blankgrabber | fc4dd1f0bc745d3960e6664d594cc7f2063bc41e9c5174b897d07af9543a408d

Sharing

General

Target

exmcrak.rar
Size

16.4MB
Sample

241029-jvtn4axfrj
MD5

de9418ed40a4108b2dafb2795eb5247f
SHA1

1c6188e39fb76c9b8e685507ed48342b3dbe545a
SHA256

fc4dd1f0bc745d3960e6664d594cc7f2063bc41e9c5174b897d07af9543a408d
SHA512

6370f04308695abcbccbdf0b58dc2489e6d32efd88c7b4247b7188f92c249d9df2e5120319438de074160704199a9742b28799668f26e9acd6d962ee7452232a
SSDEEP

393216:L8my6pS0fcMqwlyI/AoaiVtGrvWEn2ttkmqqqFi3wcmH5I:L8US0fcrwsI/HaiVtc+ZttkmqqqaQ2

Score

10^/10

Malware Config

Targets

- Target
  
  EXMPremiumTweakingUtility.dll
- Size
  
  9.4MB
- MD5
  
  7982f668b61468db933f47c6070cdf67
- SHA1
  
  cbe1c9aaf057304083db74c481d14447d5392d43
- SHA256
  
  2e3c177593b57ab54f63738dd1735da0913fc5267db43e8aeb7e3f332a2eb81a
- SHA512
  
  9430d3a951096eb1d16807091a2cac9e6d564b386639f08ef3222d489824a0b2be8bdb9678238037608b535eacf9fd7f251b80a9b9e5557a06b9c3f8072440c0
- SSDEEP
  
  196608:TBtx/R5xriFC5XdxgV7vsAWtDEupleXfMpTo2wIigoQhuxJ4V/D/3J/g6f9H:TzVeuEhvsA5ufBhopIqOu
Score

8^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  EXMPremiumTweakingUtility.exe
- Size
  
  6.2MB
- MD5
  
  2cfd340ad8e3db06594d0c0ed61cce3f
- SHA1
  
  abaec08a14a2a8057415efd7ff02fa68b2ab70ab
- SHA256
  
  d974516318fb9c3efd8c30de1041853f5e3ff1f0d211c1adba78f1ba789db1ad
- SHA512
  
  078359286a9c07a2751529f7322844ad4dd0bafcb07b6e185c44cd7088c1b6cb80e2e996d70d792f3082374289921ee94460a63881098c5dcfefc2c2c08c4610
- SSDEEP
  
  196608:fjBnxDOYjJlpZstQoS9Hf12VKX5brCxVN:LNxBpGt7G/MabuN
Score

8^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  System.Management.dll
- Size
  
  304KB
- MD5
  
  a9d07609f161c1b90ab5ac4f4d11569e
- SHA1
  
  458b9a6ddf85a5f5c8a96de4eb416b5e737bf77e
- SHA256
  
  fff7c1e9f12a99c2c52a6c0ae81075be78dbef7dbc4f1162164990b4ccf6eadd
- SHA512
  
  811bbc018352e144afd2c8ba5d10a379ca058bbcea553431544ac747c654d5d21e3359aca024b26c192d3e6639682a601a173f1624a8e8052539a22caa884fa6
- SSDEEP
  
  3072:KgHBEFyIHS/PsfxJj7TgQq3XZbIkE1HhnDQ/NpydzhI0SFpkFUNygucwycrSB9v5:REHS/PsfzLZ0/DyDnQVVvcA
Score

1^/10
behavioral5 behavioral6
- Target
  
  batchcollect/1server.py
- Size
  
  1KB
- MD5
  
  7ecc4517bf649059b43af820a60fe87a
- SHA1
  
  7b42b1ead4c95a0a358083e8e3792c6d58d14a81
- SHA256
  
  4a475bc4076aa108386e67e85616bb0d43d1151939badc51a45f861cd33ca034
- SHA512
  
  f100b2a7725055c6208e0ff70d3c60d29bbe29b058506640231baa158e54481ca8f32b4774de57c9d7d67b7fc9558d0a77e6efd995a97665b70b5713c79ea9c1
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  batchcollect/66633ccafefd3f809284c7a3
- Size
  
