File name:	B-Executor.exe
Full analysis:	https://app.any.run/tasks/6076037a-f884-4583-a6ba-ed7d6231aa14
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 18, 2024, 19:20:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion discord blankgrabber stealer pyinstaller discordgrabber generic growtopia susp-powershell ims-api upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	33AED1D72D4146276CDF95296A395D8F
SHA1:	A433193DABB2425E28A0A112908FA0D313CFB044
SHA256:	CCC317CA87B4B6A34DB801AA03296EA882B976093F06D3C9CE4E22466B38B0CC
SSDEEP:	98304:IJ3CpombrO47fz9hluqG9yeFyOnace7EewAxtHfktEzafhOsE+XZ0+33T/1UfJF2:+re4uNE6gLRya

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:11:15 18:03:35+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.26100.1882
ProductVersionNumber:	10.0.26100.1882
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Registry Editor
FileVersion:	10.0.26100.1882 (WinBuild.160101.0800)
InternalName:	REGEDIT
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	REGEDIT.EXE
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.26100.1882


(PID) Process:	(7036) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7036) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7036) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7036) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5832) B-Executor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(8088) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31144430
(PID) Process:	(8088) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\_bz2.pyd		executable
		MD5:83B5D1943AC896A785DA5343614B16BC	SHA256:BF79DDBFA1CC4DF7987224EE604C71D9E8E7775B9109BF4FF666AF189D89398A
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\_lzma.pyd		executable
		MD5:71F0B9F90AA4BB5E605DF0EA58673578	SHA256:D0E10445281CF3195C2A1AA4E0E937D69CAE07C492B74C9C796498DB33E9F535
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\VCRUNTIME140.dll		executable
		MD5:870FEA4E961E2FBD00110D3783E529BE	SHA256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\_queue.pyd		executable
		MD5:F1E7C157B687C7E041DEADD112D61316	SHA256:D92EADB90AED96ACB5FAC03BC79553F4549035EA2E9D03713D420C236CD37339
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\_ctypes.pyd		executable
		MD5:7ECC651B0BCF9B93747A710D67F6C457	SHA256:B43963B0883BA2E99F2B7DD2110D33063071656C35E6575FCA203595C1C32B1A
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\_sqlite3.pyd		executable
		MD5:72A0715CB59C5A84A9D232C95F45BF57	SHA256:D125E113E69A49E46C5534040080BDB35B403EB4FF4E74ABF963BCE84A6C26AD
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:EB0978A9213E7F6FDD63B2967F02D999	SHA256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:33BBECE432F8DA57F17BF2E396EBAA58	SHA256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\api-ms-win-core-heap-l1-1-0.dll		executable
		MD5:ACCC640D1B06FB8552FE02F823126FF5	SHA256:332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
6564	B-Executor.exe	C:\Users\admin\AppData\Local\Temp\_MEI65642\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:1C58526D681EFE507DEB8F1935C75487	SHA256:EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4836	RUXIMICS.exe	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4836	RUXIMICS.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	204	216.58.206.67:443	https://gstatic.com/generate_204	unknown	—	—	—
5832	B-Executor.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
—	—	POST	200	162.159.138.232:443	https://discord.com/api/webhooks/1306719010334969886/44cmdkPguShyMjyoH0Vnbwa-9kSOud3BPtWdgLberLdSuUvZ7wqC0eoWnOhXalAy2VFG	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4836	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	92.123.104.18:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4836	RUXIMICS.exe	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
www.bing.com	92.123.104.18 92.123.104.13 92.123.104.21 92.123.104.17 92.123.104.14 92.123.104.26 92.123.104.12 92.123.104.25 92.123.104.11	whitelisted
google.com	172.217.16.142	whitelisted
crl.microsoft.com	23.48.23.194 23.48.23.190 23.48.23.177 23.48.23.193 23.48.23.183 23.48.23.140 23.48.23.137 23.48.23.176 23.48.23.139	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
gstatic.com	216.58.206.35	whitelisted
ip-api.com	208.95.112.1	shared
discord.com	162.159.138.232 162.159.128.233 162.159.135.232 162.159.137.232 162.159.136.232	whitelisted
self.events.data.microsoft.com	52.168.117.169	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2172	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2172	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5832	B-Executor.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
5832	B-Executor.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
5832	B-Executor.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check

General Info

B-Executor.exe

33AED1D72D4146276CDF95296A395D8F

A433193DABB2425E28A0A112908FA0D313CFB044

CCC317CA87B4B6A34DB801AA03296EA882B976093F06D3C9CE4E22466B38B0CC

98304:IJ3CpombrO47fz9hluqG9yeFyOnace7EewAxtHfktEzafhOsE+XZ0+33T/1UfJF2:+re4uNE6gLRya

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Adds path to the Windows Defender exclusion list

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

BLANKGRABBER has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Get information on the list of running processes

Possible usage of Discord/Telegram API has been detected (YARA)

Checks for external IP

Uses REG/REGEDIT.EXE to modify registry

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

UPX packer has been detected

Attempting to use instant messaging service

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

ims-api

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests