blankgrabber | 36d76bec8aab1199c777bc14e10a0cf02411d3eefe1116c8a7b6a6aef6a2678c

Sharing

General

Target

PoorChecker 2.7V.rar
Size

27.3MB
Sample

241116-w7wens1gkk
MD5

b953de35b7b2f8437c0ab6a5caaa77e7
SHA1

a87d7c8dfcca9edf95901a7d82f8d6e561b37145
SHA256

36d76bec8aab1199c777bc14e10a0cf02411d3eefe1116c8a7b6a6aef6a2678c
SHA512

a901d3d9897777830c60de63055e40e1e7e60b64390d5f3dddf2ac4bf7747a644c3fd253bd52ba60e0ed69f88b84351db87a163a427e70752330075dcb16a982
SSDEEP

786432:hANzjbwx2YTFeTcFz1dZk1/OZlaMGnsPc7Wlq:KNz3Q2GFgcFzzZ6zMLLs

Score

10^/10

Malware Config

Targets

- Target
  
  PoorChecker 2.7V.rar
- Size
  
  27.3MB
- MD5
  
  b953de35b7b2f8437c0ab6a5caaa77e7
- SHA1
  
  a87d7c8dfcca9edf95901a7d82f8d6e561b37145
- SHA256
  
  36d76bec8aab1199c777bc14e10a0cf02411d3eefe1116c8a7b6a6aef6a2678c
- SHA512
  
  a901d3d9897777830c60de63055e40e1e7e60b64390d5f3dddf2ac4bf7747a644c3fd253bd52ba60e0ed69f88b84351db87a163a427e70752330075dcb16a982
- SSDEEP
  
  786432:hANzjbwx2YTFeTcFz1dZk1/OZlaMGnsPc7Wlq:KNz3Q2GFgcFzzZ6zMLLs
Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  PoorChecker 2.7V/Database/d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  2191e768cc2e19009dad20dc999135a3
- SHA1
  
  f49a46ba0e954e657aaed1c9019a53d194272b6a
- SHA256
  
  7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
- SHA512
  
  5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
- SSDEEP
  
  49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score

1^/10
behavioral2
- Target
  
  PoorChecker 2.7V/Database/ffmpeg.dll
- Size
  
  2.7MB
- MD5
  
  d5e1f1e9d0ccfe7f21b5c3750b202b4d
- SHA1
  
  74144ac93c0c58a9b9288bce5d06814c9a1b1dc2
- SHA256
  
  e1ab367644f72ebcdc8eb3fcfe829ff51719559ac2a43a1600e712b16871ad65
- SHA512
  
  dcf70d43f1a83c424be99c38e33e520c72115c3d30945980e5e394d460462251bde309e543213b2b08dcbe9769d11d46792e1cc99aa42777fcc34d6f3361a3d2
- SSDEEP
  
  49152:EZ2KxYmwFfgQQs0ShPrF0/zO6R0gRhPj3hTUctrRhuwSnKxqgI5IN8N3lzl3hqzb:Aofp1Pyi54wnKxqg4INhhd
Score

1^/10
behavioral3
- Target
  
  PoorChecker 2.7V/Database/libEGL.dll
- Size
  
  469KB
- MD5
  
  dd78b86b3c92d61c37b44ef5b157cfe0
- SHA1
  
  4dcf9ebc3ff5ca552c0e83469b921153b29aea1f
- SHA256
  
  e142752e073c0051a0beb963981af70263ed673959515545521a7941d3230838
- SHA512
  
  9d071568dc56db2ab93d034d07a11a477aab8ac50d9ea3c4db3ac4866fcd3c2f3002ba7a3f2c55589a9d68463181fc7a03327dc164310d7e80e30cc6f6bf2423
- SSDEEP
  
  6144:s4itlpEJVqKqK5Z5UibKsBHI0Sfnx+lXGpeOQHA93GT3sm:s4itlpAqKqK5Z5U+jBolfnjIyG
Score

