Grixba Deep Dive: Tracking 26 Months of Play Ransomware's Custom Scanner Evolution
Posted in: Malware Analysis | Threat Intelligence | Ransomware
Research Credit: The foundational analysis and sample-level findings in this article are based on original research by RakeshKrish published at The Raven File on June 8, 2026. This post expands on that work with additional context, defender guidance, and structured analysis for practitioners. All credit for the sandbox execution findings, MITRE profiling, and version comparison framework belongs to the original researcher.
Table of Contents
- Introduction: Why Play Ransomware Matters
- What Is Grixba?
- The Four Samples: SHA-256 Hashes and Timeline
- Size Analysis: The Bloat-and-Shrink Strategy
- Version-by-Version Feature Breakdown
- v1 → v1.5: Adding the Network Scanner
- v1.5 → v2: The Full Modular Overhaul
- v2 → v3: Strategic Regression for Evasion
- What Does Grixba Actually Hunt For? (Scanner Targets)
- MITRE ATT&CK Analysis: What the Sandbox Revealed
- The Mutex: CPFATE_2704_v4.0.30319
- Capability Verdict: Which Version Is Most Dangerous?
- Weakness Analysis: Where Defenders Can Win
- The DPRK Connection
- Detection Strategy and Hunting Guidance
- IOC Reference Table
- Conclusion
1. Introduction: Why Play Ransomware Matters
Play Ransomware is one of the most persistent and consistently active ransomware groups operating today. Since first appearing in 2022, the group has compromised more than 1,200 victims globally, with a heavy geographic focus on the United States (900+ victims), Canada, and the UK. The sectors most targeted include manufacturing, business services, and technology companies — organizations with high operational dependencies and low tolerance for downtime.
What separates Play from many ransomware-as-a-service (RaaS) operations is their investment in custom tooling. Most ransomware affiliates rely on commodity tools — off-the-shelf RATs, leaked builders, and publicly available post-exploitation frameworks. Play built their own. And one of those custom tools — a .NET-based infostealer and network scanner called Grixba — gives us a rare window into the operational maturity and evolving tradecraft of a sophisticated ransomware actor.
This article provides a practitioner-focused deep-dive into four versions of Grixba sampled across 26 months, from September 2022 through November 2024. The goal is not just to catalog indicators — it is to understand the reasoning behind each architectural change, identify persistent detection opportunities that survive version upgrades, and give defenders the context they need to build durable hunting rules rather than fragile signature-based detections.
2. What Is Grixba?
Grixba is a custom-built infostealer and network reconnaissance tool developed by the Play Ransomware group. It is written in .NET and was initially distributed as a single-executable binary packed using Costura — a .NET utility that embeds all assembly dependencies into a single portable EXE.
The tool's primary purpose is pre-encryption intelligence gathering. Before Play deploys its ransomware payload, Grixba is used to map everything relevant on the compromised network:
- Installed security software (AV, EDR, XDR products)
- Backup solutions and remote management tools
- Active user accounts and machine inventory
- Cached Remote Desktop Protocol (RDP) sessions
- Cryptocurrency wallet data
- Messaging application data
- Browser history (in v1.5 specifically)
- User credentials
The intelligence gathered by Grixba directly informs the ransomware operators' decisions about which systems to encrypt, which security tools to disable first, and which backup systems need to be wiped before the encryption phase begins. This is not opportunistic scanning — it is structured, deliberate pre-attack reconnaissance.
Grixba was first publicly identified in 2023, with CISA and the FBI referencing it in advisory AA23-352A and Symantec classifying it as Infostealer.Grixba. The original research by RakeshKrish at The Raven File is the most comprehensive multi-version analysis of this tool published to date.
3. The Four Samples: SHA-256 Hashes and Timeline
The analysis covers four distinct samples compiled across a 26-month window:
| Version | Approx. Date | Size | SHA-256 |
|---|---|---|---|
| v1 (Baseline) | September 2022 | 164 KB | 453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb |
| v1.5 (Network Scanner) | November 2022 | 175 KB | c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c |
| v2 (Full Modular) | May 2023 | 727 KB | f8810179ab033a9b79cd7006c1a74fbcde6ed0451c92fbb8c7ce15b52499353a |
| v3 (Stripped/Staged) | November 2024 | 118 KB | 3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94 |
The v1.5 label requires a note: this November 2022 sample is listed by CISA/FBI advisory AA23-352A as the "Play network scanner / Gt_net.exe" and by Symantec as Infostealer.Grixba. It sits seven weeks after v1 and predates the v2 architectural overhaul by approximately six months — consistent with an iterative build that added network scanning capability before the full modular redesign.
Together, these four samples tell a coherent story: rapid capability expansion, followed by a deliberate architectural regression. The binary grew from 164 KB to 727 KB across the first three versions, then was deliberately cut back to 118 KB — smaller than the original baseline. Each phase reflects a specific operational objective.
4. Size Analysis: The Bloat-and-Shrink Strategy
v1 → v1.5: +11 KB (+6.7%)
A minor but meaningful bump compiled just seven weeks after the baseline. The v1.5 build expanded network scanning breadth — CISA's advisory explicitly labels this hash as the "Play network scanner," distinguishing it from the pure infostealer framing of v1. Additional host enumeration paths and a wider software detection list were added, but the monolithic architecture and Costura bundling were preserved.
v1.5 → v2: +552 KB (+315%)
The jump to 727 KB is the most dramatic in the series, driven by four concurrent changes happening simultaneously:
- XOR-encrypted modular payload (inf_g.dll / data.dat): All scanning logic was extracted into a bundled DLL, XOR-encrypted and stored as data.dat. Decoding at runtime requires an embedded base64 XOR key.
- SQLite database engine: Output migrated from flat CSV files to a structured
ExportData.dbdatabase, requiring bundling a database engine. - Forged PE version-info resources: The binary impersonates SentinelOne with fake metadata strings embedded in the PE header.
- Greatly expanded scan radar: 14+ new AV/EDR products, 15+ new RMM tools, and 5+ new backup vendors added to the detection target list.
Notably, v2 was compiled approximately three weeks after Symantec's public Grixba disclosure in April 2023. The operators were clearly watching detection research and responded with a substantially more evasive build within weeks.
v2 → v3: −609 KB (−84%)
The November 2024 sample is smaller than even the 2022 baseline at 118 KB. This is not simplification — it is intentional architectural regression driven by operational security lessons learned after 18 months of public analysis of v2.
After v2 was publicly documented by Symantec (April 2023), Field Effect MDR (January 2025), and CISA (June 2025), the v2 IoC set became widely distributed: the 727 KB size, ExportData.db, data.dat, inf_g.dll, and the SentinelOne PE metadata became well-known hunting signatures.
v3 sidesteps all of these in a single architectural move: by stripping the bundled database engine and moving the heavy scanning logic into a separately-delivered module, the dropper binary becomes dramatically smaller, carries fewer static indicators, and evades size-based and hash-based signatures tuned for v2. The scanning payload can now be staged and delivered on demand.
Critical Defender Note: YARA rules, size thresholds, and file-name detections built for the v2 pattern (727 KB, ExportData.db, inf_g.dll, SentinelOne metadata) will silently miss v3. Defenders must pivot to behavioral detections: WMI/WinRM enumeration patterns, the C:\Users\Public\Music\ drop path, and PIA VPN egress — which remain consistent across all four versions.
5. Version-by-Version Feature Breakdown
v1 → v1.5: Adding the Network Scanner
Added: Network Scanner Mode (Explicit Host Scanning)
v1.5 expands Grixba's enumeration to include active host discovery across IP ranges, beyond just WMI enumeration. CISA labels it a "network scanner" alongside infostealer — it can now aggressively identify reachable hosts and services. This is the earliest confirmed use of host-range scanning in Grixba.
Added: Browser History Path Enumeration
CISA published Snort detection rules for this hash that trigger on a chain of nine SMB-accessed web browser history paths (GRXBA_webhist_path_1 through _9). v1.5 added browser history collection — scanning for Chrome, Firefox, Edge, and Internet Explorer history databases accessible over SMB.
Added: Wider Software Enumeration List
The 11 KB size increase is consistent with additional string tables covering security products not present in v1's scan list, while not yet reaching the full breadth of v2's expanded radar.
Retained: Monolithic architecture, CSV output (alive.csv, soft.csv, wm.csv, etc.), WinRAR-compressed export.zip without password protection. The modular XOR-encrypted DLL architecture and SQLite database output are not present yet.
v1.5 → v2: The Full Modular Overhaul
Added: XOR-Encrypted Modular Architecture
v2 extracts all scanning logic into inf_g.dll, XOR-encrypted and bundled as data.dat. At runtime, Grixba decodes data.dat using an embedded base64 XOR key to recover inf_g.dll, which hosts the inf_g.Core.CoreScanner class. Static analysis of the EXE alone reveals no scanning logic. It also means the operators can update the payload (inf_g.dll) independently of the dropper (GT_NET.exe).
Added: PE Masquerading as SentinelOne
The v2 binary is named GT_NET.exe with PE version-info forged to display as "SentinelOne Compatibility Wizard" version 1.1.6.0. This exploits defender trust in recognizable security tool names in Task Manager and basic triage — and the irony of impersonating one of the very products the tool is designed to detect is operationally deliberate.
Added: SQLite DB Output — ExportData.db
All reconnaissance output is consolidated into a single structured database with 18 tables: active hosts, browser history, installed software, processes, session information, network routes, cached credentials, and more. This eliminates the eight named CSV files that were prominent hunting artifacts in v1/v1.5.
Added: Obfuscated-Password Archive (data.zip)
v2 produces a password-protected data.zip. The password displayed at runtime is not the actual decryption password — it must be combined with the hard-coded GUID E8B10161-0849-4984-A6BF-3D1B267615CC- found in inf_g.dll to derive the real password. Capturing the console output alone is insufficient to open the archive.
Added: C2 via PIA VPN (84.239.41.12)
v2 communicates with a Private Internet Access (PIA) VPN exit node for anonymized exfiltration. v1 and v1.5 had no dedicated C2 infrastructure.
Added: Massively Expanded Scan List
New AV/EDR additions include CrowdStrike, SentinelOne, Carbon Black, Morphisec, MVISION, WithSecure, WatchGuard, FireEye, F-Secure, Heimdal, HitmanPro, VIPRE, DeepArmor, and Dr.Web. New RMM additions include NinjaOne, Kaseya VSA, ConnectWise, BeyondTrust, GoTo Resolve, Splashtop, Atera, Zoho Assist, Action1, Pulseway, DameWare, and Radmin. IDrive, Synology C2, and Dropbox added to backup vendor coverage.
v2 → v3: Strategic Regression for Evasion
Regressed: SQLite Engine Removed
The SQLite engine was the largest single contributor to v2's 727 KB size. v3 drops it entirely. Output returns to a compressed archive, retaining the password protection mechanism from v2.
Regressed: Payload Delivery Externalized
In v2, the XOR-encrypted inf_g.dll was carried inside data.dat alongside the EXE. v3 externalizes the scanning logic entirely — the dropper is now a lean loader stub that pulls the scanning payload as a separate stage. This makes the dropped EXE far smaller and removes data.dat as a detection artifact.
Regressed: SentinelOne PE Metadata Dropped
The elaborate SentinelOne version-info block is removed or significantly simplified. The GT_NET.exe filename convention is retained as a lighter-weight naming disguise, but the PE metadata that was the most-published static signature from v2 is gone.
Regressed: Costura Dependency Bundling Reduced
v3 drops below v1's baseline (118 KB vs 164 KB), which is only achievable by removing or drastically reducing Costura bundling. Dependencies are resolved at runtime via the target environment's .NET Framework installation.
Regressed: Expanded Scan List Trimmed to Core Targets
The aggressive v2 expansion is dialed back. Core targets (CrowdStrike, SentinelOne, Microsoft Defender, Veeam, TeamViewer, AnyDesk) are retained as the highest-value detections. Products added in v2 that proved rarely encountered in target environments are removed.
