File name:	RunWithAffinity.exe
Full analysis:	https://app.any.run/tasks/c71fb4a6-0374-4284-9886-e1319458573d
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 23, 2024, 11:59:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	blankgrabber evasion discord stealer growtopia discordgrabber generic susp-powershell ims-api pyinstaller upx python autoit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	6019D4756C3441D263122287DEE5E1BE
SHA1:	6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01
SHA256:	EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571
SSDEEP:	98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:11:23 11:37:50+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.1
ProductVersionNumber:	10.0.19041.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Enhanced Storage Authentication Program
FileVersion:	10.0.19041.1 (WinBuild.160101.0800)
InternalName:	EhStorAuthn.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	EhStorAuthn.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.1


(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(848) RunWithAffinity.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31145375
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value: 807299079

PID	Process	Filename		Type
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_hashlib.pyd		executable
		MD5:596DF8ADA4B8BC4AE2C2E5BBB41A6C2E	SHA256:54348CFBF95FD818D74014C16343D9134282D2CF238329EEC2CDA1E2591565EC
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\rar.exe		executable
		MD5:9C223575AE5B9544BC3D69AC6364F75E	SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_ctypes.pyd		executable
		MD5:38FB83BD4FEBED211BD25E19E1CAE555	SHA256:CD31AF70CBCFE81B01A75EBEB2DE86079F4CBE767B75C3B5799EF8B9F0392D65
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_queue.pyd		executable
		MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E	SHA256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_socket.pyd		executable
		MD5:4351D7086E5221398B5B78906F4E84AC	SHA256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_ssl.pyd		executable
		MD5:156B1FA2F11C73ED25F63EE20E6E4B26	SHA256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\bound.blank		binary
		MD5:2F465D8AE1223DE5A6BD5FCC0872A6E3	SHA256:03CCB57CD73F735A1F90619966CCD9255CA61401126E26EAE9BF29E4ABF04A3E
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_sqlite3.pyd		executable
		MD5:D678600C8AF1EEEAA5D8C1D668190608	SHA256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\libffi-8.dll		executable
		MD5:90A6B0264A81BB8436419517C9C232FA	SHA256:5C4A0D4910987A38A3CD31EAE5F1C909029F7762D1A5FAF4A2E2A7E9B1ABAB79

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4328	svchost.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3884	RUXIMICS.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	204	172.217.18.3:443	https://gstatic.com/generate_204	unknown	—	—	unknown
3884	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
848	RunWithAffinity.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1309840324327112714/khOqC9Xa7VD6KiHYOJwCdhPJEXfjuHaNYi156MGqp0Drd_sRip37DX6D-Zk4HE_BQf5N	unknown	binary	45 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4328	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3884	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4328	svchost.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3884	RUXIMICS.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4328	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 40.127.240.158	whitelisted
www.bing.com	104.126.37.144 104.126.37.171 104.126.37.160 104.126.37.176 104.126.37.153 104.126.37.154 104.126.37.170 104.126.37.155 104.126.37.162	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.32.238.112 2.19.198.43	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
gstatic.com	142.250.186.99	whitelisted
ip-api.com	208.95.112.1	shared
discord.com	162.159.137.232 162.159.128.233 162.159.135.232 162.159.138.232 162.159.136.232	whitelisted
self.events.data.microsoft.com	20.189.173.15	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
848	RunWithAffinity.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
848	RunWithAffinity.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
848	RunWithAffinity.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

RunWithAffinity.exe

6019D4756C3441D263122287DEE5E1BE

6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01

EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571

98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Executing a file with an untrusted certificate

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Steals credentials from Web Browsers

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

GROWTOPIA has been detected (YARA)

DISCORDGRABBER has been detected (YARA)

BLANKGRABBER has been detected (SURICATA)

Stealers network behavior

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Starts CMD.EXE for commands execution

Loads Python modules

Uses REG/REGEDIT.EXE to modify registry

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

Uses SYSTEMINFO.EXE to read the environment

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

The process bypasses the loading of PowerShell profile settings

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Starts POWERSHELL.EXE for commands execution

CSC.EXE is used to compile C# code

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain a list of video controllers

Possible usage of Discord/Telegram API has been detected (YARA)

The executable file from the user directory is run by the CMD process

Uses WMIC.EXE to obtain operating system information

Checks for external IP

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Checks the directory tree

Reads security settings of Internet Explorer

The Powershell gets current clipboard

Found Base64 encoded reflection usage via PowerShell (YARA)

Displays MAC addresses of computer network adapters

UPX packer has been detected

Attempting to use instant messaging service

PyInstaller has been detected (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information