{
  "Event": {
    "analysis": "1",
    "date": "2026-03-26",
    "extends_uuid": "",
    "info": "[Threat Intel] The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader",
    "protected": false,
    "publish_timestamp": "1775900419",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775900419",
    "uuid": "67a7f198-065a-4c76-9c31-b46c101930e4",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#346a03",
        "local": false,
        "name": "misp-galaxy:producer=\"Splunk\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"BlankGrabber\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4edbe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Information Discovery - T1217\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1629.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#00f752",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#65d24c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"",
        "relationship_type": ""
      },
      {
        "colour": "#461928",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Blocking - T1562.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ece0df",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Wi-Fi Discovery - T1016.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609214",
        "to_ids": false,
        "type": "link",
        "uuid": "35e7e4a8-3e78-48dc-ad37-a50487b63dff",
        "value": "https://www.splunk.com/en_us/blog/security/blankgrabber-trojan-stealer-analysis-detection.html"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609214",
        "to_ids": false,
        "type": "text",
        "uuid": "10347686-cf8c-4a90-b048-2cf4e204e3cf",
        "value": "BlankGrabber, a Python-based information stealer, employs sophisticated techniques to evade detection and exfiltrate sensitive data. It uses a multi-stage infection chain, starting with a batch file loader that disguises the payload as certificate data. The malware implements anti-analysis measures, including sandbox and virtualization checks. It harvests a wide range of data, including browser information, system details, and credentials from various applications. BlankGrabber utilizes Windows Management Instrumentation for system discovery, captures screenshots and webcam images, and attempts to disable Windows Defender. The malware achieves persistence through startup folder manipulation and exfiltrates data using Telegram bots and public web services."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609214",
        "to_ids": false,
        "type": "text",
        "uuid": "22ba38e6-54bf-499b-9a37-d597297f810d",
        "value": "Name: The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader\nAuthor: AlienVault\nAdversary: \nTags: [\"xworm\", \"information stealer\", \"blankgrabber\"]\nTgtd countries: []\nMlwr families: [\"BlankGrabber\", \"XWorm\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609214",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "418a6916-61ed-4098-be20-f643e8bc03d9",
        "value": "CVE-2024-27198"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609214",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "abbc652b-c44e-4ce7-846e-5d5de8c00ebf",
        "value": "CVE-2024-27199"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775884480",
        "uuid": "ac4f1333-201b-4254-a2b4-a2c8ce795d52",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775884480",
            "to_ids": true,
            "type": "md5",
            "uuid": "06ff532c-1173-4475-9222-0d84a7fabd72",
            "value": "4317201817b69553c0120ea4053da8ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884241",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6fa5ff81-2b69-4884-aa7b-eb2acadf4524",
            "value": "2321100d9c75f80a6eb539d7b88214e517525502",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884241",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dcb4c121-3abd-45d9-9443-d27999cf2cd6",
            "value": "268d12a71b7680e97a4223183a98b565cc73bbe2ab99dfe2140960cc6be0fc87",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881231",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2c193c10-e60b-4eb2-b8d2-f5fc1ec11312",
            "value": "196608:94UOXXKApQ5wRpj9fZwQRCgJIKpdzjPOtn7jzEOA4TBR2wTChiednXBtpicinf35:9QHw8fIKppDOSN4TB9e5BiJ35"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881231",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b7a18e0e-fce7-495e-bd01-1b7c66732a3a",
            "value": "11382624"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881231",
            "to_ids": true,
            "type": "vhash",
            "uuid": "42598f3f-7d1d-4da0-8fb5-6b142e211018",
            "value": "017076655d155d0555504013z3006emz1cfz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881231",
            "to_ids": true,
            "type": "filename",
            "uuid": "b932fc8b-2478-4071-a63d-2b7cc74fa380",
            "value": "WINVER.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881231",
            "to_ids": false,
            "type": "text",
            "uuid": "0438aed5-9b34-44bc-ae18-ec3c36b37cb7",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Phonzy.A!ml\nVT Total Detection: 52/72\nFirst Submission: 2026-02-08T19:03:38.000000+00:00\nLast Submission: 2026-03-09T11:41:05.000000+00:00"
          }
        ]
      }
    ]
  }
}