Overview

overview

10

Static

static

10

RGF-main.zip

windows10-2004-x64

10

RGF-main/Input.zip

windows10-2004-x64

1

RoBrute-ma...ICENSE

windows10-2004-x64

1

RoBrute-ma...DME.md

windows10-2004-x64

3

RoBrute-ma...ute.py

windows10-2004-x64

3

RoBrute-ma...Lib.py

windows10-2004-x64

3

RoBrute-ma...ib.pyc

windows10-2004-x64

3

RoBrute-ma...ss.lst

windows10-2004-x64

3

RoBrute-ma...y.yaml

windows10-2004-x64

3

RoBrute-ma...ts.txt

windows10-2004-x64

1

RoBrute-ma...cks.py

windows10-2004-x64

3

RoBrute-ma...ks.pyc

windows10-2004-x64

3

RGF-main/RBF.exe

windows10-2004-x64

10

RGF-main/README.md

windows10-2004-x64

3

Resubmissions

12-05-2024 18:09

240512-wrsnvahe71 10

12-05-2024 17:56

240512-wh2v6acb26 10

12-05-2024 17:50

240512-we2qzsbh82 10

Analysis

  • max time kernel
    126s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RGF-main.zip

  • Size

    54KB

  • MD5

    7bcc565dfb0ce789f9a984870a64414c

  • SHA1

    7918e05800b7d02be5aa3670259709fde7f5c268

  • SHA256

    33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb

  • SHA512

    0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0

  • SSDEEP

    768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr

Score
10/10
mercurialgrabberevasionstealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RGF-main.zip
    1⤵
      PID:4724
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1556
      • C:\Users\Admin\Documents\RGF-main\RGF-main\RBF.exe
        "C:\Users\Admin\Documents\RGF-main\RGF-main\RBF.exe"
        1⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2248

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      7
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      5
      T1082

      Peripheral Device Discovery

      2
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2248-0-0x00007FFBFAA33000-0x00007FFBFAA35000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2248-1-0x0000000000F30000-0x0000000000F40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2248-2-0x00007FFBFAA30000-0x00007FFBFB4F1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2248-6-0x00007FFBFAA30000-0x00007FFBFB4F1000-memory.dmp
        Filesize

        10.8MB

        Download