Overview

Analysis tabs (score out of 10):
- Overview: 10
- Static: 10
- SirCookie/...ks.dll, windows7-x64: 1
- SirCookie/...ks.dll, windows10-2004-x64: 1
- SirCookie/....3.dll, windows7-x64: 1
- SirCookie/....3.dll, windows10-2004-x64: 1
- SirCookie/...on.dll, windows7-x64: 1
- SirCookie/...on.dll, windows10-2004-x64: 1
- SirCookie/...er.exe, windows7-x64: 8
- SirCookie/...er.exe, windows10-2004-x64: 8
- SirCookie/...ks.dll, windows7-x64: 1
- SirCookie/...ks.dll, windows10-2004-x64: 1
- SirCookie/....3.dll, windows7-x64: 1
- SirCookie/....3.dll, windows10-2004-x64: 1
- SirCookie/...on.dll, windows7-x64: 1
- SirCookie/...on.dll, windows10-2004-x64: 1
- SirCookie/...er.exe, windows7-x64: 8
- SirCookie/...er.exe, windows10-2004-x64: 8
- SirCookie/...st.exe, windows7-x64: 10
- SirCookie/...st.exe, windows10-2004-x64: 10
- SirCookie/...st.exe, windows7-x64: 10
- SirCookie/...st.exe, windows10-2004-x64: 10

General
- Target: SirCookie.zip
- Size: 4.0MB
- Sample: 230124-bq7q6agc64
- MD5: 4cb3460008bc82dae99d4d75376f9622
- SHA1: 29fa368816b22724a1f6cdc14cd81518870c3251
- SHA256: a1d03a6d7eb39e9bb6aca13b8d9b3da918f04998b4333070374a48257b683455
- SHA512: e274adc59a6b7dfd865ed9207d26b5d43fafe4e68cf4063e8eb2261a6bf968d041dd7176ca2f26ff85976e7a16e713e199979211c14ced64cce0a687d9676679
- SSDEEP: 49152:V/dUuNI7NaoTmzfTZXHbAmBD3e6d18bBHdZ3/dUuNI7NaoTmzfTZXH23e6d18bBC:0usaoqWppSusaoyprLw
Behavioral tasks (sample, resource)
- behavioral1: SirCookie/BetterSocks.dll, win7-20221111-en
- behavioral2: SirCookie/BetterSocks.dll, win10v2004-20221111-en
- behavioral3: SirCookie/Bunifu_UI_v1.5.3.dll, win7-20221111-en
- behavioral4: SirCookie/Bunifu_UI_v1.5.3.dll, win10v2004-20221111-en
- behavioral5: SirCookie/Newtonsoft.Json.dll, win7-20221111-en
- behavioral6: SirCookie/Newtonsoft.Json.dll, win10v2004-20220812-en
- behavioral7: SirCookie/RobloxPlayerLauncher.exe, win7-20220812-en
- behavioral8: SirCookie/RobloxPlayerLauncher.exe, win10v2004-20220901-en
- behavioral9: SirCookie/SirCookie/BetterSocks.dll, win7-20220812-en
- behavioral10: SirCookie/SirCookie/BetterSocks.dll, win10v2004-20220812-en
- behavioral11: SirCookie/SirCookie/Bunifu_UI_v1.5.3.dll, win7-20221111-en
- behavioral12: SirCookie/SirCookie/Bunifu_UI_v1.5.3.dll, win10v2004-20220812-en
- behavioral13: SirCookie/SirCookie/Newtonsoft.Json.dll, win7-20221111-en
- behavioral14: SirCookie/SirCookie/Newtonsoft.Json.dll, win10v2004-20221111-en
- behavioral15: SirCookie/SirCookie/RobloxPlayerLauncher.exe, win7-20220901-en
- behavioral16: SirCookie/SirCookie/RobloxPlayerLauncher.exe, win10v2004-20221111-en
- behavioral17: SirCookie/SirCookie/SirTrust.exe, win7-20220812-en
- behavioral18: SirCookie/SirCookie/SirTrust.exe, win10v2004-20220812-en
- behavioral19: SirCookie/SirTrust.exe, win7-20221111-en
- behavioral20: SirCookie/SirTrust.exe, win10v2004-20221111-en
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/944337247396823121/A81wQPz7g6M4BbXgnk9HuolrSnkDOZEUIRPDZZZKfpplEKVMQj8gLYN9kxwnDnuLyWhh
Targets

