Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 16:07
Behavioral task
behavioral1
Sample
Injector.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Injector.exe
Resource
win10v2004-20240508-en
General
-
Target
Injector.exe
-
Size
44KB
-
MD5
f7c3875f6ea9e98e25d6921a9c0a58ab
-
SHA1
46873856ece643479466542a66af96bee8b91b00
-
SHA256
19f40119dcaa7c7f3e898645bd74ba3ed4f9bf48bba8ffd053bc3a2cfa52313e
-
SHA512
e27a95fd5933cc4e349fb3ea21320b31f09c6a8e9d65fce9a09dcef15534637a3458d717bbfbe21c7665e6e1b1b204f08e170c892d8bce942cc9f1cde7a641a2
-
SSDEEP
768:J2Z7xsuNZq/lxKNpFdGf0WBREh0pGu20Q:05NexeUnEcG
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1244319532915622019/8xRNI2ixDCH_dmiSdYAGju9j8p_GBNGhBKnYDx93NJ_79q_2t8FIq-6srjH1y2o0xGns
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 70 discord.com 71 discord.com 9 discord.com 10 discord.com 11 discord.com 69 discord.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip4.seeip.org 2 ip4.seeip.org 7 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Injector.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Injector.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 928 Injector.exe