mercurialgrabber | 060eeba1a6af6ae88083fd6b7756b7e5892e89e94dd0317757649584386b1b2d

Analysis

max time kernel
1s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19-06-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PyGrabber BETA/PyGrabber.exe
Size

46KB
MD5

9934be2fca82f5d2c76e23816e289e78
SHA1

4d857ca16570c1e9563f989bc00eba57a1f570e9
SHA256

d7431f4441abc86098bee0b76bd07dd6a59d313845d88d246f66de6d2cbc16cb
SHA512

995c58845dbd22f986a72573313896b9d8b2f7e5732da301d6310393753d3e4362373860a12f0084f3eb239435c454f99b1ee219c0e79cf7935364e28477b882
SSDEEP

768:EDf1uZdxCGO1rtQ7YBCuZ1L1+TjXtKZKfgm3Ehq6lnkN0Wkrh:Yaxm1r1BpL1+TztF7Ek6lnxW

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/989605498150092830/I3sJcFFWbTWwsAi6ly8l_n-AJ0DbeIeGdUt5rJnglsUWr5gsPaHLpVae-SL6M8scYn3s

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PyGrabber.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PyGrabber.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PyGrabber.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip4.seeip.org
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PyGrabber.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 PyGrabber.exe
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

PyGrabber.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	PyGrabber.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PyGrabber.exe

flow	ioc
1	ip4.seeip.org

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PyGrabber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	PyGrabber.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

PyGrabber.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	PyGrabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	PyGrabber.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PyGrabber.exe

description pid process

Token: SeDebugPrivilege 2628 PyGrabber.exe

description	pid	process
Token: SeDebugPrivilege	2628	PyGrabber.exe

C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\PyGrabber.exe
"C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\PyGrabber.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2628-0-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp

Filesize
8KB

Download
memory/2628-1-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2628-2-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

Filesize
10.8MB

Download