1^/10
behavioral4
- Target
  
  PoorChecker 2.7V/Database/libGLESv2.dll
- Size
  
  7.1MB
- MD5
  
  af3792b63af63408a40604184ea6ef7f
- SHA1
  
  b4d577e1c7ca0d4d3a34e2edb919cf58e6b62952
- SHA256
  
  b0ff1bad8e2f34b12dfcc4b5387bdc042f9bc2f963e11dea1758397ca0e907ea
- SHA512
  
  d413c52f7c82dd17f06002f3ca6bc3efcf4e11e88379d989d982b2f9f47b71643971c4988abee2dc1212027b2cea148a8849bcb442dd4dbcd8e26ea892dd7a58
- SSDEEP
  
  49152:x2b3imtb1uWsvZRUCXQNMBbGUa/XFfOpvQnDwX+xjA7LAIgRg37QiI+id3pFJs7w:x7RWft4NV+sduHox6gWE5lHaFX
Score

1^/10
behavioral5
- Target
  
  PoorChecker 2.7V/Database/vk_swiftshader.dll
- Size
  
  5.0MB
- MD5
  
  b06a97b925991eac3832437d7db078cd
- SHA1
  
  ca32356ba0938ada1233e13795860690712fbc14
- SHA256
  
  2df870c1719ab057ea37aa15e3e379360c1dd8eaea2eaa56cb7b026f5ee4f19f
- SHA512
  
  e1e61c28a28dfcf15d69e9ccc8e289dfe606b926e21756bbc0f21e15df18d27b1926277ffc2bd6549cdfb17f11d71c2a9353392e58c33557209b781ec32cef9e
- SSDEEP
  
  49152:Ab03fn3GIdr1DO1N8jvfWSrvOuyEE0+w7rz77gpxbhk0H4t38mvttDpSHUoeygs4:d3v3xDvRTGVgt38mvt1pSH0adU
Score

1^/10
behavioral6
- Target
  
  PoorChecker 2.7V/Database/vulkan-1.dll
- Size
  
  910KB
- MD5
  
  d562628f9df56ae61770ffdef79c8d05
- SHA1
  
  2423105a960fe0ceb038ca36d6a37638ebd32b6f
- SHA256
  
  5789ca1822f3a5a67cd2c24e6ff0307e688b76a2e99831050bdcf8b8d155956d
- SHA512
  
  739f9f41d8e3e48dbd20bfecfc5679f38e59b3fc8cb406a77c384fd5146f19efafa1e4f23f15071dbeaa1d0dc71e125966e19fb757fc39e6abe953159669c096
- SSDEEP
  
  24576:FoHDVVdrfQ09CPKuy0O0Q6Z5W0DYsHA6g3P0zAk7s+:FuVdrI0GKuy066Z5W0DYsHA6g3P0zAkz
Score

1^/10
behavioral7
- Target
  
  PoorChecker 2.7V/PoorChecker.exe
- Size
  
  6.9MB
- MD5
  
  16c1cb62d0a9c649626e783421eb9453
- SHA1
  
  e40f00c54d556122444ff16656d89325ed5119d2
- SHA256
  
  c04e1dfec88b308b397f25ff47b4cea7e308e68df6711baf6a3fe39ce938cb04
- SHA512
  
  c3ae076fa54a25c67b18a46b93140c2fc5c2192937d2876b22164f9f9132b38f0d974d064de5758ddb8dc81fb47c0cf4d5ef6ede3fba879f4c22207d4c975df8
- SSDEEP
  
  98304:DPDjWM8JEE1F8amaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRpYRJJcGhEIFWd:DP0TeNTfm/pf+xk4dWRpmrbW3jmrc
Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  PoorChecker 2.7V/resources/elevate.exe
- Size
  
  105KB
- MD5
  
  792b92c8ad13c46f27c7ced0810694df
- SHA1
  
  d8d449b92de20a57df722df46435ba4553ecc802
- SHA256
  
  9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
- SHA512
  
  6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
- SSDEEP
  
  3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
Score

3^/10

discovery
behavioral9