Analysis
-
max time kernel
110s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
19-07-2024 22:40
General
-
Target
https://github.com/InstallerDiscord/SelfBot/commits/NewSelfDiv
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/921678357500936203/OMxsDxYLyTruPzBRPLU45c5V4FI7ldOpTiPH3tZMQ9nwEBCpbZijt3W2YXMkjjwMT5Y5
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/InstallerDiscord/SelfBot/commits/NewSelfDiv1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f5e546f8,0x7ff8f5e54708,0x7ff8f5e547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5472 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4918824026964877452,4040875024824610459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat" "1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat1⤵
-
C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\Iniciador.exe"C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\Iniciador.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[Atenção] Leia-me.txt1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat" "1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\[ 1 ] Installer.bat1⤵
-
C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\Iniciador.exe"C:\Users\Admin\Desktop\SelfBot-NewSelfDiv\Iniciador.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d406f3135e11b0a0829109c1090a41dc
SHA1810f00e803c17274f9af074fc6c47849ad6e873e
SHA25691f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
SHA5122b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409
-
Filesize
152B
MD57f37f119665df6beaa925337bbff0e84
SHA1c2601d11f8aa77e12ab3508479cbf20c27cbd865
SHA2561073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
SHA5128e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817
-
Filesize
2KB
MD52e19c600e601c59084a9b69884369f94
SHA1baed057c6a976abe42ff1a54c1d3dfe1c23d05a8
SHA25648280948c9fae15107880c0327f93e508f95b17cf07e2a3bf95ae33bb83ba5b9
SHA512882ac7e0cd83a843af0d3f3dbaf2cb714acd73fa3c30c9cd9f2925ac0e35eb9f1520f20c8f86c1d21076f4b0d2b0407f0e4dec3dd1fc7e47ab0cedfa4e1cd645
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
573B
MD50028a1a5c441a3cd5a60c34da771564f
SHA1e15d27a8322b435564ebcd36467b997d0fa8ef32
SHA2568dc36283781a25af9e2ae76d255ae311b2715396f710ff0e9850b0e64525759d
SHA512e26efd2be3114e733acdc00fb54150790872b10c88a7c4d3a19a16383bf58897ad89f14b3255a984f836666b98bafc099d8988532d03acda0dee7a7a7da3f40e
-
Filesize
5KB
MD5c26e71e0ee204a8a671ca0f619fba56b
SHA1665a598bdd45c8362b0f44d96abd20c11a46e89c
SHA2562eac3f04885b529b152084d74335aac9ac8ef0e295039ecf2f44d8c0fb4bb28d
SHA512a45d1181e887c0e9843470aa23b9fbd19547de4cf3b9ebacc7afcf5b3810e4afb488f8044b361fd8da23c5bad1a1c5545339ba70ee55c91a06dc51b5a91c5ba7
-
Filesize
6KB
MD54f5e1f02aaed4d30edf5baa3eb24c2b2
SHA128d0c5cc0c3f45659c6be5e848dad0ba8e07dde2
SHA256562b2f35c1c19d7fa6b5ce2e4e5109ffae9bef71eb40ebae192e73844a78a0e5
SHA512fa9dec8bc83fa1b518b1c3375d49ec9e2ccb310d19c11440c4da9b960263d8812f358b905b869180057fd3eb68a573acfd3ba3305ec1b1ff95d09772f87a1552
-
Filesize
6KB
MD57575f31e769f5b4cbba82b6822292025
SHA183d4bb939ed705045e87afb2f70e717f86086871
SHA256ab97fb6f0526a8a3f5c67e34494d2da5699b68914db3ef5aaaafc16a284ed32b
SHA5121c48152a76c0f116dfcb307c641cb4285d9a904348cdc165eeeafef241d8672adf364e32bd2fdd56e7a56b66deaa0275518f88e1a6ed259a6af529e4f790ae4a
-
Filesize
1KB
MD5362b6963df6b3f5b42edcb6ed6cf09da
SHA1d24e900e37faefe66c6d9057568dff6a6769a69e
SHA2567fab70cb77d7c6947e869e4980586d18846a315a3b925501214009ed77d9bc87
SHA51268db564ec744e34caff8c74dad333ab97d99adbee6ebf3d6f464c0e67a789e73c0e67a2b5e9e89a1f78dba13e915ef045c3696041cbefc2df5f64266336ddbec
-
Filesize
1KB
MD5f126d69bbc96f10b60c8e5a67b4f8a3d
SHA1cdec8f1cf3152dab241d4c34db8beacc47c692e7
SHA25660754e6c727714ad380425bd72e56cc6a67f955459969c624ffc75261db75305
SHA512ce0feb96bc04d7e37d1dbf27159813a6454f1bc52878d1660be244648ac68b5f0f7e3f7e2af02d56804ad59df177920c2c827b2c4f6dc44fe6399d6640609406
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5dc39ab697e84e933799084ccc50e3cbd
SHA1a198df43cea6d73b7d32ea604e4832c28fb5d6b9
SHA256a3500b8364192ec105195ac9df14131747a8b7ed435576e05ecceb106baea205
SHA512d0841c13df04d3f6a06546b14d0eb1150606d3ebe18d1d8907de1bdf45a21089767a14e9f51ef209b102613758a0645435768f53af470c1e1406d80d22205093
-
Filesize
10KB
MD5284a77f71ca029c09031430dcd30576a
SHA1fc6f1faea498949cfba2f12aab324b87ee3989a1
SHA256df7a87495aafb327370a880f422f1c4fc0d8dca893500ddba4ee536b2635d241
SHA512c4bbd669c5baa82ad74f2238b649252c2c0f4224bc5befdf3c79d42c4af5a7781cb3b81cb4d9d5eae0e4f6767dc073dc93d59e2cb6bbb3b44afb829381e1be28
-
Filesize
19KB
MD5a176fff11e37661c9c224661f732bc59
SHA12f71a8f703db9b588557009dd99d0da930ec92ac
SHA25601dda1bfbceaad3411c427be2618fae0e40576c96ede94b2f982fab542a84697
SHA512990729c72b8de4e6d857fd63ea5015a96d1c5b3da41aba8b2b7903c5b8d62538de27353c2a050a84a1c1c512ba753e03e7583794977315d66fc7c3dd8dce6c6e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB