blankgrabber | toluen[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

toluen.rar
Size

8.4MB
MD5

06ef32e70b90533b716352712262ec82
SHA1

ac9b93b48b5b7e56fbc2cefee93cc462019c42ec
SHA256

4abd1f773140f086eb51eddd4fdfe6b1ed97ac2a9b84c39cdd7a05cc08469a7a
SHA512

3f24c7f1b710b5ae5bf348f223024a954d241b2c878c23b144f6dc3f47c11dadc78fcbfd7f3ed64e06797abb4e05c76edd03a3b789546991b5675a31d981fc85
SSDEEP

196608:2FAjJxUAPqN0kEAeG150sXPjeKpAfwdF5nNZ3455HrjnoLf3foa6UL4J:2FAjJx5qWnr65DjeKpLdznf45F3oLf3O

Score

10^/10

blankgrabber

Malware Config

Signatures

A stealer written in Python and packaged with Pyinstaller 1 IoCs

resource	yara_rule
static1/unpack002/loader-o.pyc	blankgrabber

Blankgrabber family
blankgrabber

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/17-Tolue.exe
unpack001/UnityPlayer.dll

Files

toluen.rar
.rar

Password: TOLUE17
17-Tolue.exe
.exe windows:5 windows x64

Password: TOLUE17

ba5546933531fafa869b1f86a4e2a959

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
WriteConsoleW
GetProcAddress
GetModuleFileNameW
SetDllDirectoryW
FreeLibrary
GetLastError
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetCurrentDirectoryW
FlushFileBuffers
HeapReAlloc
GetFileAttributesExW
GetStringTypeW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
SetEndOfFile

advapi32

ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW

Sections

.text
Size: 162KB - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader-o.pyc
UnityCrashHandler64.exe
.exe windows:6 windows x64

Password: TOLUE17

5c64b8e3c52925909413e148f250e94c

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29-04-2021 00:00

Not After

28-04-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21-09-2022 00:00

Not After

21-11-2033 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0f:7c:5a:5e:06:2a:bd:ba:fc:be:1e:c6:3d:4c:30:52
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

14-07-2021 00:00

Not After

18-07-2024 23:59

Subject

CN=Unity Technologies ApS,OU=Developer Services,O=Unity Technologies ApS,L=København,C=DK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0f:fc:bb:f2:9a:e2:d0:ab:f6:c4:fa:e5:c4:b6:02:11:70:30:38:46
Signer

Actual PE Digest

0f:fc:bb:f2:9a:e2:d0:ab:f6:c4:fa:e5:c4:b6:02:11:70:30:38:46

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

SetForegroundWindow
SetWindowTextW
InflateRect
UnionRect
SetWindowPos
LookupIconIdFromDirectoryEx
GetDlgItem
SendMessageW
SendDlgItemMessageA
GetWindowLongA
OffsetRect
AdjustWindowRect
EndDialog
CreateIconFromResourceEx
DialogBoxParamA
LoadImageA
GetIconInfo

kernel32

InterlockedPopEntrySList
DuplicateHandle
VirtualProtect
GetVersionExW
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
SignalObjectAndWait
CreateTimerQueue
WriteConsoleW
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapQueryInformation
HeapSize
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
HeapFree
HeapAlloc
FreeLibraryAndExitThread
GetConsoleCP
GetConsoleMode
SetConsoleCtrlHandler
GetFileType
SetStdHandle
GetModuleHandleExW
ExitProcess
InterlockedFlushSList
WaitForSingleObjectEx
CloseHandle
RaiseException
GetLastError
GetCurrentThread
OpenThread
GetThreadTimes
GetModuleHandleA
GetProcAddress
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
DeleteCriticalSection
SwitchToThread
CreateThread
GetCurrentThreadId
SetThreadPriority
GetThreadPriority
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
FreeLibrary
GetModuleFileNameA
GetModuleFileNameW
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
WideCharToMultiByte
GetCurrentProcess
SuspendThread
ResumeThread
TlsGetValue
TlsSetValue
GetThreadContext
SetLastError
CreateEventW
CreateFileW
DeleteFileW
FindClose
FindFirstFileW
FindFirstFileExW
QueryDepthSList
FlushFileBuffers
GetFileAttributesA
GetFileAttributesW
ReadFile
SetFilePointerEx
WriteFile
GetEnvironmentVariableA
GetCurrentDirectoryA
OutputDebugStringA
GetSystemTime
ReadProcessMemory
VerSetConditionMask
GetSystemTimeAsFileTime
GetCurrentProcessId
GetModuleHandleW
WaitForSingleObject
LocalFree
FormatMessageW
VerifyVersionInfoW
CreateToolhelp32Snapshot
Thread32First
Thread32Next
GetStdHandle
GetFileSize
GetTempPathW
SetEvent
Sleep
TerminateProcess
GetExitCodeProcess
CreateProcessW
GetProcessId
GetThreadId
OpenProcess
CopyFileExW
AllocConsole
SetErrorMode
GetCommandLineW
InitializeCriticalSection
CreateEventA
TerminateThread
GetExitCodeThread
LoadLibraryExW
LoadResource
LockResource
SizeofResource
FindResourceA
EnumResourceNamesA
GetFileSizeEx
IsDebuggerPresent
QueryPerformanceCounter
QueryPerformanceFrequency
ReleaseSemaphore
TlsAlloc
TlsFree
VirtualAlloc
VirtualFree
InterlockedPushEntrySList
RtlPcToFileHeader
RtlUnwindEx
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTickCount
GetCPInfo
DecodePointer
EncodePointer
GetStringTypeW
InitializeSListHead
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
UnregisterWaitEx
ResetEvent
FindNextFileW
WaitForMultipleObjectsEx