Retained across all versions:
- Core WMI/WinRM/Remote Registry/Remote Services enumeration
- Clr mode: EvtOpenLog/EvtClearLog log wiping (anti-forensics)
C:\Users\Public\Music\drop path via RDP- Password-protected ZIP exfiltration (from v2 onward)
6. What Does Grixba Actually Hunt For?
Grixba's scanning targets fall into three categories: security products (AV/EDR), remote management tools (RMM), and backup solutions. Understanding what it scans for tells us exactly which defensive gaps the Play operators are looking to exploit before they detonate ransomware.
Security Products Targeted (AV/EDR): Windows Defender, CrowdStrike Falcon, SentinelOne, Carbon Black, Morphisec, Symantec, Malwarebytes, Kaspersky, ESET, Bitdefender, Sophos, Trend Micro, McAfee/Trellix, MVISION, WithSecure, WatchGuard, FireEye, F-Secure, Heimdal, HitmanPro, VIPRE, DeepArmor, Dr.Web, and others.
Remote Management Tools Targeted (RMM): TeamViewer, AnyDesk, ConnectWise Control, NinjaOne, Kaseya VSA, BeyondTrust, GoTo Resolve, Splashtop, Atera, Zoho Assist, Action1, Pulseway, DameWare, Radmin, and others. These tools can be weaponized for lateral movement or hijacked for persistence.
Backup Solutions Targeted: Veeam, Acronis, Backup Exec, IDrive, Synology C2, Dropbox backups, Windows Backup, shadow copy utilities (Play also uses a separate AlphaVSS-based companion tool for VSS wiping). Knowing what backup tools are present helps operators plan targeted disruption before encryption.
The color-coded version tracking in the original research shows that v1 covered the core list in grey, v1.5 expanded it (purple additions), v2 dramatically broadened it (green additions), and v3 pruned the v2 additions back (red removals), retaining only the most consistently valuable targets.
7. MITRE ATT&CK Analysis: What the Sandbox Revealed
The original researcher conducted direct sandbox execution of all four binaries rather than relying solely on public reports. The MITRE ATT&CK findings reflect actual runtime behavior. A notable trend: technique count decreases across versions — v1 and v1.5 each triggered 12 techniques, v2 triggered 10, and v3 triggered only 8. The tool becomes progressively quieter with each version, generating fewer detectable behaviors as the architecture is simplified.
Key Findings from Sandbox Analysis
1. Architecture flip: x86 → x64 → x86
v1 and v1.5 are 32-bit (x86) binaries. v2 upgraded to 64-bit (x64). v3 reverted back to 32-bit. This is significant: 32-bit .NET processes run under WOW64 on modern 64-bit Windows, adding a translation layer that some EDR hooks do not cover as comprehensively as native 64-bit processes. The reversion to 32-bit in v3 may be deliberate evasion engineering.
2. EDR unhooking present in all four versions — but the method changed
Every version modifies ntdll.dll memory protection to PAGE_READWRITE to unhook EDR instrumentation. However, in v1 and v1.5, this is paired with direct syscalls from unbacked memory — a more aggressive technique that calls kernel functions directly, bypassing ntdll entirely. In v2 and v3, the direct unbacked syscall technique is absent. The developers traded raw aggression for cleaner execution in later versions.
3. AMSI and WLDP loaded in v1, v1.5, v2 — completely absent in v3
v1 through v2 load amsi.dll (Antimalware Scan Interface) and wldp.dll (Windows Lockdown Policy) from unbacked callers — indicative of bypass attempts before executing the managed payload. v3 loads neither. This is the single most significant behavioral change between v2 and v3, eliminating a class of alerts that the first three versions consistently triggered.
4. Identical self-read offset in v1 and v1.5 — codebase fingerprint
Both v1 and v1.5 read from their binary images at the same offset (0x3030785c3030785c), confirming they share the same Costura bootstrapper code and identical packing. This confirms a direct code lineage between the two versions.
5. v3 added new locale/language APIs — not in any prior version
v3 resolves LCIDToLocaleName, GetUserDefaultLocaleName, GetLocaleInfoEx, GetUserPreferredUILanguages, LocaleNameToLCID, and GetConsoleCP. Combined with the persistent en-US geofencing registry check present in all four versions, this suggests v3 expanded its locale-awareness — possibly to avoid execution in non-English-language environments, or to support new targeting criteria introduced alongside the DPRK partnership context.
