Analysis of the BlankGrabber stealer shows it is packaged as a PyInstaller executable with multi-layer obfuscation and AES encryption, exfiltrating data via Discord webhooks while performing sandbox/VM checks and Defender evasion before launching bundled payloads. It harvests Chromium browser data, Discord tokens, Telegram desktop key files, crypto-wallet data, Wi‑Fi profiles, screenshots, and webcam captures, and uses a GUI-driven builder to obfuscate, pack, and encrypt payloads for exfiltration to threat actor‑controlled webhooks. #BlankGrabber #DiscordWebhooks #PyInstaller #DiscordTokens #TelegramDesktop #CryptoWallets #WiFiPasswords #WebcamSnaps
Keypoints
- Sample identified as the BlankGrabber stealer, packaged as a PyInstaller executable but modified to hide packer metadata.
- Extraction and analysis used pyinstxtractor to unpack, then pycdc and a custom disassembly script to recover and deobfuscate loader-o.pyc and stub-o.pyc (blank.aes contains encrypted payload).
- Pre-execution routines create a mutex, attempt privilege escalation, exclude/disable Windows Defender via decoded PowerShell commands, and launch any bundled payloads as separate processes.
- Environment checks include blacklisted UUIDs, computer/usernames, running tasks and registry lookups to detect VMs/sandboxes and abort if found.
- Stealer functions run multi-threaded and harvest Chromium browser data (passwords, cookies, history via SQLite queries), Discord profile/token data, Telegram desktop key files, crypto wallet data (appdata and extensions), Wi‑Fi profiles/passwords via netsh, screenshots, webcam snaps via ctypes.windll, system info and targeted file collections.
- Builder (GUI) automates configuration, then BlankOBF.py splits/encodes/reverses and shuffles code parts, injects junk code, compiles into an archive encrypted with AES-GCM (using a typo-squatted pyaes implementation), and tampers with executable metadata to avoid PyInstaller detection.
- Data exfiltration packages stolen items into an archive and sends them to threat actor-controlled Discord webhook URLs (C2) as the final delivery channel.
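The Defender evasion described in the pre-execution keypoint (exclusions added or protections switched off through decoded PowerShell commands) is visible in command-line and script-block logs. The following is an added detection example, not code from the K7 Labs write-up or from the sample: it checks PowerShell command lines for Defender-tampering cmdlets and also decodes an `-EncodedCommand` argument (base64 of UTF-16LE) before matching, on the assumption that the encoded form is what appears in the log. Log lines, paths and the pattern names are constructed for the example.

```python
"""
Added example (not from the K7 Labs write-up): flag PowerShell command lines that
add Windows Defender exclusions or switch off its protections. Handles
-EncodedCommand (base64 of UTF-16LE) so the check runs on the decoded text.
All log lines below are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

# Defender configuration changes worth a look. Admin tooling uses these cmdlets
# too, so a hit is a triage lead to pair with parent process and user context.
DEFENDER_TAMPER_PATTERNS = {
    "defender_exclusion_added": re.compile(
        r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I | re.S),
    "defender_protection_disabled": re.compile(
        r"Set-MpPreference\b.*?-Disable\w+\s+(?:\$true|1)\b", re.I | re.S),
}

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc, ...).
# The letter after "-e" must be c or n, so -ExecutionPolicy and -ep do not match.
ENCODED_FLAG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE, the encoding -EncodedCommand expects (used only to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: two benign lines and two that change Defender settings
# (one in clear text, one behind -enc).
SAMPLE_LOG_LINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    "powershell.exe -ep bypass -w hidden -c \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\"",
    "powershell.exe -w hidden -enc "
    + encode_for_powershell("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_defender_tampering(cmdline: str) -> List[str]:
    """Names of the tamper patterns matched by the raw or decoded command line."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    hits = {name for text in texts
            for name, pat in DEFENDER_TAMPER_PATTERNS.items() if pat.search(text)}
    return sorted(hits)


def triage_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over a batch of log lines and keep only the lines that hit."""
    findings = []
    for idx, line in enumerate(lines):
        hits = find_defender_tampering(line)
        if hits:
            findings.append({"line": idx, "hits": hits,
                             "decoded": decode_encoded_command(line)})
    return findings


if __name__ == "__main__":
    for finding in triage_logs(SAMPLE_LOG_LINES):
        print(finding)
```

Feed real Sysmon EventID 1 command lines or PowerShell 4104 script-block text into `triage_logs`; the decoded text is returned alongside each hit so an analyst sees what actually ran rather than the base64 blob.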
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The malware uses multi-layer obfuscation and AES encryption to hide payloads. [‘multi-layer obfuscation and AES encryption’]
- [T1567.002] Exfiltration Over Web Services – Exfiltration to threat actor-controlled webhooks (Discord) as the final delivery channel. [‘exfiltration to threat actor-controlled webhooks’]
- [T1497] Virtualization/Sandbox Evasion – Performs sandbox/VM checks and Defender evasion before launching bundled payloads. [‘sandbox/VM checks and Defender evasion before launching bundled payloads’]
- [T1562.001] Impair Defenses: Disable Windows Defender – Excludes/disables Windows Defender via decoded PowerShell commands. [‘exclude/disable Windows Defender via decoded PowerShell commands’]
- [T1082] System Information Discovery – Collects system information during operation. [‘system info and targeted file collections’]
- [T1057] Process Discovery – Looks for running tasks to adapt behavior. [‘running tasks’]
- [T1012] Query Registry – Registry lookups to detect VMs/sandboxes. [‘registry lookups to detect VMs/sandboxes’]
- [T1113] Screen Capture – Captures screenshots. [‘screenshots’]
- [T1125] Video Capture – Captures webcam snaps. [‘webcam snaps’]
- [T1555.003] Credentials from Web Browsers – Harvests Chromium browser data (passwords, cookies, history). [‘Chromium browser data (passwords, cookies, history)’]
- [T1560] Archive Collected Data – Packs stolen items into an archive. [‘packs stolen items into an archive’]
- [T1036] Masquerading – Tampers with executable metadata to avoid PyInstaller detection. [‘tamper with executable metadata to avoid PyInstaller detection’]
- [T1068] Privilege Escalation – Attempts privilege escalation during operation. [‘attempt privilege escalation’]
Indicators of Compromise
- [File Hash] sample detections – b1c222dc81a4c1bfe401c1c90d592ad8, bf552178396e2c988549aed62e1e3221
- [URLs / Downloaders] dropped executables – hxxp://oniwtfxxx.ct8.pl/svhost.exe, hxxp://kreedcssg3.temp.swtest.ru/vsc.exe
- [C2 / Webhooks] exfiltration endpoints – hxxps://discord.com/api/webhooks/1132809798509940777/vMplDDwRyx_6_5uYKAXG7bHS-mDzPgPXAJPMkjW0mOGRCJHraAdTsRBlguXlivb1DOef, hxxps://discord.com/api/webhooks/1175476732808155136/yWG3KpQSZDr3w_4pauQKwyHUcFjDeip0NNMvypVQ-rLtb-6Olf6bJH3ZSNvGqPPOGdoA
- [File Names] local artifact and archive – blank.aes (encrypted payload archive), svhost.exe / vsc.exe (observed dropped binaries)
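Because the stolen archive leaves over Discord webhook URLs, outbound proxy logs are the place to catch the exfiltration step. The following added example is not part of the K7 Labs write-up: it parses a constructed pipe-delimited proxy log, picks out POSTs to the `/api/webhooks/<id>/<token>` path, compares the webhook ID against the two IDs listed in the IoC section above, and raises the severity for scripted User-Agents and large uploads. The log format, the field names, the size threshold and all tokens in the sample are constructed assumptions.

```python
"""
Added example (not from the K7 Labs write-up): triage proxy log lines for data
leaving over Discord webhooks. The log format and sample lines are constructed;
the two known-bad webhook IDs come from the write-up's IoC list (tokens omitted).
"""
import re
from typing import Dict, List, Optional

# Webhook URL shape: /api/webhooks/<numeric id>/<token>, on discord.com, its
# ptb/canary hosts, or the legacy discordapp.com domain.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_-]+)",
    re.I,
)

# Webhook IDs from the IoC section of the write-up.
KNOWN_BAD_WEBHOOK_IDS = {"1132809798509940777", "1175476732808155136"}

# User-Agent prefixes typical of scripted uploads rather than a browser or the Discord client.
SCRIPTED_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "go-http-client/")

# Constructed threshold: an archive of browser databases, screenshots and webcam
# captures is far larger than a normal chat-notification webhook call.
LARGE_UPLOAD_BYTES = 500_000

# Constructed log: time|src_ip|method|url|status|bytes_out|user_agent
SAMPLE_PROXY_LOG = [
    "2024-01-10T12:00:01Z|10.0.0.5|GET|https://discord.com/api/v9/users/@me|200|0|Discord/1.0.9030",
    "2024-01-10T12:00:07Z|10.0.0.5|POST|https://discord.com/api/webhooks/1132809798509940777/EXAMPLE_TOKEN_REDACTED|204|2381904|python-requests/2.31.0",
    "2024-01-10T12:03:44Z|10.0.0.9|POST|https://discord.com/api/webhooks/999000111222333444/CONSTRUCTED_TOKEN_abc|204|812|Mozilla/5.0 (Windows NT 10.0)",
    "2024-01-10T12:05:12Z|10.0.0.7|POST|https://discordapp.com/api/webhooks/555666777888999000/CONSTRUCTED_TOKEN_xyz|204|1048576|curl/8.4.0",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one constructed-format log line into a record; None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        return None
    ts, src, method, url, status, nbytes, ua = fields
    return {"time": ts, "src": src, "method": method.upper(), "url": url,
            "status": status, "bytes_out": int(nbytes), "user_agent": ua}


def score_webhook_request(rec: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for a POST to a Discord webhook, else None."""
    m = WEBHOOK_RE.search(str(rec["url"]))
    if not m or rec["method"] != "POST":
        return None
    webhook_id, token = m.group(1), m.group(2)
    reasons = ["discord_webhook_post"]
    if webhook_id in KNOWN_BAD_WEBHOOK_IDS:
        reasons.append("known_bad_webhook_id")
    if str(rec["user_agent"]).lower().startswith(SCRIPTED_UA_PREFIXES):
        reasons.append("scripted_user_agent")
    if int(rec["bytes_out"]) >= LARGE_UPLOAD_BYTES:
        reasons.append("large_upload")
    if "known_bad_webhook_id" in reasons or len(reasons) >= 3:
        severity = "high"
    elif len(reasons) == 2:
        severity = "medium"
    else:
        severity = "low"  # legitimate CI/alerting webhooks look like this
    return {"time": rec["time"], "src": rec["src"], "webhook_id": webhook_id,
            # keep the token out of tickets and dashboards; the ID is enough to pivot on
            "token": token[:4] + "...", "reasons": reasons, "severity": severity}


def analyze_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for every webhook POST in the log, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = score_webhook_request(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The webhook ID is the stable part of the URL and is what a blocklist or a SIEM lookup should key on; the token is a credential for posting to that webhook and is deliberately truncated in the output. Webhook traffic from CI systems or chat integrations is normal, so only the combination of scripted client, large upload and known-bad ID is scored high here.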
Read more: https://labs.k7computing.com/index.php/open-source-stealers-oss-python/