General

  • Target

    SirCookie.zip

  • Size

    4.0MB

  • Sample

    230124-bq7q6agc64

  • MD5

    4cb3460008bc82dae99d4d75376f9622

  • SHA1

    29fa368816b22724a1f6cdc14cd81518870c3251

  • SHA256

    a1d03a6d7eb39e9bb6aca13b8d9b3da918f04998b4333070374a48257b683455

  • SHA512

    e274adc59a6b7dfd865ed9207d26b5d43fafe4e68cf4063e8eb2261a6bf968d041dd7176ca2f26ff85976e7a16e713e199979211c14ced64cce0a687d9676679

  • SSDEEP

    49152:V/dUuNI7NaoTmzfTZXHbAmBD3e6d18bBHdZ3/dUuNI7NaoTmzfTZXH23e6d18bBC:0usaoqWppSusaoyprLw

Malware Config

Extracted

  • Family

    mercurialgrabber

  • C2

    https://discord.com/api/webhooks/944337247396823121/A81wQPz7g6M4BbXgnk9HuolrSnkDOZEUIRPDZZZKfpplEKVMQj8gLYN9kxwnDnuLyWhh

Targets

    • Target

      SirCookie/BetterSocks.dll

    • Size

      252KB

    • MD5

      565f3a20efa082034d63d12b6ba8f5c7

    • SHA1

      2bf7c33fe684e771b46d7328d5b8f1cd6de26c6f

    • SHA256

      8cc7d0fda7fa11d64fac3b8efd86852e680e4c89ff5ac27bd3ea0a9390a77972

    • SHA512

      6f5d233312a2dc1cefbb5217c625d331e893d4e937c165b88afbe50cdf2eb758f96903205791abbb0f2b3f73d77a1dfac7f0efc94f692329cd0fa52a43a34d9e

    • SSDEEP

      6144:yg50eCz4GBT1dq47/v4Mh4dWV3vBLGY+N:y00eGhcpWBvBH

    Score
    1/10

    • Target

      SirCookie/Bunifu_UI_v1.5.3.dll

    • Size

      323KB

    • MD5

      e0ef2817ee5a7c8cd1eb837195768bd2

    • SHA1

      426ea1e201c7d3dc3fadce976536edce4cd51bce

    • SHA256

      76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930

    • SHA512

      5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

    • SSDEEP

      3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr

    Score
    1/10

    • Target

      SirCookie/Newtonsoft.Json.dll

    • Size

      637KB

    • MD5

      a6be9efdaa744e9947f4ee18de5423bd

    • SHA1

      258e57ba953cfadf9fdb00c759e8152a6ae7d883

    • SHA256

      6cc0cbcd5c4709c6a1c97f5581c347d93e586e7cc0d64bffb4d32c6e753476a4

    • SHA512

      be94cb3d150a2066db44031ad81921813cb841786fa827fdb36fc09bf06bf48939ee71fffd2d76c5b805b59d6c0f9a3e2dc6927aeaf0b4ac062c92c9205f55b0

    • SSDEEP

      12288:GG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U:37itqr3e6d18J9LBHd2

    Score
    1/10

    • Target

      SirCookie/RobloxPlayerLauncher.exe

    • Size

      803KB

    • MD5

      633e9d4955e745e82e6291db8fb743b1

    • SHA1

      940fe8593b3e22b97334574a66f3b1cb15be5cc6

    • SHA256

      ffeeba0ecbe5093bb52d0e037eac8e94f44a68add6c492388e6b7414f2d28588

    • SHA512

      cadc792bd52258f066b61ece83960616bdaa8f43668910e6823c24e8a8ca2daf01a740ce656152d518475f214f34cbeb4aa8a708a3ccd1d53a52a04bef304bfa

    • SSDEEP

      24576:T/dWIGPuNImcNai7Ntmknsa+TCXVET7Hg:T/dUuNI7NaoTmzfTZXHg

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Target

      SirCookie/SirCookie/BetterSocks.dll

    • Size

      252KB

    • MD5

      565f3a20efa082034d63d12b6ba8f5c7

    • SHA1

      2bf7c33fe684e771b46d7328d5b8f1cd6de26c6f

    • SHA256

      8cc7d0fda7fa11d64fac3b8efd86852e680e4c89ff5ac27bd3ea0a9390a77972

    • SHA512

      6f5d233312a2dc1cefbb5217c625d331e893d4e937c165b88afbe50cdf2eb758f96903205791abbb0f2b3f73d77a1dfac7f0efc94f692329cd0fa52a43a34d9e

    • SSDEEP

      6144:yg50eCz4GBT1dq47/v4Mh4dWV3vBLGY+N:y00eGhcpWBvBH

    Score
    1/10

    • Target

      SirCookie/SirCookie/Bunifu_UI_v1.5.3.dll

    • Size

      323KB

    • MD5

      e0ef2817ee5a7c8cd1eb837195768bd2

    • SHA1

      426ea1e201c7d3dc3fadce976536edce4cd51bce

    • SHA256

      76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930

    • SHA512

      5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

    • SSDEEP

      3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr

    Score
    1/10

    • Target

      SirCookie/SirCookie/Newtonsoft.Json.dll

    • Size

      637KB

    • MD5

      a6be9efdaa744e9947f4ee18de5423bd

    • SHA1

      258e57ba953cfadf9fdb00c759e8152a6ae7d883

    • SHA256

      6cc0cbcd5c4709c6a1c97f5581c347d93e586e7cc0d64bffb4d32c6e753476a4

    • SHA512

      be94cb3d150a2066db44031ad81921813cb841786fa827fdb36fc09bf06bf48939ee71fffd2d76c5b805b59d6c0f9a3e2dc6927aeaf0b4ac062c92c9205f55b0

    • SSDEEP

      12288:GG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2U:37itqr3e6d18J9LBHd2

    Score
    1/10

    • Target

      SirCookie/SirCookie/RobloxPlayerLauncher.exe

    • Size

      803KB

    • MD5

      633e9d4955e745e82e6291db8fb743b1

    • SHA1

      940fe8593b3e22b97334574a66f3b1cb15be5cc6

    • SHA256

      ffeeba0ecbe5093bb52d0e037eac8e94f44a68add6c492388e6b7414f2d28588

    • SHA512

      cadc792bd52258f066b61ece83960616bdaa8f43668910e6823c24e8a8ca2daf01a740ce656152d518475f214f34cbeb4aa8a708a3ccd1d53a52a04bef304bfa

    • SSDEEP

      24576:T/dWIGPuNImcNai7Ntmknsa+TCXVET7Hg:T/dUuNI7NaoTmzfTZXHg

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Target

      SirCookie/SirCookie/SirTrust.exe

    • Size

      46KB

    • MD5

      950a1ea250af03405d434d8913c43e30

    • SHA1

      8eb9e8050faa62d3008f9d3e26b5968d48569988

    • SHA256

      1c9aaca797b2d226260c3a84b38defe57123def7e5dca9d4e43099a9995ddc5b

    • SHA512

      5cff406e6c986274d20f5dac7220f807583a731498921cc39e9210707723b586c0048951ad41547064fcd4d756d22548d636c913a571db854a2f0cc484335ad1

    • SSDEEP

      768:MscGoA07Q2mcwQuZDeOWTjxKZKfgm3EhJB67r:DcBQ20eOWTNF7ETB6

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open-source stealer that targets Chrome, Discord and some game clients, as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      SirCookie/SirTrust.exe

    • Size

      46KB

    • MD5

      950a1ea250af03405d434d8913c43e30

    • SHA1

      8eb9e8050faa62d3008f9d3e26b5968d48569988

    • SHA256

      1c9aaca797b2d226260c3a84b38defe57123def7e5dca9d4e43099a9995ddc5b

    • SHA512

      5cff406e6c986274d20f5dac7220f807583a731498921cc39e9210707723b586c0048951ad41547064fcd4d756d22548d636c913a571db854a2f0cc484335ad1

    • SSDEEP

      768:MscGoA07Q2mcwQuZDeOWTjxKZKfgm3EhJB67r:DcBQ20eOWTNF7ETB6

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open-source stealer that targets Chrome, Discord and some game clients, as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 4
    Install Root Certificate (T1130): 2
    Virtualization/Sandbox Evasion (T1497): 4

  • Credential Access

    Credentials in Files (T1081): 4

  • Discovery

    Query Registry (T1012): 16
    System Information Discovery (T1082): 14
    Virtualization/Sandbox Evasion (T1497): 4
    Peripheral Device Discovery (T1120): 4

  • Collection

    Data from Local System (T1005): 4

  • Command and Control

    Web Service (T1102): 2

Tasks

  • static1

    mercurialgrabber
    Score 10/10

  • behavioral1

    Score 1/10

  • behavioral2

    Score 1/10

  • behavioral3

    Score 1/10

  • behavioral4

    Score 1/10

  • behavioral5

    Score 1/10

  • behavioral6

    Score 1/10

  • behavioral7

    discovery, evasion, spyware, stealer, trojan
    Score 8/10

  • behavioral8

    discovery, evasion, spyware, stealer, trojan
    Score 8/10

  • behavioral9

    Score 1/10

  • behavioral10

    Score 1/10

  • behavioral11

    Score 1/10

  • behavioral12

    Score 1/10

  • behavioral13

    Score 1/10

  • behavioral14

    Score 1/10

  • behavioral15

    discovery, evasion, spyware, stealer, trojan
    Score 8/10

  • behavioral16

    discovery, evasion, spyware, stealer, trojan
    Score 8/10

  • behavioral17

    mercurialgrabber, evasion, spyware, stealer
    Score 10/10

  • behavioral18

    mercurialgrabber, evasion, spyware, stealer
    Score 10/10

  • behavioral19

    mercurialgrabber, evasion, spyware, stealer
    Score 10/10

  • behavioral20

    mercurialgrabber, evasion, spyware, stealer
    Score 10/10