Analysis
-
max time kernel
20s -
max time network
23s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
13-08-2023 16:58
Behavioral task
behavioral1
Sample
drexgrabber.exe
Resource
win10-20230703-en
General
-
Target
drexgrabber.exe
-
Size
41KB
-
MD5
03c35bba6b01980923da47f1667603b2
-
SHA1
96c14621d1d4580b8dc1ba7174ef168591aba8cc
-
SHA256
ba9b66e4af028959aaac31aa6d74a09e9e4cd8bc31fce00250328e4ab8053f86
-
SHA512
40b322aab326fa3c15433701dd912b5a4b688145422e7b1c2419e4589360adb4a36411f69322017c4a86bcf44bcb02993a7df3ecf35211ed9d635187397d6738
-
SSDEEP
768:5scaIyIqEemmpKYgGz3wVuZ/e6WTjeKZKfgm3EhhA:mc1eBZve6WTKF7E7A
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1140322513755308185/Zru5R3Imi_p01TgXsYXxo8TZXbXieCp0T3GFCAc9QSwVsz6QVcpQ1RBn2uKCL3z4leIA
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip4.seeip.org 2 ip4.seeip.org 3 ip4.seeip.org 4 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
drexgrabber.exedescription pid process Token: SeDebugPrivilege 60 drexgrabber.exe