Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
19-06-2024 15:24
Behavioral task
behavioral1
Sample
PyGrabber BETA/PyGrabber.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
PyGrabber BETA/PyGrabber.exe
Resource
win11-20240508-en
Behavioral task
behavioral3
Sample
PyGrabber BETA/Setup.bat
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
PyGrabber BETA/Setup.bat
Resource
win11-20240611-en
Behavioral task
behavioral5
Sample
PyGrabber BETA/req.py
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
PyGrabber BETA/req.py
Resource
win11-20240508-en
General
-
Target
PyGrabber BETA/Setup.bat
-
Size
131B
-
MD5
a58f7bad0e4d3a313ab83847931db227
-
SHA1
ff030845d85b500fbdfaf5f92e528d6bccd8f211
-
SHA256
8099f032726197ae774813b3bb0305ce06a62aa638e4555350400b500377670e
-
SHA512
f48315c0384c2e86fea7a671c422b1b58a73d995e9d451b5e37f73219dc0971a24c30d08cb919c93f97f65a721ee7dd61e91b4ccbc572aad383742f36cada456
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/989605498150092830/I3sJcFFWbTWwsAi6ly8l_n-AJ0DbeIeGdUt5rJnglsUWr5gsPaHLpVae-SL6M8scYn3s
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
PyGrabber.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions PyGrabber.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
PyGrabber.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools PyGrabber.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
PyGrabber.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PyGrabber.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip4.seeip.org 3 ip4.seeip.org 4 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
PyGrabber.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PyGrabber.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 PyGrabber.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
PyGrabber.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S PyGrabber.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
PyGrabber.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PyGrabber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PyGrabber.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
PyGrabber.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation PyGrabber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer PyGrabber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName PyGrabber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 PyGrabber.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PyGrabber.exedescription pid process Token: SeDebugPrivilege 1912 PyGrabber.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exePyGrabber.exedescription pid process target process PID 2228 wrote to memory of 1912 2228 cmd.exe PyGrabber.exe PID 2228 wrote to memory of 1912 2228 cmd.exe PyGrabber.exe PID 2228 wrote to memory of 1912 2228 cmd.exe PyGrabber.exe PID 1912 wrote to memory of 2824 1912 PyGrabber.exe WerFault.exe PID 1912 wrote to memory of 2824 1912 PyGrabber.exe WerFault.exe PID 1912 wrote to memory of 2824 1912 PyGrabber.exe WerFault.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\Setup.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PyGrabber BETA\PyGrabber.exePyGrabber.exe2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1912 -s 17043⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1912-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmpFilesize
4KB
-
memory/1912-1-0x0000000001080000-0x0000000001090000-memory.dmpFilesize
64KB
-
memory/1912-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmpFilesize
9.9MB
-
memory/1912-3-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmpFilesize
4KB
-
memory/1912-4-0x000007FEF57B0000-0x000007FEF619C000-memory.dmpFilesize
9.9MB