Grixba

Grixba is a custom .NET reconnaissance and information-stealing tool closely associated with the Play ransomware operation, also tracked as Playcrypt and by Symantec as Balloonfly. It is used during pre-encryption phases for discovery and data gathering rather than as the ransomware payload itself. Multiple sources describe it as a network scanner and infostealer used to enumerate users and computers in a Windows domain, collect network information, perform Active Directory reconnaissance, and scan for antivirus, security, backup, and remote administration software. Reported collection methods include WMI, WinRM, Remote Registry, and Remote Services. Some reporting also states it can gather host, software, process, session, browser history, and network route information to support follow-on actions such as privilege escalation, exploitation, lateral movement, and backup disruption.

Grixba has been observed in Play-linked intrusions where initial access was obtained through mechanisms including valid account abuse, exploitation of public-facing applications, and RDP/VPN access. It has also been reported in an intrusion where Play-linked actors exploited the Windows CLFS privilege-escalation vulnerability CVE-2025-29824, though ransomware was not deployed in that case. In another observed intrusion, Grixba was dropped via RDP to C:\Users\Public\Music on a Windows server as GT_NET.exe alongside data.dat and disguised as "SentinelOne Compatibility Wizard" to resemble legitimate SentinelOne software. Symantec also reported Play-linked artifacts masquerading as Palo Alto software in a separate intrusion.

Technical reporting describes Grixba as an obfuscated .NET Framework 4.6.2 application that can require operator-supplied base64-encoded arguments and a base64-encoded 64-byte XOR key to decode data.dat and load inf_g.dll, which contains scanning logic. Observed command-line options include modes to scan the current domain, scan IP ranges, or load IPs from a file. Symantec reported modes including Scanall, Scan, and Clr; Clr deletes logs from local and remote computers, including event logs and Microsoft-Windows-WMI-Activity logs via EvtOpenLog and EvtClearLog. Output handling varies by sample/reporting: Symantec reported CSV outputs such as alive.csv, wm.csv, soft.csv, all_soft.csv, mount.csv, users.csv, remote_svc.csv, and cached_RDP.csv compressed with WinRAR into export.zip for manual exfiltration, while Field Effect reported creation of a password-protected data.zip containing ExportData.db, an 18-table database storing scan results. ExportData.db was highlighted as a notable indicator of compromise.

Grixba is repeatedly cited as a proprietary Play/Balloonfly tool and has been observed alongside other Play tradecraft and tooling including AdFind, Cobalt Strike, SystemBC, PsExec, Mimikatz, WinPEAS, WinRAR, and WinSCP. High-confidence indicators mentioned in the content include filenames GT_NET.exe, data.dat, inf_g.dll, export.zip, data.zip, and ExportData.db; the path C:\Users\Public\Music; and hashes SHA-256 3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94 (GT_NET.exe), 5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218 (data.dat), and b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7 (inf_g.dll). The joint FBI/CISA/ACSC advisory also notes IoCs for GRIXBA/Gt_net.exe.