6. v2 uniquely added timezone and shell APIs
v2 resolves RtlGetSystemTimeAndBias, GetDynamicTimeZoneInformation, and loads shell32.dll, tzres.dll, and related APIs. None appear in v1, v1.5, or v3 — consistent with v2's expanded reconnaissance scope and its 18-table ExportData.db structure, which required timezone-aware and shell folder enumeration capabilities.
Universal Detection Rule (All Four Versions)
The original research identifies a four-behavior chain confirmed present across every version from September 2022 to November 2024:
- Process modifies ntdll.dll to
PAGE_READWRITE - Registers a Vectored Exception Handler (VEH)
- Creates RWX (Read-Write-Execute) memory
- Checks registry key:
HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
Any process that executes this sequence in order is exhibiting Play's Grixba execution pattern. This is the most durable detection rule in the entire Grixba analysis corpus — it survives architectural changes, size regressions, and PE metadata changes across all four versions.
8. The Mutex: CPFATE_2704_v4.0.30319
A mutex named CPFATE_2704_v4.0.30319 was found in two of the four samples (v1 and v2). Breaking down the components:
- CPFATE: A custom operator-defined prefix. Not a Windows system mutex and not associated with any legitimate application.
- 2704: Likely a hardcoded build or version identifier, or a PID baked into the mutex name at runtime.
- v4.0.30319: The exact .NET Framework 4.0 runtime version string (
Microsoft .NET Framework 4.0.30319), suggesting the mutex is constructed programmatically as:"CPFATE_" + hardcoded_id + "_" + Environment.Version.ToString()
The implications for defenders and analysts are significant:
- Same author confirmed: Finding an identical custom mutex prefix across a September 2022 and May 2023 build confirms the same person or team developed both — v2 is a direct evolution, not a separate tool that was relabeled.
- Shared code lineage: The mutex creation code was carried forward verbatim from v1 to v2, confirming direct codebase inheritance.
- OpSec failure: Any EDR or hunting query looking for mutex creation events containing
CPFATEwill catch both v1 and v2 regardless of filename, PE metadata, or binary size changes. - .NET 4.x dependency confirmed:
v4.0.30319locks the runtime requirement — both samples require .NET Framework 4.x on the victim machine.
The mutex has not been observed in v1.5 or v3 analysis yet, but the pattern is a valuable hunting artifact for v1 and v2 detections.
9. Capability Verdict: Which Version Is Most Dangerous?
From an attacker's perspective, the original research concludes that v2 (727 KB, May 2023) is the strongest overall sample — it combines peak capability (ExportData.db with 18 intelligence tables, expanded scan list, encrypted modular architecture, anonymized C2) with moderate evasion. However, each version makes different trade-offs:
| Version | Capability | Evasion | Operational Agility | Best For |
|---|---|---|---|---|
| v1 | Moderate | Low | Low (monolithic) | Initial reconnaissance, simple targets |
| v1.5 | Moderate+ | Low | Low (monolithic) | Network-wide host discovery |
| v2 | High | Moderate | Moderate | Deep pre-encryption intelligence gathering |
| v3 | Moderate | High | High (staged) | Evading mature v2 detection stacks, varied deployment contexts |
v3's reduced capability is a deliberate trade-off — the operators accepted less detailed intelligence output in exchange for dramatically improved evasion of the detection ecosystem that had built up around v2 over 18 months.
10. Weakness Analysis: Where Defenders Can Win
Every version of Grixba has structural weaknesses that defenders can exploit. Some were fixed across versions. The weaknesses that remain unfixed across all four versions are the most important for building durable detection.
Weaknesses Fixed in Later Versions
- Plaintext export.zip (v1, v1.5): All CSV output immediately readable by incident responders. Fixed in v2 with password-protected data.zip.
- No PE metadata disguise (v1, v1.5): Binary easily identifiable as unknown with no legitimate cover story. Fixed in v2 with SentinelOne impersonation (then removed in v3).
- Console help screen revealing all modes (v1): Executing without correct arguments printed all supported modes and output file names. Obscured in v2.
- Browser history SMB paths triggering Snort rules (v1.5): Nine specific SMB access patterns to browser history databases were detectable at the network layer with published Snort rules.
