File name:	MVPloader.exe
Full analysis:	https://app.any.run/tasks/40e73ce5-03e9-494f-91fc-a54ace384385
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 03, 2024, 12:26:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion blankgrabber telegram stealer pyinstaller susp-powershell discordgrabber generic growtopia ims-api upx python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	2400F4A5AE3CD363FC4864A8FFBF6AFD
SHA1:	4CDD65283C1CC6B3142C9111D68F3C9EAF020479
SHA256:	C2E6D938996E5A5A3A9E724B3D828B9ECCD8C60F2FA7A30AF81ECCDAD6F0E9B3
SSDEEP:	98304:p6Cs+GmE/ZsG6TRAXfjE+DkVkFOBNdtLOSA2ibMlq0TVjzAfqqQVH68DcDo0nkPA:AqxqeO44a+bAdjRnbdUN

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:10:28 20:03:29+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	5.0.1.1
ProductVersionNumber:	5.0.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft® CAB File Extract Utility
FileVersion:	5.00 (WinBuild.160101.0800)
InternalName:	extrac32.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	extrac32.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	5


(PID) Process:	(8024) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31141355
(PID) Process:	(8024) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_hashlib.pyd		executable
		MD5:D6F123C4453230743ADCC06211236BC0	SHA256:7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_decimal.pyd		executable
		MD5:21D27C95493C701DFF0206FF5F03941D	SHA256:38EC7A3C2F368FFEB94524D7C66250C0D2DAFE58121E93E54B17C114058EA877
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_bz2.pyd		executable
		MD5:58FC4C56F7F400DE210E98CCB8FDC4B2	SHA256:DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_ctypes.pyd		executable
		MD5:79879C679A12FAC03F472463BB8CEFF7	SHA256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_lzma.pyd		executable
		MD5:055EB9D91C42BB228A72BF5B7B77C0C8	SHA256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_queue.pyd		executable
		MD5:513DCE65C09B3ABC516687F99A6971D8	SHA256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\_socket.pyd		executable
		MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C	SHA256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\blank.aes		binary
		MD5:89A73C4AD3149E951CF3815021711CC1	SHA256:6BA04EDA71F3034862FE9A0634265F9C4E32A744911F0D2AF136F3D843CE23FE
512	MVPloader.exe	C:\Users\admin\AppData\Local\Temp\_MEI5122\libffi-8.dll		executable
		MD5:08B000C3D990BC018FCB91A1E175E06E	SHA256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.16.164.51:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.51:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
6944	svchost.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	BR	binary	973 b	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	BR	binary	973 b	whitelisted
6584	MVPloader.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	shared
2444	RUXIMICS.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	BR	binary	973 b	whitelisted
—	—	GET	204	142.250.186.35:443	https://gstatic.com/generate_204	US	—	—	unknown
6584	MVPloader.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	US	binary	200 b	shared
—	—	POST	200	149.154.167.99:443	https://api.telegram.org/bot7301367482:AAEWfT2A4FEwVG3sHg1CfoRTZaBWbTqUSUQ/sendDocument	GB	binary	1.82 Kb	whitelisted
2444	RUXIMICS.exe	GET	200	2.16.164.51:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2444	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.16.164.51:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
5488	MoUsoCoreWorker.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
2444	RUXIMICS.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
6584	MVPloader.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.164.51 2.16.164.114 2.16.164.18 2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
blank-iw1bp.in	—	unknown
ip-api.com	208.95.112.1	shared
gstatic.com	172.217.18.3	whitelisted
api.telegram.org	149.154.167.220	shared
self.events.data.microsoft.com	52.182.143.208	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2172	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6584	MVPloader.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2172	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2172	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6584	MVPloader.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6584	MVPloader.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
6584	MVPloader.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body

General Info

MVPloader.exe

2400F4A5AE3CD363FC4864A8FFBF6AFD

4CDD65283C1CC6B3142C9111D68F3C9EAF020479

C2E6D938996E5A5A3A9E724B3D828B9ECCD8C60F2FA7A30AF81ECCDAD6F0E9B3

98304:p6Cs+GmE/ZsG6TRAXfjE+DkVkFOBNdtLOSA2ibMlq0TVjzAfqqQVH68DcDo0nkPA:AqxqeO44a+bAdjRnbdUN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for checking scripts for malicious actions

Changes settings for protection against network attacks (IPS)

Changes settings for real-time protection

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes Controlled Folder Access settings

Changes settings for sending potential threat samples to Microsoft servers

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Resets Windows Defender malware definitions to the base version

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

BLANKGRABBER has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Loads Python modules

Reads security settings of Internet Explorer

Reads the date of Windows installation

Found strings related to reading or modifying Windows Defender settings

Starts CMD.EXE for commands execution

Get information on the list of running processes

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Accesses video controller name via WMI (SCRIPT)

Accesses product unique identifier via WMI (SCRIPT)

Script disables Windows Defender's IPS

Uses WMIC.EXE to obtain Windows Installer data

Script disables Windows Defender's real-time protection

Uses WMIC.EXE to obtain a list of video controllers

Base64-obfuscated command line is found

Starts application with an unusual extension

Uses SYSTEMINFO.EXE to read the environment

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

CSC.EXE is used to compile C# code

The executable file from the user directory is run by the CMD process

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

The process uses the downloaded file

Reads security settings of Internet Explorer

The Powershell gets current clipboard

Checks the directory tree

Displays MAC addresses of computer network adapters

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

UPX packer has been detected

Attempting to use instant messaging service

Malware configuration

ims-api

Static information

TRiD