Malware Analysis Report

2024-11-13 15:43

Sample ID 231105-lpedbsdh8v
Target Eulen CRACK.exe
SHA256 76964d8a6b5b9b4655be96b4dac3c11dc1104918fced6f069b044e56ac2eacb3
Tags
mercurialgrabber evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76964d8a6b5b9b4655be96b4dac3c11dc1104918fced6f069b044e56ac2eacb3

Threat Level: Known bad

The file Eulen CRACK.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber evasion spyware stealer

Mercurialgrabber family

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-05 09:42

Signatures

Mercurialgrabber family

mercurialgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-05 09:42

Reported

2023-11-05 09:43

Platform

win10v2004-20231023-en

Max time kernel

44s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe

"C:\Users\Admin\AppData\Local\Temp\Eulen CRACK.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 8.8.8.8:53 ip-api.com udp
N/A 100.86.145.126:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 126.145.86.100.in-addr.arpa udp

Files

memory/864-0-0x0000000000D00000-0x0000000000D52000-memory.dmp

memory/864-1-0x00007FFEE5A80000-0x00007FFEE6541000-memory.dmp

memory/864-2-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

memory/864-6-0x000000001C6C0000-0x000000001C82A000-memory.dmp

memory/864-7-0x00007FFEE5A80000-0x00007FFEE6541000-memory.dmp