Analysis
max time kernel: 10s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-08-2023 22:46
Behavioral task: behavioral1
Sample: Gerador.exe
Resource: win10v2004-20230703-en
General
Target: Gerador.exe
Size: 42KB
MD5: d0a24bb969b934df373005ad1d86847c
SHA1: d406e4e0ace784c125a8e106ccbb03051916c63e
SHA256: dfd07784906232802c3afda354ebd445b186db25eed65e4c3612d4a4a5beefc7
SHA512: b11bd5da81fe63beccd2ddc8a55d2593d43eba5a7d085b6d7cfb2e2f7143d4d72cfb61852ddc6600bd9c691d1278ee5fed55a8e2db776f99c6f9d43a6686a00f
SSDEEP: 768:WmSPdxCGP4Q7YB8uZPLmRTjNKZKfgm3EhbSw:WDx8BNLmRTBF7EtN
Malware Config
Extracted family: mercurialgrabber
Extracted C2 (Discord webhook): https://discordapp.com/api/webhooks/1137732376970141788/BSr_PjmFVxqp7BblluwN-skaCKmhCEBuP-YwdA2hmT3jW_c5O5Bp1veikMRnN19SZlMv
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Program crash (1 IoC)
Processes:
  pid: 4704, pid_target: 3932, process: WerFault.exe, target process: Gerador.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege, pid: 3932, process: Gerador.exe
Processes (process tree)

1. C:\Users\Admin\AppData\Local\Temp\Gerador.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Gerador.exe"
   PID: 3932
   signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 3932 -s 1824
      PID: 4704
      signatures: Program crash

1. C:\Windows\system32\WerFault.exe
   command line: C:\Windows\system32\WerFault.exe -pss -s 424 -p 3932 -ip 3932
   PID: 2848