File name:	RunWithAffinity.exe
Full analysis:	https://app.any.run/tasks/c71fb4a6-0374-4284-9886-e1319458573d
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 23, 2024, 11:59:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	blankgrabber evasion discord stealer growtopia discordgrabber generic susp-powershell ims-api pyinstaller upx python autoit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	6019D4756C3441D263122287DEE5E1BE
SHA1:	6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01
SHA256:	EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571
SSDEEP:	98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:11:23 11:37:50+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.1
ProductVersionNumber:	10.0.19041.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Enhanced Storage Authentication Program
FileVersion:	10.0.19041.1 (WinBuild.160101.0800)
InternalName:	EhStorAuthn.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	EhStorAuthn.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.1


(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(848) RunWithAffinity.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31145375
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value: 807299079

PID	Process	Filename		Type
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\rar.exe		executable
		MD5:9C223575AE5B9544BC3D69AC6364F75E	SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\base_library.zip		compressed
		MD5:2A138E2EE499D3BA2FC4AFAEF93B7CAA	SHA256:130E506EAD01B91B60D6D56072C468AEB5457DD0F2ECD6CE17DFCBB7D51A1F8C
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\libcrypto-1_1.dll		executable
		MD5:DAA2EED9DCEAFAEF826557FF8A754204	SHA256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_ssl.pyd		executable
		MD5:156B1FA2F11C73ED25F63EE20E6E4B26	SHA256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\libffi-8.dll		executable
		MD5:90A6B0264A81BB8436419517C9C232FA	SHA256:5C4A0D4910987A38A3CD31EAE5F1C909029F7762D1A5FAF4A2E2A7E9B1ABAB79
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\blank.aes		binary
		MD5:3842F606F9C65E7D852925ED4F81441C	SHA256:43E41CC75170FB281BA9CA7AD288BD2C1AC018CCC7AF4D93E0C4A3C68EC9563B
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\select.pyd		executable
		MD5:ABF7864DB4445BBBD491C8CFF0410AE0	SHA256:DDEADE367BC15EA09D42B2733D88F092DA5E880362EABE98D574BC91E03DE30E
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_queue.pyd		executable
		MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E	SHA256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\libssl-1_1.dll		executable
		MD5:EAC369B3FDE5C6E8955BD0B8E31D0830	SHA256:60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4328	svchost.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3884	RUXIMICS.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3884	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	204	172.217.18.3:443	https://gstatic.com/generate_204	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
848	RunWithAffinity.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1309840324327112714/khOqC9Xa7VD6KiHYOJwCdhPJEXfjuHaNYi156MGqp0Drd_sRip37DX6D-Zk4HE_BQf5N	unknown	binary	45 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4328	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3884	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4328	svchost.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3884	RUXIMICS.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4328	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 40.127.240.158	whitelisted
www.bing.com	104.126.37.144 104.126.37.171 104.126.37.160 104.126.37.176 104.126.37.153 104.126.37.154 104.126.37.170 104.126.37.155 104.126.37.162	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.32.238.112 2.19.198.43	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
gstatic.com	142.250.186.99	whitelisted
ip-api.com	208.95.112.1	shared
discord.com	162.159.137.232 162.159.128.233 162.159.135.232 162.159.138.232 162.159.136.232	whitelisted
self.events.data.microsoft.com	20.189.173.15	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
848	RunWithAffinity.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
848	RunWithAffinity.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
848	RunWithAffinity.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

RunWithAffinity.exe

6019D4756C3441D263122287DEE5E1BE

6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01

EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571

98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Steals credentials from Web Browsers

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

GROWTOPIA has been detected (YARA)

DISCORDGRABBER has been detected (YARA)

Actions looks like stealing of personal data

Stealers network behavior

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Process drops python dynamic module

The process drops C-runtime libraries

Executable content was dropped or overwritten

Application launched itself

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Found strings related to reading or modifying Windows Defender settings

Starts CMD.EXE for commands execution

Uses WEVTUTIL.EXE to query events from a log or log file

Uses REG/REGEDIT.EXE to modify registry

Loads Python modules

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

Starts POWERSHELL.EXE for commands execution

Starts application with an unusual extension

Uses NETSH.EXE to obtain data on the network

The process bypasses the loading of PowerShell profile settings

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

CSC.EXE is used to compile C# code

The executable file from the user directory is run by the CMD process

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain a list of video controllers

Checks for external IP

Uses SYSTEMINFO.EXE to read the environment

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Creates files in the program directory

The Powershell gets current clipboard

Checks the directory tree

Reads security settings of Internet Explorer

Displays MAC addresses of computer network adapters

Found Base64 encoded reflection usage via PowerShell (YARA)

PyInstaller has been detected (YARA)

UPX packer has been detected

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information