Target: SirCookie/BetterSocks.dll
- Size: 252KB
- MD5: 565f3a20efa082034d63d12b6ba8f5c7
- SHA1: 2bf7c33fe684e771b46d7328d5b8f1cd6de26c6f
- SHA256: 8cc7d0fda7fa11d64fac3b8efd86852e680e4c89ff5ac27bd3ea0a9390a77972
- SHA512: 6f5d233312a2dc1cefbb5217c625d331e893d4e937c165b88afbe50cdf2eb758f96903205791abbb0f2b3f73d77a1dfac7f0efc94f692329cd0fa52a43a34d9e
- SSDEEP: 6144:yg50eCz4GBT1dq47/v4Mh4dWV3vBLGY+N:y00eGhcpWBvBH
- Score: 1/10
Target: SirCookie/Bunifu_UI_v1.5.3.dll
- Size: 323KB
- MD5: e0ef2817ee5a7c8cd1eb837195768bd2
- SHA1: 426ea1e201c7d3dc3fadce976536edce4cd51bce
- SHA256: 76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
- SHA512: 5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c
- SSDEEP: 3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr
- Score: 1/10
Target: SirCookie/Newtonsoft.Json.dll
- Size: 637KB
- MD5: a6be9efdaa744e9947f4ee18de5423bd
- SHA1: 258e57ba953cfadf9fdb00c759e8152a6ae7d883
- SHA256: 6cc0cbcd5c4709c6a1c97f5581c347d93e586e7cc0d64bffb4d32c6e753476a4
- SHA512: be94cb3d150a2066db44031ad81921813cb841786fa827fdb36fc09bf06bf48939ee71fffd2d76c5b805b59d6c0f9a3e2dc6927aeaf0b4ac062c92c9205f55b0
- SSDEEP: 12288:GG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U:37itqr3e6d18J9LBHd2
- Score: 1/10
Target: SirCookie/RobloxPlayerLauncher.exe
- Size: 803KB
- MD5: 633e9d4955e745e82e6291db8fb743b1
- SHA1: 940fe8593b3e22b97334574a66f3b1cb15be5cc6
- SHA256: ffeeba0ecbe5093bb52d0e037eac8e94f44a68add6c492388e6b7414f2d28588
- SHA512: cadc792bd52258f066b61ece83960616bdaa8f43668910e6823c24e8a8ca2daf01a740ce656152d518475f214f34cbeb4aa8a708a3ccd1d53a52a04bef304bfa
- SSDEEP: 24576:T/dWIGPuNImcNai7Ntmknsa+TCXVET7Hg:T/dUuNI7NaoTmzfTZXHg

- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Target: SirCookie/SirCookie/BetterSocks.dll
- Size: 252KB
- MD5: 565f3a20efa082034d63d12b6ba8f5c7
- SHA1: 2bf7c33fe684e771b46d7328d5b8f1cd6de26c6f
- SHA256: 8cc7d0fda7fa11d64fac3b8efd86852e680e4c89ff5ac27bd3ea0a9390a77972
- SHA512: 6f5d233312a2dc1cefbb5217c625d331e893d4e937c165b88afbe50cdf2eb758f96903205791abbb0f2b3f73d77a1dfac7f0efc94f692329cd0fa52a43a34d9e
- SSDEEP: 6144:yg50eCz4GBT1dq47/v4Mh4dWV3vBLGY+N:y00eGhcpWBvBH
- Score: 1/10
Target: SirCookie/SirCookie/Bunifu_UI_v1.5.3.dll
- Size: 323KB
- MD5: e0ef2817ee5a7c8cd1eb837195768bd2
- SHA1: 426ea1e201c7d3dc3fadce976536edce4cd51bce
- SHA256: 76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
- SHA512: 5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c
- SSDEEP: 3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr
- Score: 1/10
Target: SirCookie/SirCookie/Newtonsoft.Json.dll
- Size: 637KB
- MD5: a6be9efdaa744e9947f4ee18de5423bd
- SHA1: 258e57ba953cfadf9fdb00c759e8152a6ae7d883
- SHA256: 6cc0cbcd5c4709c6a1c97f5581c347d93e586e7cc0d64bffb4d32c6e753476a4
- SHA512: be94cb3d150a2066db44031ad81921813cb841786fa827fdb36fc09bf06bf48939ee71fffd2d76c5b805b59d6c0f9a3e2dc6927aeaf0b4ac062c92c9205f55b0
- SSDEEP: 12288:GG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U:37itqr3e6d18J9LBHd2
- Score: 1/10
Target: SirCookie/SirCookie/RobloxPlayerLauncher.exe
- Size: 803KB
- MD5: 633e9d4955e745e82e6291db8fb743b1
- SHA1: 940fe8593b3e22b97334574a66f3b1cb15be5cc6
- SHA256: ffeeba0ecbe5093bb52d0e037eac8e94f44a68add6c492388e6b7414f2d28588
- SHA512: cadc792bd52258f066b61ece83960616bdaa8f43668910e6823c24e8a8ca2daf01a740ce656152d518475f214f34cbeb4aa8a708a3ccd1d53a52a04bef304bfa
- SSDEEP: 24576:T/dWIGPuNImcNai7Ntmknsa+TCXVET7Hg:T/dUuNI7NaoTmzfTZXHg

- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Target: SirCookie/SirCookie/SirTrust.exe
- Size: 46KB
- MD5: 950a1ea250af03405d434d8913c43e30
- SHA1: 8eb9e8050faa62d3008f9d3e26b5968d48569988
- SHA256: 1c9aaca797b2d226260c3a84b38defe57123def7e5dca9d4e43099a9995ddc5b
- SHA512: 5cff406e6c986274d20f5dac7220f807583a731498921cc39e9210707723b586c0048951ad41547064fcd4d756d22548d636c913a571db854a2f0cc484335ad1
- SSDEEP: 768:MscGoA07Q2mcwQuZDeOWTjxKZKfgm3EhJB67r:DcBQ20eOWTNF7ETB6
- Score: 10/10

- Mercurial Grabber Stealer: Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
Target: SirCookie/SirTrust.exe
- Size: 46KB
- MD5: 950a1ea250af03405d434d8913c43e30
- SHA1: 8eb9e8050faa62d3008f9d3e26b5968d48569988
- SHA256: 1c9aaca797b2d226260c3a84b38defe57123def7e5dca9d4e43099a9995ddc5b
- SHA512: 5cff406e6c986274d20f5dac7220f807583a731498921cc39e9210707723b586c0048951ad41547064fcd4d756d22548d636c913a571db854a2f0cc484335ad1
- SSDEEP: 768:MscGoA07Q2mcwQuZDeOWTjxKZKfgm3EhJB67r:DcBQ20eOWTNF7ETB6
- Score: 10/10

- Mercurial Grabber Stealer: Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.