File name:	runner.exe
Full analysis:	https://app.any.run/tasks/56f31a55-5805-4a96-911c-f0d805bb40c8
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users. Malware Trends Tracker >>>
Analysis date:	April 04, 2025, 18:25:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github loader xor-url generic xenorat rat blankgrabber uac evasion remote stealer screenshot telegram
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:	C533E3AD230B1C417521ED6111B69B3C
SHA1:	160DC70868284B689F80C0DEAD9D14E3E84A61E9
SHA256:	1822DA18BCAFB93DC416122A3E4C9D61098C6FD9FC1E3474A971C4044F48CAAE
SSDEEP:	384:RnROBh8czVVNuocIF4SQ0z87/de4nW3HRu:botxzgdeEW3xu

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:04:04 17:17:17+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	12800
InitializedDataSize:	10752
UninitializedDataSize:	-
EntryPoint:	0x3160
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(7380) runner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7380) runner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7380) runner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	InstalledVersionMajor
Value: 0200C08038FB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	InstalledVersionMinor
Value: 2200C08038FB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	InstalledVersionBuild
Value: 616DC08038FB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	InstalledVersionRevision
Value: 0000C08038FB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	PreviousAppTerminationFromSuspended
Value: 00C08038FB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	CurrentDisplayMonitor
Value: 670061006D0065000000BA473DFB8EA5DB01
(PID) Process:	(7500) GameBar.exe	Key:	\REGISTRY\A\{bda3de24-25a8-f398-d511-5208fd15e9f7}\LocalState
Operation:	write	Name:	StartupTipIndex
Value: 0100000000000000206144FB8EA5DB01

PID	Process	Filename		Type
7380	runner.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\client[1].exe		executable
		MD5:4D216CA434C287B5D2D2964C7F467658	SHA256:D1BE9DA7AE22EE51A8A2D5833C72C80A05276DA6F5B8A0DD978AAD608D7CBF88
7380	runner.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\freeerobux[1].exe		executable
		MD5:7EAD1F3B64B9B37955F9A12E9E271F51	SHA256:1737CC87AF41FCF08DDCAD01218E4F3D2D838B647E98B86D5490E7BEC7C308F7
7380	runner.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\Built[1].exe		executable
		MD5:B89DB2ADD9058B69E2159C607C7187C8	SHA256:DC9DD5431FDB2FA302DF9CF5C823CFD75CBCBF98E67CDDA8CBBEE00EBE4B88DF
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_lzma.pyd		executable
		MD5:042AC1B18A7F6FFF8ED09EC9EFA9E724	SHA256:0F44F360662DAAC7DB8ACBCE44557035E7E170B1309A4931DDE07CFAAD6019A0
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_queue.pyd		executable
		MD5:1073D3147F0D6A1880B78A5A5695FC70	SHA256:7F381A79FBFDBCABEC751773CB211D1B9D36F287AE9F46E07A46D4116F4D5B04
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_socket.pyd		executable
		MD5:FCFDF8CD83A8D506A4483A72EB57026C	SHA256:C0AC0BDC8778BC2F5218359AD3C19F0D2C38A9871D643163B35A1D567D966F81
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_ctypes.pyd		executable
		MD5:FC40D41AFF12417142C0256E536B4A1A	SHA256:1846030E35037D8CBAACB640FA9AC99AF5D26C0AADC09E3C2AF04DB7CA7909DC
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_bz2.pyd		executable
		MD5:94309558EB827E8315D0F201BBE7F2B1	SHA256:7857736CEFD36B645191871F7D7C9256E1C940788CC1978609248B562E8B40D4
7888	setuppp.exe	C:\Users\admin\AppData\Local\Temp\_MEI78882\_decimal.pyd		executable
		MD5:0E02B5BCDE73A3CC01534FBA80EC0462	SHA256:9E977DDFAD4A9D39AF792B547588C9C6682D35F92FBD44750B539C7C106D0159

