366c56
SHA1 hash: 742b2b50f2bb16e03b342ebf866017320bb3de32
MD5 hash: 905203c5f78f82d73b795975aa02d429
humanhash: double-yellow-bacon-jersey
File name: Ocho_Spoofer.exe
Signature: BlankGrabber
File size: 16'293'376 bytes
First seen: 2025-12-12 18:49:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep: 393216:oLGr5Es7FvscTquke+s+qXjkjQ2Ic01Cp:oLU2spvzquke8qXiQJY
Threatray: 617 similar samples on MalwareBazaar
TLSH: T1B4F623B26BFE2F1AFE4B583F8B296F75568D1B4068840BF1E5940F51BE61CE31026127
TrID: 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: burger
Tags: BlankGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: DE

Vendor Threat Intelligence
Malware configuration found for: BlankGrabber BlankOBF SilentCryptoMiner UnamBinder
Details (extractor: what it yields):
Archives: extracted contents of the ZIP archive
BlankGrabber: BlankGrabber Loader Assembly and an encrypted component
BlankGrabber: a c2 url, a mutex, an archive password, and flags
BlankGrabber: AES-GCM decryption parameters, and, if the parent PyInstaller is available, a decrypted component
BlankOBF: a deobfuscated component
BlankOBF: an LZMA decompressed component
PEPacker: a UPX version number and an unpacked binary
SilentCryptoMiner: AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address
UnamBinder: XOR decrypted component(s)
Malware family: n/a
ID: 1
File name: Ocho_Spoofer.exe
Verdict: Malicious activity
Analysis date: 2025-12-12 18:49:41 UTC
Tags: evasion python screenshot anti-evasion blankgrabber auto-startup stealer telegram susp-powershell winring0-sys vuln-driver uac amsi-bypass

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: vmdetect xmrig

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-vm installer-heuristic packed

Verdict: Malicious
File Type: exe x32
First seen: 2025-12-12T15:53:00Z UTC
Last seen: 2025-12-12T16:15:00Z UTC
Hits: ~10
Detections: Trojan-GameThief.MSIL.Worgtop.c Trojan-Spy.Win32.Agent.dffz Trojan-PSW.Python.Blank.sb HEUR:Trojan-PSW.Python.Blank.gen HEUR:Trojan.Win32.Agent.pef Trojan-PSW.Win32.Greedy.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Dizemp.sb Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.Win32.Generic Trojan-Dropper.Win32.Agent.sb Trojan-PSW.Win32.Disco.sb Trojan-GameThief.MSIL.Worgtop.b Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win32.Hosts2.gen HEUR:Trojan.Multi.Agent.gen Trojan-PSW.MSIL.Mercurial.sb Trojan.Python.Agent.gen Trojan-GameThief.Win32.Worgtop.f RiskTool.BitCoinMiner.TCP.C&C RiskTool.BitCoinMiner.UDP.C&C

Result
Threat name: Blank Grabber
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Obfuscated command line found
Removes signatures from Windows Defender
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Uses WMIC command to query system information (often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Blank Grabber
Behaviour
Behavior Graph ID: 1831840 (Sample: Ocho_Spoofer.exe, Startdate: 12/12/2025, Architecture: WINDOWS, Score: 100). The rendered graph is not reproduced here; what it recorded: Ocho_Spoofer.exe drops Loader.exe and Driver.exe (both PE32+) into C:\Users\user\AppData\Local\Temp and starts them alongside powershell.exe; Loader.exe drops rarreg.key, unicodedata.pyd, sqlite3.dll and 22 other non-malicious files and spawns cmd.exe, WMIC.exe, tasklist.exe, MpCmdRun.exe and further powershell.exe children; Driver.exe modifies the hosts file, drops MicrosoftEdgeSetup.exe under C:\ProgramData, and changes power settings via powercfg.exe; dllhost.exe injects into explorer.exe, winlogon.exe, lsass.exe, dwm.exe and 15 other processes; contacted hosts are blank-zjtaf.in and ip-api.com (208.95.112.1, port 80). The signatures on the graph nodes are the ones listed above.

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2025-12-12 18:49:43 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 30 of 38 (78.95%)
Threat level: 3/5

Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber bootkit defense_evasion discovery execution persistence stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
UPX packed file
Enumerates connected drives
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Drops file in Drivers directory
Sets service image path in registry
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
blankgrabber
Unpacked files
SHA256 hash: f348584967e1869fce5e6208cd86713dada23c117ae3f65d4bd0393d4c379f12
MD5 hash: 905203c5f78f82d73b795975aa02d429
SHA1 hash: 742b2b50f2bb16e03b342ebf866017320bb3de32
Malware family: BlankGrabber
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Suspicious_PssCaptureSnapshot_Usage
Author: Dana Behling - Just me not for personal curiosity, no company.
Description: Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments