Overview

overview

10

Static

static

10

cr2dit-c4rd GEN.exe

windows7-x64

10

cr2dit-c4rd GEN.exe

windows10-2004-x64

10

Resubmissions

30-04-2024 03:16

240430-dsrttsah74 10

30-04-2024 03:15

240430-dr9y1sbe7x 10

30-04-2024 03:07

240430-dmhzqsag52 10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cr2dit-c4rd GEN.exe

  • Size

    41KB

  • MD5

    15934eee4dbef1cf6c12bb491b72463f

  • SHA1

    c724d3623a838647a3ee7a2be0f8df99114fa41d

  • SHA256

    010ffe6edeb4185ae04edeb175e4b444e1487f83e34c740c1701d48024dfec76

  • SHA512

    6435922f72ec254e65ec3d5aa425d73f3c3f4a912adcdba7d5634651a930df9400f1c806c0a08dc261fd27898586c6c4cb1d662419ee97d1cc5c6e0b3ef31c1b

  • SSDEEP

    768:bscWsQ0bYc+TSw1uZTesWTjRKZKfgm3Ehw3:AcP2TyesWT9F7E23

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1234693959406845993/tVvvFEz0YwsdI1M-DdEdiDwgcwcdEQVWb92B8DRbOAnqE2ESEyZqYAlxS_PTQgBiMdxN

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cr2dit-c4rd GEN.exe
    "C:\Users\Admin\AppData\Local\Temp\cr2dit-c4rd GEN.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4140
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.0.805085745\665935530" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {753f3461-cfb4-46e0-82a1-e508f2e120c5} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 1844 1fed93dd658 gpu
        3⤵
          PID:364
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.1.846773815\31719001" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bef19f6b-f51f-4cd2-91a9-d942d5b4c4a2} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2372 1fed92fd558 socket
          3⤵
            PID:4612
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.2.527563887\841507056" -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2932 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd370394-888a-4331-a299-eca96b51ff83} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2896 1fedd49fe58 tab
            3⤵
              PID:3184
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.3.145701259\1050469313" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44777e55-7125-475d-9e7b-53cda407ce88} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3592 1fede273a58 tab
              3⤵
                PID:4044
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.4.853589214\1114008359" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa2a65a-29c7-464a-aa56-270b122a6514} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3976 1fedeb6c858 tab
                3⤵
                  PID:3780
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.5.760950995\352542387" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a162f9fa-debd-4d28-bac7-36edf3448dc7} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5160 1fec5761058 tab
                  3⤵
                    PID:5276
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.6.712886519\968391158" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0fd0a8-eeb5-4923-af58-d9e6ee5e9579} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5280 1fedeb6c558 tab
                    3⤵
                      PID:5284
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.7.308702253\795352344" -childID 6 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06fad635-f499-4442-8c3e-418049e3705e} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5488 1fedfa33858 tab
                      3⤵
                        PID:5292
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4936 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
                    1⤵
                      PID:5600

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA
                      Filesize

                      13KB

                      MD5

                      a0ea86dae7c0f040693568a48819a61e

                      SHA1

                      cc4d09540a12df297012fe6dd712a8c126918588

                      SHA256

                      ffd2c5808c9a2f1f117578bbc8053d2dc608699cf67014f037087817da19fdec

                      SHA512

                      fab00d1e75d4c2de1c439699fa56f2dcfa9bb0b7875e8e23ed7292d4cec6e8cdf063d805760a666ea813ce5d776ec3a2c6162c07f82fe19c05edb76cf99287c3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      9KB

                      MD5

                      14ff2562c5dd62ced1476b6eb258809e

                      SHA1

                      1eabb397f4f852afaaeed4c3f757710775e9c930

                      SHA256

                      ebe2e89d54bf94171e9fa357887db7b66f4180eb830abef4d18be88ea5f95559

                      SHA512

                      75d7529e0fe56e7cc3735710ca38b64549eb218e30fa1d00485acbcc516fd4c8fa98d8f41b1f78f23e97a340bc57acea571c0b2d4672a94910111256062bfc32

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\5d9d0eb3-bb24-4085-a797-1825a18ec0ee
                      Filesize

                      734B

                      MD5

                      0b48fdd950ba20a9945bd6b3b8b3a7ea

                      SHA1

                      ec8fd4d809dd73eb1fe200a711ec2a1a86b8f6cd

                      SHA256

                      0f118a78138a393e51975cfd44adf10ca16cffac4cf4ded9446f2a615e822dfe

                      SHA512

                      99653f8aa709ae9c2707288a2df491e82aabba6d077315541c626458e9a541d4570175086413a6340a5fcafab89c3ae99440ab21ec7661bcfd897a9ebce72104

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                      Filesize

                      9KB

                      MD5

                      e9a3f21e3b589e4779634d37147e486a

                      SHA1

                      0f5df0b5deabe48a7a724f863eb70be5d57b0b0b

                      SHA256

                      6a393f7fc6fc48790db9afdf5d981e93593a98c8a7c545463c3b8689a8069075

                      SHA512

                      34167ac83a7bef4d66c24e446d7ec5af23b6e2c55690da430713b73d9d6154ab6196188f7a46dd77e4c253577f90f8b5417017309b33ea8e0496af141bceed11

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      2219c4f22c57d5230ccd0e659fde3113

                      SHA1

                      43370d054fcce069f56870d5bf316cf8a6328b3a

                      SHA256

                      38b19682e32165a7707c09d882888ea6b579149b3a9adc8549d217899d02a425

                      SHA512

                      ecc6563eb6e663f3d11e7514cb0897e490156924f4189e7c126eda773ee91cf2703a457dc2eaee8fd5e0d8a956022c2a2c1a4e4efb53007d1b29f7ef5c0f03a5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      0ead7ed2de6bf09a8e83082cff1e01c5

                      SHA1

                      652c8df3637f187ecacd70c0e2857e2b0d64e864

                      SHA256

                      c072aefa822cea9ea5e654aad6e648d29b1dadd86fcf4bd3d75819829ddb898b

                      SHA512

                      cd2f7b0b770c38552b7830fafff65aa843f15ab1c9a0a32027d42a71392a1bccab28b07086802f2b2228a8ef2999462c93c2a650fa3f8bd576dc15ce285c5be0

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      aa456e80e5fb693699629753b925e9f2

                      SHA1

                      9e931699ace1d8bdaad59804b515cb67768452cd

                      SHA256

                      322cfcc7e8bd0cc8dbcc43161928cdc5069d92eaf3235baf82c3d9468a8d359d

                      SHA512

                      7dc532861ebb24175d1c1e15f572419f284e60b1f64bbe8396574fc0ce29741cde7a8750866f8571b7792051bd2a545fce9a1b03c83fe8cc8dd88d2a969b8114

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      24398a2ea56a3ee64bb9e436abc61adb

                      SHA1

                      834b6af0beb59433577c87dc54ac61233f6e79d4

                      SHA256

                      1287736d0512b0958c115d92b484e6800eb91fbe380d6c6bbf0655095d3ef42a

                      SHA512

                      1f3dbdf4f6c02a5f0e4df7b4011e5faefddcd201bf7ed326b2419b06b37997403fd15fa1e1874c0365cea8cee898e1ed57441272d7294a50c3f23eb76e5e2128

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      fc7990934c133cb3ba7f416433a015b2

                      SHA1

                      222fc4ec8bc68b6b16bab4ac0c5e2ed4eb1f23d7

                      SHA256

                      be114c5855049c7c9f1a0f7cf99206e8ae19294656ca70d4a1c4db68496a5d4c

                      SHA512

                      23465d6f1c772caf3feb11acc04d95a5709128505bfa0b128b110be06ed7a4f3887d0d489a25ebf2cdbcc582c5857e921b6cc9efb5e3d47f27054e591e705e66

                      Download Submit

                    • memory/4140-3-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4140-0-0x0000000000C80000-0x0000000000C90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4140-1-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4140-2-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

                      Filesize

                      64KB

                      Download