Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Blank Grabber

59
Global rank
20
Month rank
24 infographic chevron week
Week rank
0
IOCs

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Stealer
Type
Unknown
Origin
1 December, 2022
First seen
21 December, 2024
Last seen

How to analyze Blank Grabber with ANY.RUN

Type
Unknown
Origin
1 December, 2022
First seen
21 December, 2024
Last seen

IOCs

IP addresses
147.185.221.24
98.66.160.121
Domains
ma-compile.gl.at.ply.gg
blank-c1vj5.in
a0928733.xsph.ru
kuralyok.com.tr
blank-iq5vj.in
blank-vm1ir.in
blank-1spec.in
brn-hacker.duckdns.org
blank-rfhww.in
blank-jknks.in
blank-agf5f.in
skoch-7bced.in
skoch-osjdw.in
skoch-wif67.in
g98546cg.beget.tech
skoch-cbec1.in
skoch-eadr7.in
shaurma.fun
o5.gg
Last Seen at
Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 217
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 311
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1118
comments 0

What is malware: Blank Grabber

Blank Grabber is an infostealer that has been openly distributed through Github since 2022. According to its developer, the software is intended for educational purposes only. However, this does not prevent threat actors from using it in malicious activities to infect devices and steal victims’ credentials, crypto wallets, and other sensitive data.

Currently, the original Blang Grabber GithHub repository is no longer active due to the author’s withdrawal from the project, but the official Blank Grabber fork is actively maintained and regularly receives new updates.

The stealer is written in Python, which lets attackers abuse legitimate services such as the Python Package Index by uploading malicious packages containing Blank Grabber.

Due to the open-source nature of the malware, threat actors can create different versions and add new components. It is also relatively simple to deploy and offers a graphical interface builder, allowing even low-skilled individuals to leverage it to conduct attacks.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Blank Grabber malware technical details

Blank Grabber can steal a wide range of data, including:

  • Login credentials and cookies from various browsers (e.g., Chrome, Firefox, Edge)
  • Cryptocurrency wallets (Bitcoin, Ethereum, etc.)
  • Telegram sessions and Discord tokens
  • Browsing history and autofill data (addresses, credit cards)

Blank Grabber also employs the WMIC tool to gather details about the infected system, such as operating system, hardware specifications (CPU, GPU, memory), and software versions. It is equipped with the capabilities to take screenshots and webcam images.

The malware is particularly popular among criminals targeting gamers. This is why it is widely utilized for stealing victims’ Roblox and Minecraft files, as well as Steam, Epic Games, and Uplay data.

Blank Grabber possesses built-in features for evading detection. The code of the program is often obfuscated to make it harder for security researchers to analyze. Attackers also can enable anti-sandboxing to stop the malware’s execution from running in a virtual environment.

Blank Grabber can disable Windows Defender and bypass User Account Control (UAC) on Windows systems, gaining elevated privileges.

Attackers employing the Blank Grabber malware leverage Discord and Telegram webhooks for communication and extraction of stolen information. With this approach, conventional Command and Control (C2) infrastructure is no longer required, which lowers the entry barrier for less experienced threat actors to carry out such cyber attacks.

Blank Grabber execution process

Let’s analyze a sample of Blank Grabber in the ANY.RUN sandbox to see how it operates.

The execution chain of Blank Grabber often involves one or two processes that carry out all the malicious activities themselves. However, it can be very complex and may involve the use of system utilities.

The execution chain of Blank Grabber begins with the delivery of a malicious payload through a phishing email or compromised website. Once the payload is executed, Blank Grabber injects itself into legitimate processes to evade detection. It then establishes persistence by creating registry entries or scheduled tasks. Next, it communicates with a command-and-control server to receive instructions and updates. Blank Grabber then scans the infected system for sensitive information such as login credentials, financial data, and personal information. Finally, it exfiltrates the collected data to a remote server controlled by the attackers for further exploitation.

In this analysis session in the ANY.RUN malware sandbox, Blank Grabber executes a series of commands:

  1. It starts with the launch of "7662ffc45c0b6...eea48.exe" using "runas.exe."
  2. This initiates multiple child processes that modify Windows Defender settings, display error messages, query system information, and interact with the registry.
  3. It disables several Windows Defender security features and alters registry keys related to system settings, which suggests an attempt to bypass security measures or manipulate configurations.

The sandbox detects the malicious behavior of Blank Grabber, indicating it with the tags “blankgrabber” and “stealer”.

Blank Grabber Suricata rule in ANY.RUN Blank Grabber Suricata rule shown in ANY.RUN

Blank Grabber malware distribution methods

Unlike some of the popular infostealers, such as FormBook and RisePro, Blank Grabber is rarely distributed via phishing emails. Instead, attackers prefer to mask it as software for gamers, hosting it on GitHub and similar platforms. There are also instances when the malware was found in legitimate repositories. Another common way of spreading Blank Grabber is via direct message on Discord.

Analyze Blank Grabber in ANY.RUN

Blank Grabber’s advanced features, evasion mechanisms, and wide accessibility make it a significant threat to user data. To prevent infection, it is crucial for organizations and individuals to analyze any suspicious files and links using a reliable security tool.

The ANY.RUN sandbox delivers safe and reliable virtual environments for conducting extensive malware behavior analysis and produces reports with critical information, like IOCs and TTPs. Analysts can use the analysis results to make well-informed decisions and improve their security against threats like Blank Grabber.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More