dbghelp

SymRegisterFunctionEntryCallback64
SymLoadModuleEx

shell32

CommandLineToArgvW
SHCreateDirectoryExW

ole32

CoCreateGuid
CoTaskMemFree
CoInitializeEx

psapi

GetModuleFileNameExW

advapi32

GetUserNameA

wininet

InternetOpenA
InternetCloseHandle
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetCrackUrlA

gdi32

GetObjectA

version

GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA

Sections

.text
Size: 530KB - Virtual size: 529KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 148B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 349KB - Virtual size: 349KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
UnityPlayer.dll
.dll windows:10 windows x64

Password: TOLUE17

32958480369cebb74256d975884cd863

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

malloc
__C_specific_handler
_amsg_exit
free
_XcptFilter
_initterm
memset

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage
EtwUnregisterTraceGuids

rpcrt4

RpcAsyncCancelCall
RpcBindingSetAuthInfoExW
RpcAsyncCompleteCall
NdrClientCall3
RpcAsyncInitializeHandle
RpcStringFreeW
Ndr64AsyncClientCall
RpcBindingFree
RpcStringBindingComposeW
RpcBindingSetOption
RpcBindingFromStringBindingW

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-security-base-l1-1-0

CreateWellKnownSid

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolWait
SetThreadpoolWait
CreateThreadpoolWait
WaitForThreadpoolWaitCallbacks

api-ms-win-core-synch-l1-1-0

CreateEventW
WaitForSingleObject

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW

Exports

Exports

AdhEngineClose
AdhEngineOpen
AdhGetConfig
AdhGetEvidenceCollectorResult
AdhStatusEventSubscribe
AdhStatusEventUnsubscribe
DllMain

Sections

.text
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
data.win
information.txt
options.ini

Sharing

General

Malware Config

Signatures

Files

Password: TOLUE17

Password: TOLUE17

ba5546933531fafa869b1f86a4e2a959

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

Sections

.text Size: 162KB - Virtual size: 162KB

.rdata Size: 74KB - Virtual size: 73KB

.data Size: 3KB - Virtual size: 64KB

.pdata Size: 8KB - Virtual size: 8KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 53KB - Virtual size: 53KB

.reloc Size: 2KB - Virtual size: 1KB

Password: TOLUE17

5c64b8e3c52925909413e148f250e94c

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

0f:7c:5a:5e:06:2a:bd:ba:fc:be:1e:c6:3d:4c:30:52Certificate

Extended Key Usages

Key Usages

0f:fc:bb:f2:9a:e2:d0:ab:f6:c4:fa:e5:c4:b6:02:11:70:30:38:46Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

dbghelp

shell32

ole32

psapi

advapi32

wininet

gdi32

version

Sections

.text Size: 530KB - Virtual size: 529KB

.rdata Size: 160KB - Virtual size: 159KB

.data Size: 11KB - Virtual size: 21KB

.pdata Size: 29KB - Virtual size: 29KB

_RDATA Size: 512B - Virtual size: 148B

.rsrc Size: 349KB - Virtual size: 349KB

.reloc Size: 5KB - Virtual size: 5KB

Password: TOLUE17

32958480369cebb74256d975884cd863

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

rpcrt4

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

.text
Size: 162KB - Virtual size: 162KB

.rdata
Size: 74KB - Virtual size: 73KB

.data
Size: 3KB - Virtual size: 64KB

.pdata
Size: 8KB - Virtual size: 8KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 53KB - Virtual size: 53KB

.reloc
Size: 2KB - Virtual size: 1KB

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

0f:7c:5a:5e:06:2a:bd:ba:fc:be:1e:c6:3d:4c:30:52
Certificate

0f:fc:bb:f2:9a:e2:d0:ab:f6:c4:fa:e5:c4:b6:02:11:70:30:38:46
Signer

.text
Size: 530KB - Virtual size: 529KB

.rdata
Size: 160KB - Virtual size: 159KB

.data
Size: 11KB - Virtual size: 21KB

.pdata
Size: 29KB - Virtual size: 29KB

_RDATA
Size: 512B - Virtual size: 148B

.rsrc
Size: 349KB - Virtual size: 349KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 11KB - Virtual size: 11KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 552B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 168B