Analytics Story: BlankGrabber Stealer

Description

BlankGrabber is a Windows information stealer, typically delivered through phishing emails, malicious downloads, cracked software, and fake game cheats. Once executed it harvests saved browser passwords, cookies and autofill data, cryptocurrency wallet files, Discord tokens, and system details, then sends the collection to attacker-controlled infrastructure, commonly a Discord webhook or the Telegram Bot API over HTTPS. It also ships basic anti-analysis and defense-evasion tricks: time-based and WMI-driven environment checks, a fodhelper/ComputerDefaults-style UAC bypass, Windows Defender exclusions and feature disablement, and killing browser processes so their credential databases can be copied. Together these enable account takeover, financial theft, and broader network compromise.

Why it matters

BlankGrabber does not announce itself. Delivered as cracked software, a game cheat, or an innocuous attachment, it runs quietly, weakens local defenses, and sweeps the victim's profile: browsers give up saved passwords and cookies, wallet directories give up key material, and Discord's local storage gives up authentication tokens. The haul is packaged and sent to attacker infrastructure, usually over ordinary HTTPS that blends in with normal traffic. With light persistence (a Startup folder entry) and basic anti-analysis checks, it enables account takeover, financial theft, and deeper compromise before the victim notices anything is wrong. The detections in this story therefore key on the behaviours around collection (Defender tampering, UAC bypass, non-browser processes opening credential stores, DNS lookups of abused web services) rather than on recognising the stealer binary itself.

Detections

Name | Technique | Type
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Mshta, Visual Basic | Anomaly
Cisco NVM - Suspicious Download From File Sharing Website | BITS Jobs | Anomaly
Cisco NVM - Suspicious File Download via Headless Browser | Ingress Tool Transfer, Command and Scripting Interpreter | TTP
Cisco NVM - Suspicious Network Connection to IP Lookup Service API | IP Addresses, System Network Configuration Discovery | Anomaly
Detect mshta inline hta execution | Mshta | TTP
Disable Defender Submit Samples Consent Feature | Disable or Modify Tools | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly
FodHelper UAC Bypass | Modify Registry, Bypass User Account Control | TTP
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Potential Telegram API Request Via CommandLine | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly
Powershell Disable Security Monitoring | Disable or Modify Tools | TTP
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP
Process Creating LNK file in Suspicious Location | Spearphishing Link | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
System Information Discovery Detection | System Information Discovery | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows ComputerDefaults Spawning a Process | Bypass User Account Control | TTP
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Disable or Modify Tools Via Taskkill | Disable or Modify Tools | Anomaly
Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP
Windows EventLog Recon Activity Using Log Query Utilities | Log Enumeration | Anomaly
Windows Hosts File Access | Query Registry | Anomaly
Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP
Windows MpCmdRun RemoveDefinitions Execution | Disable or Modify Tools | Anomaly
Windows Non Discord App Access Discord LevelDB | Query Registry | Anomaly
Windows Product Key Registry Query | Query Registry | Anomaly
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly
Windows Time Based Evasion | Time Based Checks | TTP
Windows WinRAR Launched Outside Default Installation Directory | Windows Management Instrumentation | Anomaly
Windows WMI Reconnaissance Class Query | Windows Management Instrumentation | Anomaly
Windows Wmic Systeminfo Discovery | System Information Discovery | Anomaly
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Suspicious Process With Discord DNS Query | Visual Basic | Anomaly
Windows Abused Web Services | Web Service | Anomaly
Windows DNS Query Request by Telegram Bot API | DNS, Bidirectional Communication | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly
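As an added example (not part of the Splunk content and not BlankGrabber's own code), the following Python models a handful of the detections listed above over constructed Sysmon and Windows Security events, then correlates hits by originating binary, which is how a story like this is meant to be consumed: any one of these alone is noisy, several from the same process in a short window is the stealer. The flattened event shape, the hypothetical `cheat.exe` stager, the owner-process sets, and the abused-service domain list are assumptions for illustration; the production searches are SPL against the data sources listed below, not this script.

```python
import ntpath
import re

# Constructed sample events in a flattened Sysmon / Windows Security shape (not real telemetry).
# event_id: 1 = Sysmon process create, 11 = Sysmon file create, 13 = Sysmon registry value set,
# 22 = Sysmon DNS query, 4663 = Security object access. "cheat.exe" is a hypothetical stealer.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\cheat.exe",
     "command_line": r'powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"'},
    {"id": 2, "event_id": 13, "image": r"C:\Users\alice\Downloads\cheat.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"id": 3, "event_id": 4663, "image": r"C:\Users\alice\Downloads\cheat.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4, "event_id": 4663, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # benign
    {"id": 5, "event_id": 4663, "image": r"C:\Users\alice\Downloads\cheat.exe",
     "object_name": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"id": 6, "event_id": 11, "image": r"C:\Users\alice\Downloads\cheat.exe",
     "target_filename": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"id": 7, "event_id": 22, "image": r"C:\Users\alice\Downloads\cheat.exe", "query_name": "api.telegram.org"},
    {"id": 8, "event_id": 22, "image": r"C:\Users\alice\Downloads\cheat.exe", "query_name": "discord.com"},
    {"id": 9, "event_id": 22, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query_name": "discord.com"},  # benign
    {"id": 10, "event_id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Users\alice\Downloads\cheat.exe",
     "command_line": "taskkill /F /IM chrome.exe /IM firefox.exe /IM msedge.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}
CHROMIUM = BROWSERS - {"firefox.exe"}
LOLBINS = {"powershell.exe", "taskkill.exe", "cmd.exe", "wmic.exe", "netsh.exe", "reg.exe"}

# Credential-store paths and the processes that legitimately open them (illustrative owner sets).
STORE_OWNERS = [
    (re.compile(r"\\User Data\\(?:.*\\)?(?:Login Data|Local State|Web Data|Cookies)$", re.I), CHROMIUM),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(?:logins\.json|key4\.db|cookies\.sqlite)$", re.I), {"firefox.exe"}),
    (re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I), {"discord.exe"}),
]
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)"
    r"|Set-MpPreference\s.*-(?:DisableBehaviorMonitoring|DisableRealtimeMonitoring|SubmitSamplesConsent"
    r"|EnableControlledFolderAccess|EnableNetworkProtection)"
    r"|MpCmdRun(?:\.exe)?\s.*-RemoveDefinitions", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I)
MS_SETTINGS_HIJACK = re.compile(r"\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I)
STAGED_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\(?:.*\\)?(?:Login Data|Local State|Web Data|Cookies)$", re.I)
KILL_BROWSER = re.compile(r"/IM\s+(?:chrome|firefox|msedge|brave|opera)\.exe", re.I)
# Exfil and IP-check services the stealer reaches; illustrative list, extend per environment.
ABUSED_SERVICES = ("telegram.org", "discord.com", "discordapp.com", "ipify.org", "ipinfo.io")


def _proc(ev):
    return ntpath.basename(ev.get("image", "")).lower()


def _cmd(ev):
    return ev.get("command_line", "")


def non_owner_store_access(ev):
    """4663: a process other than the store's owner opens a browser or Discord credential store."""
    if ev["event_id"] != 4663:
        return False
    for pattern, owners in STORE_OWNERS:
        if pattern.search(ev.get("object_name", "")):
            return _proc(ev) not in owners
    return False


def dns_to_abused_service(ev):
    """22: lookup of an exfil / IP-check domain by something that is neither a browser nor the service's client."""
    if ev["event_id"] != 22:
        return False
    q = ev.get("query_name", "").lower()
    if not any(q == d or q.endswith("." + d) for d in ABUSED_SERVICES):
        return False
    return _proc(ev) not in BROWSERS | {"discord.exe", "telegram.exe"}


DETECTIONS = [
    ("Defender tamper via PowerShell or MpCmdRun",
     lambda ev: ev["event_id"] == 1 and bool(DEFENDER_TAMPER.search(_cmd(ev)))),
    ("PowerShell execution policy bypass",
     lambda ev: ev["event_id"] == 1 and bool(EXEC_POLICY_BYPASS.search(_cmd(ev)))),
    ("fodhelper/ms-settings handler hijack (UAC bypass)",
     lambda ev: ev["event_id"] == 13 and bool(MS_SETTINGS_HIJACK.search(ev.get("target_object", "")))),
    ("Non-owner access to browser or Discord credential store", non_owner_store_access),
    ("Browser credential DB copied into TEMP",
     lambda ev: ev["event_id"] == 11 and bool(STAGED_IN_TEMP.search(ev.get("target_filename", "")))),
    ("DNS query to abused web service from non-browser", dns_to_abused_service),
    ("Browser processes killed via taskkill",
     lambda ev: ev["event_id"] == 1 and _proc(ev) == "taskkill.exe" and bool(KILL_BROWSER.search(_cmd(ev)))),
]


def run_detections(events):
    """Return {detection name: [event ids that matched]} for a list of flattened events."""
    hits = {name: [] for name, _ in DETECTIONS}
    for ev in events:
        for name, pred in DETECTIONS:
            if pred(ev):
                hits[name].append(ev["id"])
    return hits


def origin(ev):
    """Attribute LOLBin children (powershell, taskkill, ...) to their parent so the stager accumulates the risk."""
    if _proc(ev) in LOLBINS and ev.get("parent_image"):
        return ev["parent_image"]
    return ev.get("image", "")


def risk_by_origin(events):
    """Distinct detections per originating binary; several at once is the BlankGrabber pattern."""
    seen = {}
    for ev in events:
        for name, pred in DETECTIONS:
            if pred(ev):
                seen.setdefault(origin(ev), set()).add(name)
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    for name, ids in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
    print(risk_by_origin(SAMPLE_EVENTS))
```

Two design choices worth carrying into real searches: the credential-store rule is an allow-list of owner processes rather than a block-list of bad ones, so a renamed stager still fires, and the correlation step re-attributes PowerShell and taskkill children to their parent, which is what turns seven medium-fidelity anomalies into one high-confidence finding on `cheat.exe` while the benign Chrome events (4 and 9) contribute nothing.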

Data Sources

Name | Platform | Sourcetype | Source
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 1