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	140.82.121.3:443	https://github.com/lightningspeed221/roblox/raw/refs/heads/main/freeerobux.exe	US	—	—	unknown
2104	svchost.exe	GET	200	23.48.23.158:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
—	—	GET	302	140.82.121.3:443	https://github.com/lightningspeed221/roblox/raw/refs/heads/main/client.exe	US	—	—	unknown
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/lightningspeed221/roblox/refs/heads/main/client.exe	US	executable	45.5 Kb	whitelisted
—	—	GET	302	140.82.121.3:443	https://github.com/lightningspeed221/roblox/raw/refs/heads/main/Built.exe	US	—	—	unknown
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/lightningspeed221/roblox/refs/heads/main/Built.exe	US	executable	8.40 Mb	whitelisted
—	—	GET	404	140.82.121.3:443	https://github.com/lightningspeed221/roblox/raw/refs/heads/main/rat.exe	US	html	267 Kb	whitelisted
5408	setuppp.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	whitelisted
—	—	GET	204	142.250.184.195:443	https://gstatic.com/generate_204	US	—	—	unknown
5408	setuppp.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	US	binary	168 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5328	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7380	runner.exe	140.82.121.3:443	github.com	GITHUB	US	whitelisted
7380	runner.exe	185.199.111.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
2104	svchost.exe	23.48.23.158:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5328	RUXIMICS.exe	23.48.23.158:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
github.com	140.82.121.3	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.108.133 185.199.109.133 185.199.110.133	whitelisted
crl.microsoft.com	23.48.23.158 23.48.23.180 23.48.23.173 23.48.23.164 23.48.23.194 23.48.23.193 23.48.23.169 23.48.23.159 23.48.23.167	whitelisted
blank-jj5f2.in	—	unknown
ip-api.com	208.95.112.1	whitelisted
visit-dose.gl.at.ply.gg	147.185.221.25	unknown
gstatic.com	172.217.23.99	whitelisted
api.telegram.org	149.154.167.220	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup

General Info

runner.exe

C533E3AD230B1C417521ED6111B69B3C

160DC70868284B689F80C0DEAD9D14E3E84A61E9

1822DA18BCAFB93DC416122A3E4C9D61098C6FD9FC1E3474A971C4044F48CAAE

384:RnROBh8czVVNuocIF4SQ0z87/de4nW3HRu:botxzgdeEW3xu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XORed URL has been found (YARA)

Executing a file with an untrusted certificate

XenoRAT has been detected (FILE)

BlankGrabber has been detected

XENORAT mutex has been found

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes settings for protection against network attacks (IPS)

Changes Windows Defender settings

Changes settings for real-time protection

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for checking scripts for malicious actions

Changes Controlled Folder Access settings

Changes the autorun value in the registry

XENORAT has been detected

Create files in the Startup directory

Steals credentials from Web Browsers

Actions looks like stealing of personal data

XENORAT has been detected (SURICATA)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

XENORAT has been detected (YARA)

Resets Windows Defender malware definitions to the base version

BLANKGRABBER has been detected (SURICATA)

Starts CMD.EXE for self-deleting

Connects to the CnC server

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads the date of Windows installation

Starts a Microsoft application from unusual location

The process drops C-runtime libraries

Application launched itself

Starts itself from another location

Process drops python dynamic module

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Changes default file association

Uses WEVTUTIL.EXE to query events from a log or log file

Found strings related to reading or modifying Windows Defender settings

Executes application which crashes

Get information on the list of running processes

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Script disables Windows Defender's IPS

Script disables Windows Defender's real-time protection

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Accesses video controller name via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Checks for external IP

Uses ATTRIB.EXE to modify file attributes

Connects to unusual port

Starts application with an unusual extension

BASE64 encoded PowerShell command has been detected

Uses NETSH.EXE to obtain data on the network

The process bypasses the loading of PowerShell profile settings

Base64-obfuscated command line is found

Accesses antivirus product name via WMI (SCRIPT)

Contacting a server suspected of hosting an CnC

Uses SYSTEMINFO.EXE to read the environment

CSC.EXE is used to compile C# code

Captures screenshot (POWERSHELL)