Full Report
Grixba is a custom infostealer developed by the Play ransomware group using Costura (a .NET tool for embedding dependencies into a single executable). It was publicly disclosed in 2023 but originally dates back to 2022. It harvests information such as installed software, user credentials, cryptocurrency wallets and messaging app data.
Analysis Summary
# Tool/Technique: Grixba
## Overview
Grixba is a custom, in-house information stealer and network scanner developed and utilized by the **Play Ransomware Group**. Developed using the .NET framework and the **Costura** assembly embedding tool, Grixba is designed to perform comprehensive reconnaissance on a victim's network prior to the final encryption phase. It maps security software, backup systems, and remote management tools while harvesting sensitive user data.
## Technical Details
- **Type:** Malware Family (Infostealer / Network Scanner)
- **Platform:** Windows (.NET Framework)
- **Capabilities:** Network reconnaissance, host enumeration, credential harvesting, sensitive file exfiltration.
- **First Seen:** 2022 (Publicly disclosed in 2023)
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
  - [T1012 - Query Registry]
  - [T1018 - Remote System Discovery]
  - [T1518.001 - Software Discovery: Security Software]
- **[TA0009 - Collection]**
  - [T1539 - Steal Web Session Cookie]
  - [T1555 - Credentials from Password Stores]
- **[TA0010 - Exfiltration]**
  - [T1567 - Exfiltration Over Web Service]
## Functionality
### Core Capabilities
- **System Enumeration:** Lists installed software, including security tools (AV/EDR/XDR), Backup solutions, and Remote Monitoring and Management (RMM) software.
- **Credential Theft:** Targets user credentials, web browser data, and messaging application information.
- **Cryptocurrency Harvesting:** Scans for and collects data related to cryptocurrency wallets.
- **Network Scanning:** Maps machines and users across the compromised environment via WMI and WinRM.
### Advanced Features
- **Architectural Evolution:**
  - **v1/v1.5:** Monolithic builds focused on scanning breadth.
  - **v2:** Shifted to a modular design using an XOR-encrypted payload (`inf_g.dll`) hidden in a `data.dat` file to evade detection. Migrated output from CSV to a SQLite database (`ExportData.db`).
  - **v3:** Strategic regression to a smaller, "stripped" build (118 KB) to reduce the forensic footprint and bypass signature-based detection after public analysis.
- **Evasion:** Impersonates legitimate software by forging PE metadata strings (e.g., mimicking SentinelOne).
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb` (v1 Baseline)
  - `c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c` (v1.5 Network Scanner)
  - `f8810179ab033a9b79cd7006c1a74fbcde6ed0451c92fbb8c7ce15b52499353a` (v2 Modular Build)
  - `3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94` (v3 Stripped Build)
- **File Names:** `GT_NET.exe`, `inf_g.dll`, `data.dat`, `ExportData.db`, `export.zip`, `data.zip`
- **Path:** `C:\Users\Public\Music\`
- **Network Indicators:**
  - IP: `84[.]239[.]41[.]12`
  - Onion Address (defanged): `x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd[.]onion`
- **Behavioral Indicators:** Execution via RDP; use of WMI/WinRM for lateral enumeration; creation of ZIP archives in public folders.
## Associated Threat Actors
- **Play Ransomware Group (also known as PlayCrypt)**
## Detection Methods
- **Behavioral Detection:** Monitor for mass system/software enumeration via WMI and registry queries originating from non-standard paths like `C:\Users\Public\Music\`.
- **Anomalous Process Activity:** Watch for .NET executables that use Costura to load embedded DLLs in memory, followed by rapid file collection and compression.
- **Metadata Inspection:** Look for forged PE metadata (e.g., SentinelOne strings) on unsigned binaries.
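The following script is an added example, not code from the report or from any vendor tooling. It applies the file hashes, file names, staging path, forged-metadata and archive-creation indicators listed above to Sysmon-style process-creation and file-creation records. The record field names (`image`, `sha256`, `company`, `signed`, `target`) are assumptions modelled loosely on Sysmon event 1 and event 11; in particular, the `signed` field assumes the sensor reports Authenticode status alongside the event, which stock Sysmon event 1 does not. The sample records are constructed, not real telemetry.

```python
"""Triage helper for the Grixba indicators in this report (added example).

Applies the report's IoCs and behavioural detections to constructed
Sysmon-style records. Field names are assumptions, not a real log schema.
"""
import ntpath
from dataclasses import dataclass

# SHA256 hashes and file names quoted in the report's IoC section.
GRIXBA_SHA256 = {
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb": "v1 Baseline",
    "c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c": "v1.5 Network Scanner",
    "f8810179ab033a9b79cd7006c1a74fbcde6ed0451c92fbb8c7ce15b52499353a": "v2 Modular Build",
    "3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94": "v3 Stripped Build",
}
GRIXBA_FILENAMES = {"gt_net.exe", "inf_g.dll", "data.dat", "exportdata.db", "export.zip", "data.zip"}
STAGING_DIR = r"c:\users\public\music"   # staging path named in the report
PUBLIC_DIR = r"c:\users\public"          # public folders where archives were created


@dataclass
class Event:
    kind: str             # "process" (event 1 style) or "file" (event 11 style)
    image: str            # image path of the process (or of the creating process)
    sha256: str = ""      # SHA256 of the image, as the sensor reports it
    company: str = ""     # CompanyName from the PE version resource
    signed: bool = True   # assumption: sensor supplies Authenticode status
    target: str = ""      # created file path, for "file" events only


def _under(path, directory):
    """Case-insensitive check that path is directory itself or lies beneath it."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def check_event(ev):
    """Return the list of Grixba indicators an event matches (empty list = no hit)."""
    hits = []
    if ev.sha256.lower() in GRIXBA_SHA256:
        hits.append("known Grixba hash (%s)" % GRIXBA_SHA256[ev.sha256.lower()])
    # Known file names: the process image, and for file events the created file too.
    names = {ntpath.basename(ev.image).lower()}
    if ev.kind == "file":
        names.add(ntpath.basename(ev.target).lower())
    for n in sorted(names & GRIXBA_FILENAMES):
        hits.append("Grixba file name: " + n)
    if ev.kind == "process" and _under(ntpath.dirname(ev.image), STAGING_DIR):
        hits.append("execution from staging path " + STAGING_DIR)
    # Forged PE metadata: vendor string claims SentinelOne but the binary is unsigned.
    if ev.kind == "process" and "sentinelone" in ev.company.lower() and not ev.signed:
        hits.append("unsigned binary claiming SentinelOne in PE metadata")
    if ev.kind == "file" and ev.target.lower().endswith(".zip") and _under(ev.target, PUBLIC_DIR):
        hits.append("ZIP archive written under " + PUBLIC_DIR)
    return hits


def triage(events):
    """Map each suspicious event's image (or created file) to its indicator hits."""
    result = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            result[ev.image if ev.kind == "process" else ev.target] = hits
    return result


# Constructed sample records: one Grixba-like execution, one benign process,
# one archive drop in the public folder, and one benign archive elsewhere.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\Public\Music\GT_NET.exe",
          sha256="3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94",
          company="SentinelOne", signed=False),
    Event("process", r"C:\Windows\System32\svchost.exe",
          sha256="0000000000000000000000000000000000000000000000000000000000000000",
          company="Microsoft Corporation", signed=True),
    Event("file", r"C:\Users\Public\Music\GT_NET.exe",
          target=r"C:\Users\Public\Music\export.zip"),
    Event("file", r"C:\Program Files\7-Zip\7z.exe",
          target=r"C:\Users\alice\Documents\report.zip"),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(key)
        for h in hits:
            print("  -", h)
```

The hash and file-name rules are exact-match IoCs and will miss rebuilt samples; the staging-path, forged-metadata and public-folder-archive rules are the behavioural checks the report recommends and are the ones worth carrying into a SIEM query.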
## Mitigation Strategies
- **Network Segmentation:** Limit lateral movement capabilities by restricting WMI and WinRM traffic to authorized management consoles.
- **Access Control:** Enforce the principle of least privilege and restrict access to `C:\Users\Public\` directories where possible.
- **Endpoint Hardening:** Disable unnecessary administrative shares and monitor RDP sessions for suspicious outbound file transfers or tool deployments.
## Related Tools/Techniques
- **Costura:** Used for bundling .NET dependencies.
- **AlphaVSS:** Utilized in companion tools for Volume Shadow Copy manipulation.
- **Cobalt Strike:** Often used by the same actor for initial stages prior to Grixba deployment.