- Hard-coded GUID enabling data.zip decryption (v2): The GUID
E8B10161-0849-4984-A6BF-3D1B267615CC-in inf_g.dll allows defenders who recover the sample to decrypt the exfiltration archive. Not fixed in v3. - 727 KB anomalous binary size (v2): Detectable by ML-based size/entropy heuristics. Fixed in v3.
- data.dat + inf_g.dll two-file deployment fingerprint (v2): A highly distinctive drop pattern. Fixed in v3 by externalizing the payload.
Weaknesses Persistent Across All Versions (Never Fixed)
- Drop path unchanged —
C:\Users\Public\Music\via RDP: Every single version of Grixba across 26 months has been dropped to this exact path via Remote Desktop Protocol. This is the most significant unforced operational security error in the tool's history. Any EDR or file-integrity monitoring alerting on executable writes to this directory from RDP sessions catches every version. - WMI/WinRM enumeration generates high-volume telemetry: Grixba's primary function produces a distinctive pattern of rapid lateral WMI connections from one source host to multiple targets in a short time window — a well-known lateral movement indicator. This has never changed because it is the core capability.
- No anti-sandbox or anti-debug capability: None of the four versions check for VM artifacts, low uptime, unusual process lists, or virtual NIC vendors. Running any version in a sandbox produces a complete execution trace. This basic capability — common in commodity malware — has never been implemented.
- .NET managed IL is trivially decompilable: Building in .NET means every version decompiles to near-source code with freely available tools (dnSpy, ILSpy). No obfuscation layer has been applied to any version. v2's XOR encryption of inf_g.dll adds one step, but once decoded, it decompiles identically.
New Weaknesses Introduced in v3
- Staged delivery creates a single point of failure: If the second-stage payload is blocked or detected in transit, the dropper alone is useless. Unlike v2 which was fully self-contained, v3's operational success depends on a delivery dependency.
- GT_NET.exe filename without the SentinelOne cover story: In v2, the filename was paired with convincing PE metadata making it look legitimate. In v3, the metadata was removed but the recognizable filename remains — arguably making it more suspicious than before.
11. The DPRK Connection
In October 2024, security researchers confirmed that North Korean state actor Jumpy Pisces (Andariel) had been operating alongside Play Ransomware as an initial access broker. The November 2024 v3 compilation coincides directly with the period of active DPRK collaboration.
The v3 architectural choices — leaner, stageable, lower fingerprint — may reflect not just evasion of public detection but also the operational requirements of a new partner. A 727 KB monolithic EXE with database engine bundled is harder to adapt to varied intrusion contexts. A lean loader stub that stages its payload on demand is far more versatile across the diverse deployment environments that a state-actor initial access broker would encounter.
The expanded locale/language APIs newly introduced in v3 also support this hypothesis: greater locale awareness could serve geofencing requirements for DPRK operational security, avoiding execution in environments that would trigger unwanted attention.
12. Detection Strategy and Hunting Guidance
Based on the four-version analysis, here is a prioritized detection framework for defenders:
Tier 1: Highest Confidence, Version-Agnostic
- File writes to
C:\Users\Public\Music\from RDP sessions: The single most reliable indicator across all versions and 26 months. Monitor for any executable (.exe, .dll, .dat) written to this path during or immediately after an RDP session. - 4-behavior execution chain: ntdll PAGE_READWRITE modification + VEH handler registration + RWX memory creation +
HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-USregistry check in sequence. - Rapid lateral WMI connections: One source host initiating WMI queries against multiple targets within a short time window, especially combined with WinRM and Remote Registry access patterns.
Tier 2: High Confidence, Version-Specific
- Mutex creation events containing "CPFATE": Catches v1 and v2 regardless of other changes.
- GT_NET.exe process name: Used across multiple versions with only cosmetic PE metadata changes.
- EvtOpenLog / EvtClearLog API calls + WMI activity log wipe in sequence: The Clr (log clearing) mode present in every version.
- ntdll.dll memory protection modification to PAGE_READWRITE: EDR unhooking behavior present in all four versions.
