General
- Target: ItroublveTSC.exe
- Size: 514KB
- Sample: 240903-q9d1hszdjb
- MD5: d8264e0921403244b0c29079bb732368
- SHA1: d61b7c088ac4e118a6ac41fc4491961daa607773
- SHA256: 66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6
- SHA512: da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed
- SSDEEP: 6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg
Static task: static1
Behavioral task: behavioral1
- Sample: ItroublveTSC.exe
- Resource: win10v2004-20240802-en
Malware Config
Extracted: mercurialgrabber
- https://discord.com/api/webhooks/899842638260338719/2a5S9S1gHhBIZB1ISPfnaBVgbTdkzaMWdmP_oGgFx14jtlvloXQRGQaYOY1Djoem1pL8
Extracted: nanocore
- 1.2.2.0
- 176.168.5.0:2605
- d01924fe-4e8d-4b6f-850c-443e5741751a
- activate_away_mode: true
- backup_connection_host: 176.168.5.0
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-31T04:06:57.831335236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2605
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: d01924fe-4e8d-4b6f-850c-443e5741751a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 176.168.5.0
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
- Target: ItroublveTSC.exe (514KB; hashes as listed under General)
- Mercurial Grabber Stealer: Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
- Credentials from Password Stores: Credentials from Web Browsers: malicious access to, or copying of, a web browser credential store.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)