File name:

AstroSpoofer.exe

Full analysis: https://app.any.run/tasks/881b34b6-316f-4c9e-a373-9b4d3d9aa6a0
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: February 09, 2025, 19:22:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
python
discord
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

248610C7AC4B0571E778A705E674DD48

SHA1:

7BD2889EE6958DC79014D1EB0D9831FFFAD9764A

SHA256:

3876BBC02A48553A16504B85A2AE924C1A001015CB282A4AB8FD2E669312B504

SSDEEP:

98304:j1T2QUUIaAAoXqwvHYi5XVBuPHf/82r4YCU3MNOD2KWucQ1cp+4LTfqqQVH68Dc+:M+e44a+bXOo9EhUt4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • AstroSpoofer.exe (PID: 3772)

    • Executing a file with an untrusted certificate

      • AstroSpoofer.exe (PID: 6092)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • AstroSpoofer.exe (PID: 3772)

    • Application launched itself

      • AstroSpoofer.exe (PID: 3772)

    • Starts a Microsoft application from unusual location

      • AstroSpoofer.exe (PID: 6092)

    • Loads Python modules

      • AstroSpoofer.exe (PID: 6092)

  • INFO

    • The sample compiled with english language support

      • AstroSpoofer.exe (PID: 3772)

    • Reads the computer name

      • AstroSpoofer.exe (PID: 3772)

    • Checks supported languages

      • AstroSpoofer.exe (PID: 3772)

    • Create files in a temporary directory

      • AstroSpoofer.exe (PID: 3772)
      • AstroSpoofer.exe (PID: 6092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:09 19:12:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.4746
ProductVersionNumber: 10.0.22621.4746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: "ApplyTrustOffline.PROGRAM"
FileVersion: 10.0.22621.4746 (WinBuild.160101.0800)
InternalName: "ApplyTrustOffline.PROGRAM"
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: "ApplyTrustOffline.PROGRAM"
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.4746
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
113
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BLANKGRABBER astrospoofer.exe no specs astrospoofer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3772"C:\Users\admin\Desktop\AstroSpoofer.exe" C:\Users\admin\Desktop\AstroSpoofer.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
"ApplyTrustOffline.PROGRAM"
Version:
10.0.22621.4746 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\astrospoofer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6092"C:\Users\admin\Desktop\AstroSpoofer.exe" C:\Users\admin\Desktop\AstroSpoofer.exeAstroSpoofer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
"ApplyTrustOffline.PROGRAM"
Version:
10.0.22621.4746 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\astrospoofer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
15
Read events
15
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3772AstroSpoofer.exeC:\Users\admin\AppData\Local\Temp\_MEI37722\VCRUNTIME140.dll
MD5:
SHA256:
3772AstroSpoofer.exeC:\Users\admin\AppData\Local\Temp\_MEI37722\_bz2.pyd
MD5:
SHA256:
3772AstroSpoofer.exeC:\Users\admin\AppData\Local\Temp\_MEI37722\_ctypes.pyd
MD5:
SHA256:
3772AstroSpoofer.exeC:\Users\admin\AppData\Local\Temp\_MEI37722\_decimal.pyd
MD5:
SHA256:
3772AstroSpoofer.exeC:\Users\admin\AppData\Local\Temp\_MEI37722\_hashlib.pyd
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
12
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3280
svchost.exe
GET
200
23.53.42.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3280
svchost.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
GET
204
142.250.185.163:443
https://gstatic.com/generate_204
unknown
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
POST
404
162.159.136.232:443
https://discord.com/api/webhooks/1338222193246474250/uKkAzf4xTbqgpNCiVTfbIJBB8tXzGmTag7_j1XP4pFnLzVQYM4QSi85cLuzqflDtEpS7
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
3280
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.212.110.162:443
Akamai International B.V.
CZ
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3280
svchost.exe
23.53.42.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3280
svchost.exe
2.23.9.218:80
www.microsoft.com
AKAMAI-AS
CZ
whitelisted
4712
MoUsoCoreWorker.exe
2.23.9.218:80
www.microsoft.com
AKAMAI-AS
CZ
whitelisted
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
216.58.206.67:443
gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.53.42.18
  • 23.53.41.248
whitelisted
www.microsoft.com
  • 2.23.9.218
whitelisted
blank-b7rtp.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 216.58.206.67
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.138.232
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
AstroSpoofer.exe