Analysis
-
max time kernel
32s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2023 14:25
Behavioral task
behavioral1
Sample
trackware leaked +++.exe
Resource
win10v2004-20230703-en
General
-
Target
trackware leaked +++.exe
-
Size
46KB
-
MD5
95bc936675673e99ce66592a5f172096
-
SHA1
67bbcf11ea8bbf0763668d316b89243b0e9beb52
-
SHA256
79de9f5d80b52488f8427eaa1a9b7972d658feeeca739831e196c3ded68650b5
-
SHA512
6f36167e33cf6f38331a50c019edf3608107f6231415f4578c3e152ae4a092155567121580b0c717c5e36a0f0a2cc045620ac747a805ccff9011b960f661bf3d
-
SSDEEP
768:BjLBbKKqqI2SrZDhuZiLHDTj9KZKfgm3EhAS7mca:HNqH2ofLHDT5F7EaXz
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1135556677366726792/KD7Ycd_y48McCdSP6hRTNv7oki6HzrPMjDpnfHaEmRKHmqHyI3M9f323bNCSBItoYij3
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 ip-api.com 10 ip4.seeip.org 12 ip4.seeip.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
trackware leaked +++.exedescription pid process Token: SeDebugPrivilege 2928 trackware leaked +++.exe