Tier 3: Version-Specific (Still Valuable for Triage)
- ExportData.db presence on disk (v2 indicator)
- data.dat + GT_NET.exe co-presence in C:\Users\Public\Music\ (v2 indicator)
- Network connection to 84.239.41.12 (v2 C2 indicator)
- Browser history SMB access across Chrome/Edge/Firefox/IE paths in sequence (v1.5 indicator)
What to Avoid Over-Indexing On
- Binary size thresholds (changed dramatically across versions)
- SentinelOne PE metadata strings (removed in v3)
- Specific CSV file names like alive.csv, soft.csv (removed in v2)
- Hash-based detections as the primary signal (each version is a new hash)
13. IOC Reference Table
File Hashes (SHA-256)
| Hash | Description |
|---|---|
453257c3...65deb | Infostealer.Grixba baseline (v1) |
c59f3c8d...904b7 | Play network scanner / Gt_net.exe (v1.5, CISA AA23-352A) |
f8810179...353a | Peak-capability build (v2) |
36214681...6e94 | Stripped/staged build (v3) |
b4505ab4...b7 | inf_g.dll — XOR-decoded CoreScanner module |
5922b1a7...18 | XOR-encrypted payload carrier (data.dat) |
f71476f9...b6 | Infostealer.Grixba cluster (Symantec) |
f81bd2ac...f9 | All VSS Copying Tool (AlphaVSS-based companion) |
Network Indicators
- IP:
84.239.41(.)12— PIA VPN exit node used as v2 C2
File System Indicators
- Drop path:
C:\Users\Public\Music\(all versions) - Filenames: GT_NET.exe, GT_NET.exe (lean), data.dat, inf_g.dll, ExportData.db, export.zip, data.zip
- Embedded GUID:
E8B10161-0849-4984-A6BF-3D1B267615CC-
Mutex
CPFATE_2704_v4.0.30319(observed in v1 and v2)
Tor Infrastructure (Play Ransomware)
x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd(.)onionb3pzp6qwelgeygmzn6awkduym6s4gxh6htwxuxeydrziwzlx63zergyd(.)onionp2qzf3rfvg4f74v2ambcnr6vniueucitbw6lyupkagsqejtuyak6qrid(.)onionwhfsjr35whjtrmmqqeqfxscfq564htdm427mjekic63737xscuayvkad(.)onionmbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd(.)onionk7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd(.)onionj75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid(.)onion
14. Conclusion
The four-version arc of Grixba is one of the clearest documented examples of a ransomware group's feedback loop with the detection ecosystem. Play built a tool, watched it get detected, expanded it dramatically in response to the first detections, and then — after that expansion became the new detection baseline — stripped it back below the original baseline to escape again.
The April 2023 Symantec disclosure was answered in three weeks with v2. The 18 months of progressive v2 analysis from Symantec, CISA, Trend Micro, and Field Effect MDR was answered by November 2024 with v3 — a build smaller than v1, carrying none of the artifacts that made v2 detectable, and architecturally suited for the new DPRK partnership context.
For defenders, the message is straightforward: do not anchor detection to any single version's artifacts. The only constants across all four versions are the C:\Users\Public\Music\ drop path from RDP sessions and the WMI/WinRM enumeration behavior. While size, filename, PE metadata, output format, and archive structure have all changed, this behavioral pair has held steady across 26 months and four architectural generations.
Hunt the behavior. Not the binary.
References and Further Reading
- Original Research: RakeshKrish, "Decoding Grixba — A Play Ransomware Scanner," The Raven File, June 8, 2026. https://theravenfile.com/2026/06/08/decoding-grixba-a-play-ransomware-scanner/
- CISA/FBI Advisory AA23-352A — Play Ransomware
- Symantec Threat Intelligence — Infostealer.Grixba (April 2023)
- Field Effect MDR — Grixba / Play Ransomware impersonates SentinelOne (January 2025)
- Trend Micro — Play Ransomware Analysis
Tags: Play Ransomware, Grixba, Malware Analysis, Infostealer, .NET Malware, MITRE ATT&CK, Ransomware, Threat Intelligence, EDR Evasion, DPRK Threat Actor, Jumpy Pisces, Andariel, Incident Response, IOC, Hunting
