Overview

overview

10

Static

static

10

RGF-main.zip

windows10-2004-x64

1

RoBrute-ma...ute.py

windows10-2004-x64

3

RoBrute-ma...Lib.py

windows10-2004-x64

3

RoBrute-ma...ib.pyc

windows10-2004-x64

3

RoBrute-ma...cks.py

windows10-2004-x64

3

RoBrute-ma...ks.pyc

windows10-2004-x64

3

RGF-main/RBF.exe

windows10-2004-x64

10

Resubmissions

12-05-2024 18:09

240512-wrsnvahe71 10

12-05-2024 17:56

240512-wh2v6acb26 10

12-05-2024 17:50

240512-we2qzsbh82 10

Analysis

  • max time kernel
    199s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RGF-main/RBF.exe

  • Size

    41KB

  • MD5

    09d12c328c88bfdfef9dcc0927dca671

  • SHA1

    4f61a36bc05dbd9229b56db5ead4ea3d37e4308a

  • SHA256

    64e772d1da472d9da1dde4d9b070c1d9acf98d9819ec04058a0161f020022e49

  • SHA512

    4774119f1eb6f3f712fc29f7c7cceb31a67c62c01a6b7f09ccf17a85a4d78b3fed4f3a9532c353490f9058aae5db58d305a92a65a8e8039e7c123f48e73d1d51

  • SSDEEP

    768:escGoAxWdPN+wauZLePWTjZKZKfgm3Ehpe:tcVdPN9ePWTVF7Ebe

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RGF-main\RBF.exe
    "C:\Users\Admin\AppData\Local\Temp\RGF-main\RBF.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4620
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5820
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.0.25825262\653010099" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d70cf7f-5847-4d21-84fa-3079eb1d7efd} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 1980 20b231ce158 gpu
          3⤵
            PID:5032
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.1.1572690353\1537483660" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f18813-5873-46ef-afd6-e8ec1ebde54a} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 2380 20b1676ce58 socket
            3⤵
              PID:4452
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.2.567203208\1326830004" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3008 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3abd2cde-ee32-483a-843e-d9564fa0060e} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3124 20b273a1b58 tab
              3⤵
                PID:4144
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.3.1640396610\1778456369" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a947d42-c1fd-49cc-81e9-b9a25b320fe5} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3784 20b1675ac58 tab
                3⤵
                  PID:1452
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.4.660453965\957859265" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4060 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0f3a52-53df-41be-bce7-c397994d3a53} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3776 20b22efcf58 tab
                  3⤵
                    PID:4916
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.5.1837837202\1394863219" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c753b8f4-0317-4695-a684-27d88748ff09} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 5096 20b28dd8158 tab
                    3⤵
                      PID:1924
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.6.1949364887\1729477973" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67af211a-6651-485c-bb3b-a962c93716f2} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 5152 20b28dd7858 tab
                      3⤵
                        PID:3876
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.7.1163726838\1179366797" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc3dff98-6608-42c5-a78a-e0beb9b8729a} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 5336 20b28dd9658 tab
                        3⤵
                          PID:3732

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
                      Filesize

                      13KB

                      MD5

                      81c57d3112090e059a777494be6aaf21

                      SHA1

                      74049ef146b97ad3681e221e91b9bda7a862fde8

                      SHA256

                      c404a9e01e10d34ef3e561f09f055510d2138161f77338ce5c26a2894b459d5e

                      SHA512

                      4ad9db7cc7b69a1ce3dd38eb0389d63ecaa77f26626d6ab9d802e99d5c4adf24d9ebd617b9fb803dff42af69a338b5b0d77b240e9a5755be16d06831151e6d7f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      6b4631b73ec9275704bc5871077c88b7

                      SHA1

                      923747c66af3ba9566b251d0e80ed1286bcb978f

                      SHA256

                      b7df7cbe9e3db19e1e7c862f3837ce3933f1791e278ac961ff22a1cb992fca5f

                      SHA512

                      af03ebba8d56c6ab4edad4a1ff869bc1ea9634b3fa38d17454f05285d064db4487744d7820dcfd67aae56682a6a66c0c2589d0af8bcafbc3284a2e6d203e8d6b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\c071c358-169c-456b-8806-548432b1548a
                      Filesize

                      746B

                      MD5

                      ec9625df5d05df11f9841202e7080004

                      SHA1

                      25fce810d4e54d5eba1c444cd8e7142a72ddd1ad

                      SHA256

                      2b2f5ef12863d39c987d73299e9c98463b1b213c140969129526eb9753b4a691

                      SHA512

                      630b2e72636c07ec954fdfc22610c972a6e267c9d1187b6f80b71aa47bfc05a51daf66fc663ef59c1e9038d8ac4183779e583c53311e5db40ae2f551ec1d4e81

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\fd3689c6-06fd-42fa-9b7b-2dd4880bd349
                      Filesize

                      11KB

                      MD5

                      d2b40e318703b6e10b4251e74dab0a48

                      SHA1

                      fdedba0189f0ec312e192c6b413c55516f7d444e

                      SHA256

                      d07b28e87b96d29e44582132d83b0d603b4a29eab547b8929568c1452b4be8be

                      SHA512

                      f905c84c40221209232c69dd2e213e9f168ea35d69c7e764156d9003a3aa0fee548b68873c7398e7ac3c1902f50a99f131d85359bdbaf4ac41a913e776294ee2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                      Filesize

                      9KB

                      MD5

                      43a453990c72dff24a025f4b3e615a37

                      SHA1

                      03b0cb32d201a081a6c3685a35d77a5ffd8a0c23

                      SHA256

                      6b2348200133beb0e8a7a2b6cf5a6d14f522a893e7d7c425304b4277f90a58d1

                      SHA512

                      c380524fab91471301ada466a9854cf15ae5a03eaa6350d70d2984a705c0e6bfe8148e5715ed9c0c996fc095b473e1aca939b8c744a7104c4e9366f414a1ad72

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      7cb189761888b9bbf5eeaba5895b81ce

                      SHA1

                      f7983223843632ee7b5e411449396d5bc3328046

                      SHA256

                      4ef1e2e49163431cde99bb88bdab85130ed9844d3a9518e2cc36a012cc57701a

                      SHA512

                      ff6f221887bbec46aada9bb7e1301f19c492057fd319ef482b6d11243420068c2ae843ed8550192771f34fe6ef99242b2edf6c979ba83080886195d5fb263c07

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      005b3811ee1fb0c9704dc56a7a5dbf12

                      SHA1

                      e2befb3ab10f7b232c1c090b5ce62df58ef610af

                      SHA256

                      56c70084e64ee65ce82bfe675db21986428105ca56dc574b7b818f778d8bad9e

                      SHA512

                      07a6680a8d45a15d777386c661ab920aae72a42feda31cf0f8ab6c6d779669b652ae1da716379644739053e15dca5d685841a4fcda80aa2a8abe179796608edc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      597f36cc531753caee5dc35d0aac775f

                      SHA1

                      5f982341504cdfef3533c573e52a8052bc148c77

                      SHA256

                      177d576d272d8fd79969a85709ba0c599e7431d33ffb1fbe4589877ca9775453

                      SHA512

                      78f488a0a825a8ca3ec15f11e00d06f704eb7ab8000443c426044053921ec717dbbfddafa369211b9d18b43634a1f26265d3cd4a45615922542b2f2d7a72d618

                      Download Submit

                    • memory/4620-1-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4620-2-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4620-6-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4620-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

                      Filesize

                      8KB

                      Download