{
	"id": "e2ac68c1-0d13-4135-911a-dfb5397d0ece",
	"created_at": "2026-04-06T00:14:01.865891Z",
	"updated_at": "2026-04-10T03:37:08.734531Z",
	"deleted_at": null,
	"sha1_hash": "25b16af9b6e8cec1b1af15893c43fd013d815bde",
	"title": "Grabbot is Back to Nab Your Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1369338,
	"plain_text": "Grabbot is Back to Nab Your Data\r\nPublished: 2017-03-17 · Archived: 2026-04-05 19:45:32 UTC\r\nFortinet has discovered a new botnet capable of stealing large amounts of user information, as well as remotely\r\nmanipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot,\r\nwhich was first discovered back in November of 2014. This new variant improves on that existing functionality\r\nwhile adding several dangerous new features. This blog aims to offer a quick insight into how Grabbot functions.\r\nReplication\r\nThe bot can be found hosted on a number of compromised websites with a random filename. We currently suspect\r\nthat Grabbot may arrive on these hosts through Exploit Kits or other malicious campaigns.\r\nThe bot may drop several files in the following paths:\r\n●\"%AppData%\\{GUID}\\{generated filename}.exe\"\r\n●\"%AppData%\\{GUID}\\{generated filename}.bat\"\r\n●\"%AppData%\\{GUID}\\{generated filename}\"\r\nNote that each generated filename is different, as it is derived from the host machine’s System Volume Information. Several\r\nmutexes are created in the same way. 
Each dropped file also has its file timestamps set to match those of\r\n“cmd.exe” in Windows.\r\nThe malware creates the following registry entry to survive system reboots:\r\n●HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n○{GUID} = \"%AppData%\\{GUID}\\{generated filename}.exe\"\r\nDuring execution, the bot may inject the main payload into explorer.exe and delete the original file.\r\nBrowser Targeting\r\nThe bot enters a sleep loop and will not perform the rest of its functionality unless one of the following internet\r\nbrowsers is found in the active process list:\r\n●Internet Explorer (iexplore.exe)\r\n●Firefox (firefox.exe)\r\n●Google Chrome (chrome.exe)\r\n●Opera (opera.exe)\r\nhttp://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data\r\nPage 1 of 7\n\nAnti-analysis measures\r\nThe bot also scans active processes for the presence of certain system analysis tools, such as Wireshark or Process\r\nExplorer. If any is found, the bot may branch into a fake set of behaviours instead of the actual payload.\r\nFig. 1: Searching for hashes of specific process names\r\nFig. 2: Part of the fake behaviour - Random domain name generation and contact\r\nC\u0026C Connection\r\nBefore the bot attempts to contact the command and control (C\u0026C) server, it first makes a connection to\r\nwww.microsoft.com to verify internet connectivity. If a connection can be established, the bot will iterate through a\r\nlist of possible C\u0026C servers and contact each until a response is received. 
The C\u0026Cs observed in this\r\nsample are:\r\n●http://de{REMOVED}is.site\r\n●http://ge{REMOVED}et.site\r\n●http://bi{REMOVED}ys.info\r\n●http://on{REMOVED}nc.site\r\n●http://de{REMOVED}is.info\r\n●http://ss{REMOVED}rs.info\r\nWhen a connection is established, the bot may attempt to download the following data files:\r\n●/wordpress/ajax/d.dat\r\n●/wordpress/ajax/e.dat\r\n●/wordpress/ajax/f.dat\r\n●/wordpress/ajax/out.dat\r\n●/wordpress/ajax/g.dat\r\n●/wordpress/ajax/h.dat\r\nThe files are saved on the disk with a generated filename. Notably, the file “out.dat” is renamed to the executable\r\nfilename referenced by the autorun registry entry. All communication between the bot and the C\u0026C is encrypted and done through\r\nHTTP. In any contact with a C\u0026C, the bot will try twice to establish a connection before trying a different C\u0026C.\r\nFig. 3: C\u0026C communication\r\nC\u0026C Commands\r\nThe botnet is capable of responding to the following commands:\r\nCommand Function\r\nuser_execute Executes a file on the host machine\r\nbot_update Updates the bot itself\r\nconf_update Updates the bot configuration\r\nbot_uninstall Removes the bot from the host machine\r\nconf_update2 Updates the bot configuration\r\nsend_debug Sends system information and log data to the C\u0026C\r\nsocks_bc Establishes a SOCKS proxy\r\nrun_vnc Creates a VNC connection\r\ninstall_bd1 Installs a TeamViewer backdoor\r\nurl_block_add Blocks specific URLs from being accessed\r\nurl_block_rem Removes URL blocking\r\ngrab_ftp Retrieves FTP information from the host\r\ngrab_cookies Retrieves browser cookies from the host\r\ngrab_sol Retrieves local shared objects/flash cookies\r\ngrab_certs Retrieves client certificates\r\ngrab_all Retrieves data from all grab 
functions\r\ndel_cookies Deletes browser cookies\r\ngrab_pop Retrieves Outlook POP accounts\r\nrun_plugin_exe Downloads and injects an executable into svchost.exe and runs it\r\nrun_plugin_dll Downloads and injects a library into svchost.exe and runs it\r\nCompared to the previously known version of Grabbot, there are several new commands labeled “conf_update2”,\r\n“install_bd1”, “grab_pop”, “run_plugin_exe” and “run_plugin_dll”.\r\nSending Back Debug Information\r\nThe bot is able to extract current system information, including a list of active processes, detected AV products,\r\nand a list of installed applications. The bot may send this information to the C\u0026C on command.\r\nFig. 4: System debug information\r\nBanking Backdoor\r\nThe bot is also capable of tracking whether specific sites, namely financial institutions and services, are accessed, and\r\nmay launch a proxy or remote access backdoor to steal information. Some targeted sites from the list are as\r\nfollows (in the format *[URL]*;[backdoor cmd] [arguments]):\r\n●*paypal.com*;socks_bc 5.{REMOVED}.250:7777\r\n●*hxxps://www1.royalbank.com/cgi-bin/rbaccess/*;run_vnc\r\n●*hxxps://easyweb.td.com/*;run_vnc\r\n●*hxxps://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?product=5*;run_vnc\r\nCrypto-Currency Wallet Stealing\r\nThe bot recursively scans the %AppData% directory looking for files with the name “wallet.dat”, “electrum.dat”\r\nor “wallet”. If any match is found, the contents of the file are read and encrypted, then stored in a temporary file\r\nfor retrieval.\r\nFig. 5: Wallet data to be retrieved\r\nConclusion\r\nGrabbot was a relatively unknown bot in the past, but from our brief analysis of this new variant it is apparent that\r\nGrabbot now has the potential to be very dangerous. 
Although we are still investigating its current distribution\r\nmethod, Fortinet is able to detect this new variant and we will keep you updated on any further changes.\r\nSample MD5: d439c468d59f117c584bda463b03aea9\r\nSample SHA256: 6d8ce2d1b33ff42ba04ded09fe79cff158e6dfffa82f6ceada12f4fda6d0c221\r\nFortinet Detection Name: W32/Kryptik.VVV!tr\r\nSource: http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data"
	],
	"report_names": [
		"grabbot-is-back-to-nab-your-data"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25b16af9b6e8cec1b1af15893c43fd013d815bde.pdf",
		"text": "https://archive.orkl.eu/25b16af9b6e8cec1b1af15893c43fd013d815bde.txt",
		"img": "https://archive.orkl.eu/25b16af9b6e8cec1b1af15893c43fd013d815bde.jpg"
	}
}