  273B
- MD5
  
  b80dcdbc38885d00e692306988dd713e
- SHA1
  
  e5b7e523b82a52f5aef3ca449cdea4741306180b
- SHA256
  
  0fbcb7ffbb8968d93f4afc8d4b6adff74f446c38657f1136ad1825c64874f624
- SHA512
  
  383ee1e2cd7d2c2ad5dfc9d1b9f7a8d5dfbcf4449b8eabf03da787a9c3437440b76024a967337639f94a78e0c14ebf903b60e1b27560755c35ba59b37c9d3fc0
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  batchcollect/66633ccafefd3f809284c7a5
- Size
  
  2KB
- MD5
  
  dd7d513f38df0db6030ab0c29184c80f
- SHA1
  
  8c41410e176c2d31408bd9a8c43018d76f674bcd
- SHA256
  
  3e24cd316502724b3f38decb76df5520bbeea391d7fc3cb562cbe6417c7133a9
- SHA512
  
  13ca8fec4cfdb19f43e33e19494575ac5307c71ee4a8a002405fad60f369ba0029517a6ec119df9ddd2d91b83562e12707718d8513746d4bdddfbfe6829aaff9
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  batchcollect/667184c50fa995fe2d9c7dd8
- Size
  
  1KB
- MD5
  
  bc3dfc8d7193e6bd75677ed177ed199e
- SHA1
  
  158b3c1169798e6bd51dfa9e8c1d26cb9e473462
- SHA256
  
  d979af2270779223a66597661b9630033bc3926b30c1bfc2ad8e30fea4ffe00e
- SHA512
  
  47be524dee84d2e51e28e1f600dc78d052ea6019c6ea67074a65a88bdc071858e6f4dda21807c28d0b422a2b7edcf86e374144d595625220db53e84aec69201d
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  batchcollect/67101017e4be43ad7e545dc3
- Size
  
  403B
- MD5
  
  25622f0a5dd4d750c89c68973b8b5bb4
- SHA1
  
  a5b5820a5ed69cc28674bdc0deb2d944b4e203f2
- SHA256
  
  c11bb96e11276e2a1c08250f57ae0cafb6d9627e3bd02a31fa5012a7ddbdb283
- SHA512
  
  f2332ea630060ce0e9435a42607dac0aaf161c288b642a2b38c72f39d991cca5e0870a4f7cc7f699129088dd4d84fa4a93430ce1c2b322347e3c1c6b0be212c8
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  mongocrypt.dll
- Size
  
  4.3MB
- MD5
  
  0cf27a123c4f51d1992dbf1a92218680
- SHA1
  
  0367381d9206ab869e9c9fd178378e641d30acce
- SHA256
  
  ac8c1db990bd2c5612b2929c097ed5c3e4bc047158d9d7a39c57723c614dd51e
- SHA512
  
  faab924d5d802bd25a909741e49b89e6711f38829fdd6fc874cf75bf9e17ffdf40f51e5c50cbca5ee9c79c370c6c7268cf817161e92766dbcc8a4336f3a73683
- SSDEEP
  
  49152:OSPj1pOaQ+YYkQ1Nk70RAgO53XkuqF1C3LZjSdFGKrb8c+l66LmzoxuLvxuLuxuU:NPj1pOaVYYOkuW6lGGKrb8c2vKzocF
Score

1^/10
behavioral17 behavioral18
- Target
  
  setup.bat
- Size
  
  36B
- MD5
  
  a189a345343e1516001ed722007addbe
- SHA1
  
  09ca3818597ce8a294ea2d9a98b61919a7eb7f5d
- SHA256
  
  7750ff6cd5e6763edbb844d7d9fa3414078916cfd4843486f39a2e8fcb08ab20
- SHA512
  
  9a60348d41802434b20124fbd641e7c56acb46007c1eff17da75021bf5d0e5900b07cba70b67dd3fb096ae62f5a439a75542c1545dd8d863186956df940d720f
Score

1^/10
behavioral19 behavioral20
- Target
  
  start.bat
- Size
  
  34B
- MD5
  
  69ddf56665154f3276b27c5aa379a97a
- SHA1
  
  d88a4be9caf7eb353bab8c8eaf72c984e2043367
- SHA256
  
  2528949e5227db54fd02116e1fd9b3514a13452c9bdbdb3368d03a4d48f956d5
- SHA512
  
  7e417370ee1fe1b8c86c3b36d419d7723e76803b69c91d58136ecaeaa51395fc55bca1fb96fc5dba437e55881804c1b45536eab162e3f3c01e35839542aa5579
Score

1^/10
behavioral21 behavioral22