File name:	RunWithAffinity.exe
Full analysis:	https://app.any.run/tasks/c71fb4a6-0374-4284-9886-e1319458573d
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 23, 2024, 11:59:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	blankgrabber evasion discord stealer growtopia discordgrabber generic susp-powershell ims-api pyinstaller upx python autoit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	6019D4756C3441D263122287DEE5E1BE
SHA1:	6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01
SHA256:	EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571
SSDEEP:	98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:11:23 11:37:50+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.1
ProductVersionNumber:	10.0.19041.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Enhanced Storage Authentication Program
FileVersion:	10.0.19041.1 (WinBuild.160101.0800)
InternalName:	EhStorAuthn.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	EhStorAuthn.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.1


(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3000) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(848) RunWithAffinity.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31145375
(PID) Process:	(7892) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value: 807299079

PID	Process	Filename		Type
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_decimal.pyd		executable
		MD5:7BA541DEFE3739A888BE466C999C9787	SHA256:F90EFA10D90D940CDE48AAFE02C13A0FC0A1F0BE7F3714856B7A1435F5DECF29
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_bz2.pyd		executable
		MD5:0C13627F114F346604B0E8CBC03BAF29	SHA256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_sqlite3.pyd		executable
		MD5:D678600C8AF1EEEAA5D8C1D668190608	SHA256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_ctypes.pyd		executable
		MD5:38FB83BD4FEBED211BD25E19E1CAE555	SHA256:CD31AF70CBCFE81B01A75EBEB2DE86079F4CBE767B75C3B5799EF8B9F0392D65
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\base_library.zip		compressed
		MD5:2A138E2EE499D3BA2FC4AFAEF93B7CAA	SHA256:130E506EAD01B91B60D6D56072C468AEB5457DD0F2ECD6CE17DFCBB7D51A1F8C
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\bound.blank		binary
		MD5:2F465D8AE1223DE5A6BD5FCC0872A6E3	SHA256:03CCB57CD73F735A1F90619966CCD9255CA61401126E26EAE9BF29E4ABF04A3E
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\blank.aes		binary
		MD5:3842F606F9C65E7D852925ED4F81441C	SHA256:43E41CC75170FB281BA9CA7AD288BD2C1AC018CCC7AF4D93E0C4A3C68EC9563B
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
4444	RunWithAffinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI44442\_queue.pyd		executable
		MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E	SHA256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3884	RUXIMICS.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	204	172.217.18.3:443	https://gstatic.com/generate_204	unknown	—	—	unknown
4328	svchost.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3884	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
848	RunWithAffinity.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1309840324327112714/khOqC9Xa7VD6KiHYOJwCdhPJEXfjuHaNYi156MGqp0Drd_sRip37DX6D-Zk4HE_BQf5N	unknown	binary	45 b	whitelisted
4328	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4328	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3884	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.144:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4328	svchost.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3884	RUXIMICS.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4328	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 40.127.240.158	whitelisted
www.bing.com	104.126.37.144 104.126.37.171 104.126.37.160 104.126.37.176 104.126.37.153 104.126.37.154 104.126.37.170 104.126.37.155 104.126.37.162	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.32.238.112 2.19.198.43	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
gstatic.com	142.250.186.99	whitelisted
ip-api.com	208.95.112.1	shared
discord.com	162.159.137.232 162.159.128.233 162.159.135.232 162.159.138.232 162.159.136.232	whitelisted
self.events.data.microsoft.com	20.189.173.15	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
848	RunWithAffinity.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
848	RunWithAffinity.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
848	RunWithAffinity.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

RunWithAffinity.exe

6019D4756C3441D263122287DEE5E1BE

6FBA26BE39D67FE7F49BB98BFDB9C260F683FB01

EB9E6EE23BF224A25796C48CA84F35574F122AFC95CB3B5681A39EE566E27571

98304:KJ3pHOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGe3ZIztsFyv9rWAqCEV9A3grO:ZZmb8YgKjfff

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Steals credentials from Web Browsers

Bypass execution policy to execute commands

Actions looks like stealing of personal data

Changes powershell execution policy (Bypass)

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

BlankGrabber has been detected

BLANKGRABBER has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops python dynamic module

Application launched itself

Uses WEVTUTIL.EXE to query events from a log or log file

Uses REG/REGEDIT.EXE to modify registry

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Loads Python modules

Get information on the list of running processes

Starts POWERSHELL.EXE for commands execution

Uses WMIC.EXE to obtain Windows Installer data

Uses SYSTEMINFO.EXE to read the environment

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Base64-obfuscated command line is found

The process bypasses the loading of PowerShell profile settings

BASE64 encoded PowerShell command has been detected

CSC.EXE is used to compile C# code

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain operating system information

Checks for external IP

Uses WMIC.EXE to obtain a list of video controllers

Uses WMIC.EXE to obtain computer system information

The executable file from the user directory is run by the CMD process

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

The Powershell gets current clipboard

Reads security settings of Internet Explorer

Checks the directory tree

Displays MAC addresses of computer network adapters

Found Base64 encoded reflection usage via PowerShell (YARA)

PyInstaller has been detected (YARA)

Attempting to use instant messaging service

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information