MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fccf2be42bab41f3d1f8bb7778765729cdf5ed10a0bd65871ba3bd2b827c2402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber

Vendor detections: 13

SHA256 hash: fccf2be42bab41f3d1f8bb7778765729cdf5ed10a0bd65871ba3bd2b827c2402
SHA3-384 hash: 8526c8884555b3b5ee39f2118a6e6f4ac0ddb312c6c037bbf9390f6afdd67d3fb821e1380fd141d06b785843f1fb0dc8
SHA1 hash: 5bae148e9a1865370d25d805439e60f057806a04
MD5 hash: 4ce7dec7f0af15277eec727a9e20142e
humanhash: solar-muppet-edward-winner
File name: TS-240605-Millenium1.exe
Signature: BlankGrabber
File size: 38'730'377 bytes
First seen: 2024-06-05 01:54:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f4f2e2b03fe5666a721620fcea3aea9b (15 x BlankGrabber, 10 x PythonStealer, 6 x CrealStealer)
ssdeep: 786432:xRaNrdmuVZJW4j1B6O7WfE1StERPeJSu/6jsdbOr4q:xR0rEuTJWSfbyfEItERPeguAsd
TLSH: T19487338023021932F6A94179E79C640AEFF5F636A7D5666357E043B32F43B92C628F53
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter: kafan_shengui
Tags: BlankGrabber exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 377
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fccf2be42bab41f3d1f8bb7778765729cdf5ed10a0bd65871ba3bd2b827c2402.exe
Verdict: Malicious activity
Analysis date: 2024-06-05 01:56:44 UTC
Tags: blankgrabber python evasion telegram stealer exfiltration miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process from a recently created file
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint lolbin microsoft_visual_cc overlay packed pyinstaller

Result
Verdict: MALICIOUS

Result
Threat name: Blank Grabber, Discord Token Stealer, Mi
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Stop multiple services
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
Stops critical windows services
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Blank Grabber
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 1452142, Sample: TS-240605-Millenium1.exe, Startdate: 05/06/2024, Architecture: WINDOWS, Score: 100
Gathering data
Threat name: Win64.Trojan.Malgent
Status: Malicious
First seen: 2024-06-03 17:40:24 UTC
File Type: PE+ (Exe)
Extracted files: 1454
AV detection: 12 of 38 (31.58%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: milleniumrat
Score: 10/10
Tags: family:milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Detects videocard installed
Enumerates processes with tasklist
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Contacts a large (1184) amount of remote hosts
Stops running service(s)
MilleniumRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: PyInstaller_Packed_April_2024
Author: NDA0N
Description: Detects files packed with PyInstaller

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (FORCE_INTEGRITY)
Severity: high

Reviews

ID: AUTH_API
Capabilities: Manipulates User Authorization
Evidence: ADVAPI32.dll::ConvertSidToStringSidW, ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW

ID: SECURITY_BASE_API
Capabilities: Uses Security Base API
Evidence: ADVAPI32.dll::GetTokenInformation

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW, KERNEL32.dll::GetCommandLineA

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleCtrlHandler, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::RemoveDirectoryW, KERNEL32.dll::SetDllDirectoryW

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence: USER32.dll::CreateWindowExW
