File name:	Built.exe
Full analysis:	https://app.any.run/tasks/7a47f298-c4d1-409c-b68d-f19f1336e23d
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 27, 2025, 06:00:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blankgrabber python evasion discord stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	888DDBCFA0DE82B1222B60FEE440D1F3
SHA1:	CFE29DC0DE7DCBBE9E0522C3323930BA382C1C84
SHA256:	140A72C20DC182E507042458958E9612A22ADB5227B2C5ED27D310B23140DB7D
SSDEEP:	98304:CC3CpWh1b/L+En1GFJ+yNpB1oSBSmCNHT69fsevZJvfClPmRSvddzdzoqNLiaX0k:thUcISu6aqBl+FqTkS

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:07:27 05:59:02+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	174592
InitializedDataSize:	96768
UninitializedDataSize:	-
EntryPoint:	0xd0d0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.22621.5415
ProductVersionNumber:	10.0.22621.5415
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Application Frame Host
FileVersion:	10.0.22621.5415 (WinBuild.160101.0800)
InternalName:	Application Frame Host
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	ApplicationFrameHost.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.22621.5415

PID	Process	Filename		Type
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_decimal.pyd		executable
		MD5:B282F0296923D835B69C26ACAE984112	SHA256:CCF7F7E1F56C5ABD9AFF5248335349F223A415F7D019DB6A4780CFEC7AF21095
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\VCRUNTIME140_1.dll		executable
		MD5:C0C0B4C611561F94798B62EB43097722	SHA256:497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\VCRUNTIME140.dll		executable
		MD5:32DA96115C9D783A0769312C0482A62D	SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_ctypes.pyd		executable
		MD5:984082C8FB774F1512D1C223CF63D203	SHA256:34F8F0BE6BF6631B1E78379EB69349F5017CB47C4AAEA3CC0DC38B265CB8E8D7
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_multiprocessing.pyd		executable
		MD5:B9F0A51A7504F7BDE98E5B0B862B86BB	SHA256:CAA733840D30A5325FD0783503BB281E443149481D4BE8E0DE94BCE39BDAE24E
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_wmi.pyd		executable
		MD5:0DC30917CAEAFA78B8D689F86D6105DF	SHA256:0876E75A5D5E3272492312F20BF7F1B7CEDADEFE438B34A3DF0370B377343FFA
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_queue.pyd		executable
		MD5:9A95D033DE9A4A50CAA701B51D439A53	SHA256:B35C25275915A8C67DAFFEBBFE29245FE10A9C8D43F8EED9BD0135FF50467470
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:4890901924F515B4B91613A4D95ADCB4	SHA256:FDB29AFC4EC3585586D8415DE087D6C6993C5A1171F57DD5185389ECA33BA948
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\api-ms-win-core-fibers-l1-1-0.dll		executable
		MD5:86C236EB806D74516E70741F15993958	SHA256:ACD898771C674E63B0F3E67D98826C93143B391AE8C58563C2DA7B98475CED14
2524	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI25242\_lzma.pyd		executable
		MD5:358F73495777544B0581D2809CF9F90C	SHA256:CBBD749034C3EEB289BA855D336607CDD61E2DE81EAA8CD062EE9F517EA7BA1D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.241.14:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5348	RUXIMICS.exe	GET	200	2.16.241.14:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.241.14:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	20.190.159.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.68:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
5348	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	204	142.250.184.227:443	https://gstatic.com/generate_204	unknown	—	—	unknown
—	—	POST	200	40.126.31.128:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5348	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	2.16.241.14:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5348	RUXIMICS.exe	2.16.241.14:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	2.16.241.14:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5348	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	2.16.241.14 2.16.241.12 23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	20.190.160.130 40.126.32.136 20.190.160.5 20.190.160.14 40.126.32.133 40.126.32.74 40.126.32.68 20.190.160.67	whitelisted
gstatic.com	142.250.185.131	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.128.233 162.159.136.232 162.159.137.232 162.159.138.232 162.159.135.232	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	74.178.240.61	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2200	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6756	Built.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
6756	Built.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
6756	Built.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6756	Built.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET HUNTING Discord WebHook Activity M1 (Contains Key, content)

General Info

Built.exe

888DDBCFA0DE82B1222B60FEE440D1F3

CFE29DC0DE7DCBBE9E0522C3323930BA382C1C84

140A72C20DC182E507042458958E9612A22ADB5227B2C5ED27D310B23140DB7D

98304:CC3CpWh1b/L+En1GFJ+yNpB1oSBSmCNHT69fsevZJvfClPmRSvddzdzoqNLiaX0k:thUcISu6aqBl+FqTkS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes Controlled Folder Access settings

Changes Windows Defender settings

Changes settings for real-time protection

Changes settings for checking scripts for malicious actions

Changes settings for protection against network attacks (IPS)

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for sending potential threat samples to Microsoft servers

Resets Windows Defender malware definitions to the base version

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Process drops python dynamic module

Application launched itself

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

Loads Python modules

Reads the date of Windows installation

The process drops C-runtime libraries

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Uses NETSH.EXE to obtain data on the network

The executable file from the user directory is run by the CMD process

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

Checks for external IP

INFO

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

Reads the computer name

The sample compiled with english language support

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information