One funny thing you can do with discord webhooks if they're present, is to _just_ delete them lmao
Another funny thing you can do with bots is you can kick them from your server! Silly, huh?
@@ENNEN420 yeah that sure is fun and silly, but before you do that, make sure to use that same bot to infiltrate the server, and hopefully report the owner. although I wouldn't trust Discord's T&S team to actually do anything. It's also possible using the webhook URL to see the user who created it lmao
That won't work if the attacker set up a custom domain with a PHP backend to do the requests behind the scenes and not forward it if it's a webhook delete request
@@electricz3045 yep, that's true! but if we take a moment to think about the target "audience" for these kinds of things, I feel like you'll be coming across a lot of people who don't bother to even do that. for example, in the Hypixel (a Minecraft server with different games) skyblock (one of their games) community, there's a lot of scams involving utility mods that "supposedly" help the player. a while back I remember browsing across a dozen YouTube videos about said mods (sorted by upload date), and after reversing the code, it was mostly the same 2 jars (so two different grabbers), just with different webhooks
@@electricz3045 in most cases skids don't modify code, incapable of it
It terminating itself when detecting tokenprotector is really weird, you would think it would just laugh at it but actually "helping" it to work by not activating doesn't make any sense
if I did read the code correctly, it's the other way around. this malware kills any blacklisted process, the tokenprotector too.
One thing that would be important to mention with such videos is, HOW would one get infected with it? What to look out for, and how easy it is to be caught in the net. Arguably, that would be even more important than just doing a deep dive into the code! Which is also appreciated.
"Growtopia? I don't know what that is.. *sounds* like it's marijuana related..."
was not expecting to see growtopia mentioned. it was a fairly popular indie mmo that got bought out by ubisoft and ran into the ground. even if this stealer is from a while back it's odd to see something specifically check for a game so niche. great video
definitely a throwback from when i played it back in like 2020
Growtopia is a prolific MMO known for hacking and real world trading. I was involved with the real world trading scene for a while until the ingame inflation made it unbearable. Surprised it tried to password grab it. Bit of a throwback because I haven't heard of it for years.
Also gambling on the game, of course
@@lg-nathan84 thats tied to the real world trading... basically irl gambling but accessible to the youth! lovely..
Lmao yea I was surprised to see it mentioned here. I loved playing it when I was younger but ofc it got ruined
My childhood game... 22yo now. Sad to see it dying
@@paws-at-you Last time I touched it was in the summer of 2020. It was always not a great game, from mediocre content creation somehow garnering hundreds of thousands of subscribers because someone was rich ingame to culture (racism, sexism, homophobia, etc running rampant) to botting wise it was problematic.
I am glad I distanced myself from it the moment there was extremely rapid inflation (going from 10% inflation in 3 months to 100% inflation in 2 months). In total I got like 4k profit with 20k turnover. Not a bad journey..
"The most powerful stealer"
*It can't even grab Discord tokens correctly.*
(I know it from one person that I've targeted and took down their stealers)
at 8:04 at the top of cmd prompt you can see it says "isVM: no" xD
open-source malware is kind of based
im still waiting for GNU stealer
@@jimmlmao gst/gstr?
@@jimmlmao BSD Borrower
@@tryrexm KRetrieve
maybe it's called "Blank Grabber" because it puts the data in a folder with an invisible name.
im pretty sure its supposed to be named after the username of the creator, blank-c
@@Noratekki Oh, that makes sense
Mama Mia! My Italian countryball collection is at a-risk!
You got one piece of info wrong. Blank grabber injects itself into Discord only for capturing Discord related data like added payment data, changed password and login token. It does not use Discord injection to get persistence on the system and uses, like most stealers, the auto start folder to stay on the system. If you remove the stealer from the auto start folder, the stealer is also gone, and only the Discord injection stays, which keeps monitoring Discord for passwords, payment info and new tokens.
10:25 there's just a rarreg.key file right there lmao (winrar activator)
They even give a free WinRAR key. how nice of them.
i had a guy grab all my info using this and had to pay 60 pounds to get it back. it was quite a scary thing and it was disguised as a tweak pack
yea if the wrong ppl get this in their hands it's just going to be used for abuse, that's crazy. i got grabbed once too!
stealers are getting more and more popular bc of ppl stupidity
thanks for getting rid of the background music again
man what are you talking about. The background music kinda perfects it. I'm sad he changed to this from his last couple uploads.
@@yonice got his ass 🤣
my favorite thing i do is having a windows service that creates a bunch of fake processes of different debuggers to give myself some peace of mind (despite the fact i dont just download random software)
how do you do that
@@Nick-yy7zs its just a basic set of programs written in c that immediately suspend themselves that are named after debuggers. and the windows service is just a manually created service that runs on boot
Hey Eric, I know this is not at all related to this video, But it would be cool if you could show off how to hide a virtual machine from programs that it is a virtual machine. I am using windows and am trying to run Fortnite on an emulator but EAC prevents the use of virtual machines.
He made a video a little while back on this. For your use case, give up. EAC is kernel level, and spoofing it would be hell (and would 100 % get your account banned)
@@EZX280 Not for my account
@@EZX280 look for VFIO.
If anyone has figured out how to, it's the Linux VFIO community
Could you make a video on how to protect browser cookies and or session tokens?
the true best way to protect yourself is to not download sketchy files and listen to windows defender/smartwall when they warn you 😊
@@slpyOb WD is the easiest AV to bypass, even Malwarebytes is easier to bypass
I use brave though so its chromium based and I like brave
When I got hacked Windows never told me anything, and how I got hacked was from remote desktop and a UAC bypass by a GitHub (file from git pulling) that has now been taken down. I've always scanned files, but now since that happened I scan my computer at least 4 times a week, even when downloading from official sites like Microsoft, just in case 😁
@@thetrueshadow9227 brave sucks. Watch Someordinarygamers' video on it.
I'd love to see a video on setting up a new Windows PC and the best programs to keep it safe. Your expertise would be super helpful, especially for those just starting out with IT and PCs. There aren't many legit videos on that topic, so yeah.
If you're not on linux already, you've already lost. Windows only belongs in controlled environments such as VMs.
There is a reason I am not on Linux. At least for me there are some games that don't work on Linux and some software that doesn't support Linux entirely. For example, here is a software that doesn't support Linux that I use: Wallpaper Engine, and a game example is Dark and Darker. These don't work and probably never will (maybe Dark and Darker, but I will have to see), and some games detect VMs and whatnot, so it's impossible to run a VM to play some games that only support Windows. Plus Epic Games is not supported, so... I can't make games, nor is RPG Maker, another program I frequently use. (sorry for the rant on this)
@@thetrueshadow9227 Yeah, compatibility issues ARE a real hassle. Thanks for sharing your experience!
Hey, thanks for making a video on this, I'm the server manager for a server with over 130k members on Discord, we experience the problem of members being sent viruses and the biggest amount of them are blank-grabber. We usually delete the webhook on it by simply getting the webhook from the code of the virus.
what server?
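The comment above (and the earlier thread about simply deleting the grabber's webhook) describes the usual takedown step: pull the webhook URL out of the decompiled sample and delete it. The script below is an added example written for this page, not code from the video or from the stealer's repository. It assumes the sample has been decompiled or dumped to text first, uses Discord's documented behaviour that a `DELETE` on the webhook URL itself (no other auth) removes the webhook, and ships in dry-run mode by default. The sample source strings and the webhook ID/token in them are constructed placeholders. It also demonstrates the caveat raised in the thread: a grabber relaying through a custom domain yields nothing for the regex, so there is no webhook to delete.

```python
import re
import urllib.error
import urllib.request

# Discord webhook URL shape: stable/ptb/canary host, optional API version, numeric id, token.
# The legacy discordapp.com host is still accepted by Discord, so it is matched as well.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)

# Constructed stand-in for decompiled grabber source (placeholder id/token, not real).
SAMPLE_SOURCE = """
WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN_abc-123"
BACKUP  = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN_abc-123"
INVITE  = "https://discord.com/invite/example"
"""

# Constructed stand-in for a variant that relays through the attacker's own backend
# (the case from the thread where webhook deletion does not help).
RELAY_SOURCE = 'WEBHOOK = "https://relay.example.invalid/collect.php"'


def extract_webhooks(text):
    """Return the unique Discord webhook URLs found in decompiled source or `strings` output."""
    found = []
    for match in WEBHOOK_RE.finditer(text):
        url = match.group(0)
        if url not in found:
            found.append(url)
    return found


def delete_webhook(url, dry_run=True):
    """DELETE the webhook. Discord answers 204 when it is gone, 404 if it never existed
    or was already removed. Returns the HTTP status, or None when dry_run is set."""
    if dry_run:
        return None
    req = urllib.request.Request(url, method="DELETE")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_SOURCE):
        print("found:", hook, "->", delete_webhook(hook, dry_run=True))
    print("relay variant yields:", extract_webhooks(RELAY_SOURCE))
```

Run it on the text of a dumped sample; flip `dry_run=False` only once you have verified the URL belongs to the sample you analysed, since the same request works against any webhook whose token you hold.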
Man if i saw this when i was like 13 14 i would go wild
im 13 and im going wild :DDD
@cybr08 self incrimination mhm
@@YazzTheDev huh i dont use that shit anymore
Eric, on a old cd from a old czech click! Magazine i found a trojan, if i send it to ya will you review it?
If he doesn't see this comment, I'd email them asking if they want it
That could be interesting, you can send via email.
Is possible that it's a false positive.
@@EricParker ESET flags it as a trojan, it even shows the trojan's name but I don't remember it. btw the CD is from 2006
stealer infects discord? yeah they tend to do that
The stealer has a new GitHub which is where it is continued btw
A question: if you change your Windows user to one of the blacklisted usernames, will that mean the stealer will not proceed?
for example, my PC name is blahblah123 and one of the blacklisted ones is ralphs-pc
theoretically, if I change my name to ralphs-pc does that mean the stealer no longer affects me?
against this specific sample yes. The problem is those blacklists are not all that consistent.
Same idea as cyberscarecrow. Anti analysis isn't all that consistent.
so im guessing using blank grabber is safe with a vm but its dangerous asf pretty much
the John's are celebrating right now
The Discord uninstaller does rather messy uninstallations, so simply just uninstalling Discord might've worked for this stealer, but more nefarious stealers might persist in a file that doesn't get wiped by the uninstaller. Would definitely recommend deleting the discord folders in "%AppData%" *AND* "%LocalAppData%" (Discord stores stuff in both these locations).
Even then, it would need to hook itself back into discord so it could be executed again... Maybe the malware could make a task to reinstall itself once the uninstaller is executed and then delete said task once discord is back on the machine but it's definitely not that stealthy.
@@someguy9175 As I said, Discord's uninstaller is messy and leaves lots of files behind that the malware can inject to and will allow it to persist past a regular uninstallation.
The index.js file shown in the video isn't the only file that can be injected to.
Genius! I'm going to get my cookies deleted and have to log in every time!
Bravo, bravo.
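The thread above argues about whether uninstalling Discord is enough, and points out that the injected `index.js` is only one of the files the client leaves behind. A quick defender-side check is to compare the `discord_desktop_core` `index.js` files under `%AppData%` and `%LocalAppData%` against the stock content. The script below is an added example for this page, not code from the video or from Discord. It assumes (labelled in the code) that a stock `index.js` in that module is the single line `module.exports = require('./core.asar');`; verify that against a clean install before trusting the result. The `self_check` function builds a constructed directory tree in a temp folder so the scan logic can run on any OS.

```python
import os
import tempfile
from pathlib import Path

# Assumption: Discord's stock discord_desktop_core/index.js is exactly this one line.
# Confirm against a freshly installed client before relying on it.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');"


def is_clean_index_js(content):
    """True when the file body is the stock one-liner (surrounding whitespace ignored)."""
    return content.strip() == CLEAN_INDEX_JS


def discord_roots():
    """Candidate Discord folders under %AppData% and %LocalAppData% (Windows only)."""
    roots = []
    for var in ("APPDATA", "LOCALAPPDATA"):
        base = os.environ.get(var)
        if not base:
            continue
        for name in ("Discord", "discord", "discordptb", "discordcanary"):
            candidate = Path(base) / name
            if candidate.is_dir():
                roots.append(candidate)
    return roots


def find_modified_index_js(root):
    """Return every index.js inside a discord_desktop_core module directory
    whose content is not the stock line. Unreadable files are skipped."""
    flagged = []
    for path in Path(root).rglob("index.js"):
        # Module dirs look like discord_desktop_core-<n>/discord_desktop_core/
        if not any(part.startswith("discord_desktop_core") for part in path.parts):
            continue
        try:
            body = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if not is_clean_index_js(body):
            flagged.append(path)
    return flagged


def self_check():
    """Constructed Discord-like tree in a temp dir: one clean module, one with extra
    code prepended to index.js. Returns flagged paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        modules = root / "app-1.0.0" / "modules"
        clean = modules / "discord_desktop_core-1" / "discord_desktop_core"
        tampered = modules / "discord_desktop_core-2" / "discord_desktop_core"
        clean.mkdir(parents=True)
        tampered.mkdir(parents=True)
        (clean / "index.js").write_text(CLEAN_INDEX_JS + "\n", encoding="utf-8")
        # Constructed stand-in for a modified file: the stock require survives,
        # but code has been added in front of it.
        (tampered / "index.js").write_text(
            "const https = require('https');\n// constructed extra code\n"
            + CLEAN_INDEX_JS + "\n",
            encoding="utf-8",
        )
        return [p.relative_to(root).as_posix() for p in find_modified_index_js(root)]


if __name__ == "__main__":
    for root in discord_roots():
        for hit in find_modified_index_js(root):
            print("modified:", hit)
    print("self-check flagged:", self_check())
```

A flagged file is a reason to wipe both Discord folders the thread names and reinstall, rather than to edit the file by hand, since the other leftovers the uninstaller skips would still be there.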
Hi Eric, I haven't been here for too long, but I can already say your channel is the best on YouTube. I enjoy your content a lot and it's great that you're posting more frequently.
*Discord* is a mine field of 'em.
*Discord's* not far from how *Facebook* was in the early 2010s nowadays.
please use dark mode
no it's less readable
lol fr, my eyes are already itchy cuz im sick.
@@JessicaFEREM the windows is zooming like 150% rn
@@JessicaFEREM mfr got astigmatism and making it our problem.
Got to get used to those flashbangs somehow.
as far as I know "John-PC" is some kind of sandbox from, I think it was, Avast
"most powerful" :^)
you mean Shouko :^)
I like waking up 10 minutes earlier (so I can eat breakfast), then Eric posts. W MORNING
It's good, but getting the webhook is way too ez from Process Hacker 2
im guessing you search the strings or sum? cus i been trying to get the webhook of one.
Jo, buddy. This discord stealer is using almost the same code to bypass UAC as the malware in the other video of yours called "Remote Control Any PC With Discord".
but instead of an "If/else", it's using "case". And now I am trying to block any outside access to my "%localappdata%\discord" directory, brb. I wonder, if I can pull that off.
hey, my HitmanPro scan when I boot up my PC tells me my userinit.exe file is suspicious and it's 128 KB large. is that normal? if I scan it with something else it says it's fine
@@wlanverbot it should go away after a reboot. You can also check the details to see what it is being detected as and by what AV engine, if available
It's sad seeing all the bots in Growtopia. Shame Hamumu hates the game so we wont see Seth and Hamumu working on it after they sold the game to Ubisoft Abu Dhabi..
any ways to hide Process Hacker from other software?
rename the process lol
@@Luna5829 you got brains i could NEVER have guessed that
@@Luna5829 how you do that?
rename the file lol
I asked specifically for bandicam coz i know how to debug without use of titanhide to hide debugger detection
they really said "Most Powerful"
I was just playing growtopia and the servers went down lol
That game is still alive??
@@jeevacation It indeed is, filled with bots from Indonesia and other third world countries.
@@jeevacation The servers are constantly down and flooded with bots, the game's currency is fucked and inflation is pretty bad, over 80% of active players are bots or casino hosters and the devs don't give a fuck, since the game is owned by Ubisoft, since 2017.
@prodfulcrum16 yeah it was good when S&H had it, ubisoft ruined it by milking it.
I remember seeing new locks all the time lol
I think I first played it in '15 or '16
@@jeevacation yeah, it brings me a tear imagining how the game was around 2013-2016, since I started playing in 2013 christmas being 7 years old :D
not the browser history 😭we must leave
i wanna know what software you use to check the internet stuff that happens, if you even use one, of course
The software that is shown in the video is the web interface of "mitmproxy" software.
oh, thanks
Mitmproxy or wireshark
What anti malware/virus program do you use or suggest?
A user is the best anti virus.
not downloading sketchy shit
1.) dont be an idiot.
2.) windows defender
3.) seriously, just pay the fuck attention to what the fuck you're doing
@@hahahahaha7237 Single handedly the best response for this type of question.
@@hahahahaha7237possibly the best answer I’ve ever seen to this question
The good thing about black hats installing VMware protection is they can't hit you if you're using a VM as your main
Or make your main install look like a vm
@@grisu1934 I thought same
@@grisu1934 no, bad idea, games with anti cheats (BattlEye) will ban you.
to add, this will not work if you have to do school, lock down browser.
making bare metal look like a vm will cause more issues than its worth.
It will not protect you from malware
@@XioJN well 1. It was obviously a joke 2. If your school requires software invasive enough to have anti-VM your school is shit anyway 3. Yes, it does protect you from malware with anti-VM if you do it well enough
Does this work on Linux?
Stealers like this? Generally no, since they often rely on Windows specific DLLs via ctypes, or the win32 library for a lot of their functionality.
But that doesnt mean Linux is safe from it. Someone absolutely could write a stealer that works in both places.
It's just significantly less likely that you'd find one due to the nature of most Linux users literally never using random binaries lol
In the eyes of most stealer devs, they find it easier to target more gullible and susceptible people (Windows Users)
And not as worth it to target Linux which requires different methods for a lot of the same functionality, with diminishing returns.
@@lol-w4r It's so dumb - write a stealer in Python, and they made it rely on ctypes. Whoever made this seriously denied the choice to make it cross-platform and still wrote it in Python lol
@NoTextToSpeech your time
fr i didnt see ur comment, but i said he should try to do a collab lol
oh, yt notifications actually work
FOR REAL
What the open source
babe, wake up eric parker posted a video
This thumbnail AB testing is getting annoying. Saw this on my homepage earlier with a different more green thumbnail, but I didn't have much free time just setting up a playlist for the drive...now when I come back I have to scroll and scroll just to find out the green thumbnail I was looking for is gone and its white now. I didn't avoid clicking earlier because of the thumbnail, it was just a free time thing. But now YT takes this info as the new thumbnail got me to click.
Thank you so much for making the video❤
Very scary indeed. That’s why I always avoid logging into things I don’t really need on windows. Can’t steal login cookies or session tokens that don’t even exist 🤓
you havent heard of growtopia??????
Not everybody on the Internet is a 12 y/o Roblox kid. We have better things to do
@@electricz3045 Growtopia was released in like 2012 though, lmao. And it was fairly popular up until around 2018-2020.
The reason it was checking for passwords for that game was because the scene basically had a black market and irl trading scheme where accounts and stuff were being sold for real money.
That's still going even today as far as I know.
@@electricz3045 i'm not a 12 year old roblox kid and i've heard of it lol
had you ever used android a few years back you'd have been recommended it
@@eIixi I installed it, how do I remove his grabber? pls I'm scared
guys I installed blank grabber, how do I remove it?
plssss help
i open it
i aint helping you lil bro 😭
@@qNitr0-r2n re-install your windows and change all your passwords and credentials lol, nothing is saving u
@@vazikismir7536 so blank grabber now has all my data?
Hello! How does the NightfallGT/Lunar Grabber work? Nice vid btw
Growtopia mentioned no way
growtopia😎😎
haha blank grabber detected
The goat back at it again
Bro chill with the uploads
You should try to collab with @NoTextToSpeech to explain this and how to detect it and how to avoid it, although he will probably make a video on his own as soon as he finds out about this stealer
it's been out since 2021 lmao
you avoid it by not downloading junk.
he only makes a video when its a new "type" of stealer
Why eric u looking forward to every thing im using :((
you suck
exposed
NTTS mentioned, let's goo
Good vid
w video
15th
1M subs soon
Part timer
Jynxzi fell off
yay
Thanks
thanks andrew tate
I've been using this for 4 years now😆
Skid.
@@NullByte-p5u frr
jump ❤
add some chill background music to these videos
man what are you talking about. The background music kinda ruins it. I'm glad he changed back from his last couple uploads.
It takes away from the minor mic cutouts that I live for
zoomer
@@KoDi82 it was just a suggestion as the context of these videos is interesting but the delivery can be rather boring, some sound other than plain talk definitely improves the atmosphere, though im not gonna argue with youtube comment warriors
Powerful, no kidding.
"Akeo Consulting" should be Rufus' signature.
Growtopia is a pretty old mobile MMORPG acquired by Ubisoft who did not care enough to patch the issue that the "save.dat" (practically the login token) is saved in an unsecured state to the game directory. These accounts still sell for some money on the game's black market, so it makes some sense to have it check that way.
is this safe to download?
no
... bruh did u watch this video or no??
if you use it go on to a VM
@@Ye_owio I already have another GOOD stealer, I was just asking.
@@KUIJEN8659 What stealer do you use?