Skip to content
Malware family

BlankGrabber

BlankGrabber is a Python-based information stealer first identified in 2023 that targets Windows systems.

Profile source: Mallory opens in a new tab

BlankGrabber

Family profile

BlankGrabber is a Python-based information stealer first identified in 2023 that targets Windows systems. It is commonly packaged with PyInstaller and uses layered obfuscation and multi-stage delivery to evade analysis, including an encrypted payload file named blank.aes, runtime AES-GCM decryption, and additional encoded Python stages such as stub-o.pyc using Base64, ROT13, string reversal, and zlib-compressed content. Reporting cited in the content attributes analysis to Splunk Threat Research Team.

The malware is distributed through social engineering and commodity malware channels, including fake cracked software, malicious archives shared on Discord, fraudulent GitHub repositories, phishing, and at least one observed Gofile.io-hosted batch script. In the described attack chain, a batch loader abuses certutil.exe in a fake certificate installation workflow to decode a Rust-based stager. That stager performs anti-sandbox checks, then decrypts and launches a self-extracting archive that delivers BlankGrabber together with XWorm. The broader campaign is described as abusing counterfeit certificate-themed lures to conceal Rust- and Python-based stages.

BlankGrabber performs anti-analysis and victim triage by checking for virtual machines, debugger or sandbox indicators, security tools, MAC addresses, WMI hardware strings, adapter registry names, usernames, computer names, UUIDs, and cloud-hosting indicators such as ip-api.com hosting fields. The content notes expanded blacklists of UUIDs, computer names, and account names associated with sandbox farms.

Its theft capabilities include collecting data from Chromium and Firefox browsers, including credentials, saved passwords, cookies, session tokens, and autofill information; enumerating saved Wi-Fi profiles and stealing Wi-Fi passwords; harvesting clipboard contents; taking screenshots and webcam snapshots; and stealing cryptocurrency wallet data, including wallet extensions and directories associated with Exodus, AtomicWallet, Coinomi, and Electrum. It also targets Telegram Desktop data, Discord tokens, and data associated with Telegram, Roblox, Discord, Steam, and browser-stored wallet extensions.

BlankGrabber also tampers with host defenses and maintains persistence. The content states it disables multiple Windows Defender protections, including via PowerShell, removes antivirus signatures, modifies the Windows hosts file to redirect security websites to 0.0.0.0, uses a registry-based UAC bypass to relaunch with elevated privileges, and establishes persistence via Registry Run Keys and by copying itself into the Windows startup folder.

Exfiltration in this malware family is described as commonly occurring via Telegram Bot API or HTTP POST, including api.telegram.org endpoints such as sendDocument and sendMessage. The content also notes that Telegram bot tokens and C2 strings can often be recovered from process memory after runtime decryption. Overall, BlankGrabber is characterized in the source material as a mass-produced infostealer rather than an APT-grade tool, notable for broad credential and data theft, low barrier to entry, and widespread distribution.

MITRE ATT&CK

BlankGrabber in ATT&CK

24 distinct techniques

Reporting

Research mentioning BlankGrabber

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.