mercurialgrabber | 060eeba1a6af6ae88083fd6b7756b7e5892e89e94dd0317757649584386b1b2d

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PyGrabber BETA/Setup.bat
Size

131B
MD5

a58f7bad0e4d3a313ab83847931db227
SHA1

ff030845d85b500fbdfaf5f92e528d6bccd8f211
SHA256

8099f032726197ae774813b3bb0305ce06a62aa638e4555350400b500377670e
SHA512

f48315c0384c2e86fea7a671c422b1b58a73d995e9d451b5e37f73219dc0971a24c30d08cb919c93f97f65a721ee7dd61e91b4ccbc572aad383742f36cada456

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/989605498150092830/I3sJcFFWbTWwsAi6ly8l_n-AJ0DbeIeGdUt5rJnglsUWr5gsPaHLpVae-SL6M8scYn3s

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PyGrabber.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PyGrabber.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PyGrabber.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

18 discord.com
32 discord.com
17 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip4.seeip.org
4 ip4.seeip.org
13 ip-api.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PyGrabber.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PyGrabber.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	PyGrabber.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PyGrabber.exe

flow	ioc
18	discord.com
32	discord.com
17	discord.com

flow	ioc
3	ip4.seeip.org
4	ip4.seeip.org
13	ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PyGrabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	PyGrabber.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PyGrabber.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

PyGrabber.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	PyGrabber.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PyGrabber.exe

description pid process

Token: SeDebugPrivilege 3076 PyGrabber.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4044 wrote to memory of 3076 4044 cmd.exe PyGrabber.exe
PID 4044 wrote to memory of 3076 4044 cmd.exe PyGrabber.exe

description	pid	process
Token: SeDebugPrivilege	3076	PyGrabber.exe

description	pid	process	target process
PID 4044 wrote to memory of 3076	4044	cmd.exe	PyGrabber.exe
PID 4044 wrote to memory of 3076	4044	cmd.exe	PyGrabber.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\Setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\PyGrabber.exe
PyGrabber.exe
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3076-1-0x00007FFCF9A73000-0x00007FFCF9A75000-memory.dmp

Filesize
8KB

Download
memory/3076-0-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/3076-2-0x00007FFCF9A70000-0x00007FFCFA531000-memory.dmp

Filesize
10.8MB

Download
memory/3076-6-0x00007FFCF9A70000-0x00007FFCFA531000-memory.dmp

Filesize
10.8MB

Download