File name:	Built.exe
Full analysis:	https://app.any.run/tasks/1419514c-3c7c-471b-8f26-bf1cdbaf3daf
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 22, 2025, 01:15:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blankgrabber stealer evasion discord
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	4AA49A59B6347AED3A160BD235ABF867
SHA1:	6B3EACD3D8F605655F50B3AA953F0E908FF0DB0F
SHA256:	2DA23D4A64FD20EBBA5960D46D49B518BB33FFBEC6D08F650A5E6D48E034F318
SSDEEP:	98304:GC3CpWLAOzhJ8QKCt7bm6GpJ0SDazx/OTMKNY9T4i4oMMclkMSMnPSPQvJVfPVNJ:J5ZQwU8YgxjfnO

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:22 01:08:56+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	174592
InitializedDataSize:	96768
UninitializedDataSize:	-
EntryPoint:	0xd0d0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.3636
ProductVersionNumber:	10.0.19041.3636
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Download/Upload Host
FileVersion:	10.0.19041.3636 (WinBuild.160101.0800)
InternalName:	BackgroundTransferHost.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	BackgroundTransferHost.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.3636

PID	Process	Filename		Type
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_bz2.pyd		executable
		MD5:0C13627F114F346604B0E8CBC03BAF29	SHA256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_ctypes.pyd		executable
		MD5:38FB83BD4FEBED211BD25E19E1CAE555	SHA256:CD31AF70CBCFE81B01A75EBEB2DE86079F4CBE767B75C3B5799EF8B9F0392D65
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\rar.exe		executable
		MD5:9C223575AE5B9544BC3D69AC6364F75E	SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_sqlite3.pyd		executable
		MD5:D678600C8AF1EEEAA5D8C1D668190608	SHA256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\libffi-8.dll		executable
		MD5:90A6B0264A81BB8436419517C9C232FA	SHA256:5C4A0D4910987A38A3CD31EAE5F1C909029F7762D1A5FAF4A2E2A7E9B1ABAB79
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_ssl.pyd		executable
		MD5:156B1FA2F11C73ED25F63EE20E6E4B26	SHA256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\_socket.pyd		executable
		MD5:4351D7086E5221398B5B78906F4E84AC	SHA256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
1156	Built.exe	C:\Users\admin\AppData\Local\Temp\_MEI11562\python311.dll		executable
		MD5:BB46B85029B543B70276AD8E4C238799	SHA256:72C24E1DB1BA4DF791720A93CA9502D77C3738EEBF8B9092A5D82AA8D80121D0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6012	RUXIMICS.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6012	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	204	142.250.185.195:443	https://gstatic.com/generate_204	unknown	—	—	unknown
—	—	POST	—	162.159.138.232:443	https://discord.com/api/webhooks/1386118842446647314/kyUfbEsxDzXGipFrAPg1_iFNqyjM4WyM8qIFPn6QPzkKYpC1HvyLewpHtDcgBTUfzATg	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
1296	Built.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6012	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6012	RUXIMICS.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6012	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	184.25.50.10 184.25.50.8	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
gstatic.com	142.250.186.67	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.128.233 162.159.138.232 162.159.136.232 162.159.135.232 162.159.137.232	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	20.189.173.13	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2200	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1296	Built.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
1296	Built.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
1296	Built.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
1296	Built.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
—	—	Misc activity	ET HUNTING Discord WebHook Activity M1 (Contains Key, content)
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body

General Info

Built.exe

4AA49A59B6347AED3A160BD235ABF867

6B3EACD3D8F605655F50B3AA953F0E908FF0DB0F

2DA23D4A64FD20EBBA5960D46D49B518BB33FFBEC6D08F650A5E6D48E034F318

98304:GC3CpWLAOzhJ8QKCt7bm6GpJ0SDazx/OTMKNY9T4i4oMMclkMSMnPSPQvJVfPVNJ:J5ZQwU8YgxjfnO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Antivirus name has been found in the command line (generic signature)

Changes Controlled Folder Access settings

Changes settings for protection against network attacks (IPS)

Changes Windows Defender settings

Changes settings for sending potential threat samples to Microsoft servers

Adds path to the Windows Defender exclusion list

Changes settings for checking scripts for malicious actions

Changes settings for real-time protection

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Resets Windows Defender malware definitions to the base version

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Application launched itself

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Found strings related to reading or modifying Windows Defender settings

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Accesses product unique identifier via WMI (SCRIPT)

Get information on the list of running processes

The executable file from the user directory is run by the CMD process

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain operating system information

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain Windows Installer data

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

Checks for external IP

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information