Sample

The sample (“Velocity.exe”) is a 64-bit Windows PyInstaller-packed dropper whose purpose is to deliver BlankGrabber. The interesting bit isn’t BlankGrabber itself (well-documented), but the multi-stage loader:

1. PyInstaller container → extracts a main .pyc loader.
2. That loader reads an embedded file (blank.aes), applies byte-reversal + zlib, then decrypts it with AES-GCM using a modified PyAES implementation, and loads a module (stub-o).
3. stub-o is mostly obfuscation glue that unwraps a compressed XZ/LZMA stage (and more layered Python obfuscation + marshal payloads).
4. After fixing the Python 3.13 mismatch, the final marshalled code can be dumped back into a .pyc for normal decompilation.

Final payload behavior matches a typical commodity stealer, including:
- Sandbox/VM checks (UUID/hostname/username blacklists, hosting-IP checks, VirtualBox/VMware artifacts).
- Browser theft focused on Chromium (passwords, cookies, history, autofill).
- Discord-focused theft: collects account/payment metadata and performs client injection (AppData modification) to steal tokens/credentials and payment details.
- Session theft across gaming/messaging apps (Discord/Telegram/Steam/etc.) and crypto wallet targeting (notably MetaMask extension IDs).
- Additional post-compromise features: screenshots, clipboard, webcam capture, Wi-Fi credential collection, persistence tricks, UAC bypass attempts, website blocking, and Defender tampering.