mercurialgrabber | c85e0123fb0b3d29aae8881413fde27cb7054640e96f8d8340c41df731bcd7e0

Resubmissions

10-09-2024 20:12

240910-yy98ksvamg 10

10-09-2024 19:45

240910-yghf8s1gqn 10

10-09-2024 19:36

240910-ybfqfs1ekj 10

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boosttrapper.exe
Size

41KB
MD5

6dbeca583b9076080c5906a8390b682f
SHA1

2e065578d2014163123a9385127b8089130d5d9b
SHA256

c85e0123fb0b3d29aae8881413fde27cb7054640e96f8d8340c41df731bcd7e0
SHA512

77e1422802a153a155451796adaf307a5d04496e497ab697d66e030ab2a2b73d956c8fad0a48295230c55922d28eec3375e990bd44f30e8c8a2cc4d3a7416a38
SSDEEP

768:uscaIiIq3KHWOJTw3duZSeiWTjHKZKfgm3EhuS:dc1KKHHoXeiWTLF7EcS

Score

10^/10

mercurialgrabber credential_access evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1283148683948458076/nwSWn_1EUZ_xJZvUQAdPKe2Ale9RGmJpW5fCqCBqQQxxiGuweCIzhQUdNMd16Z7sffgt

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Boosttrapper.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Boosttrapper.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Boosttrapper.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Boosttrapper.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Boosttrapper.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Boosttrapper.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

22 discord.com
24 discord.com
28 discord.com
56 discord.com
57 discord.com
59 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip4.seeip.org
20 ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Boosttrapper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Boosttrapper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Boosttrapper.exe

flow	ioc
22	discord.com
24	discord.com
28	discord.com
56	discord.com
57	discord.com
59	discord.com

flow	ioc
2	ip4.seeip.org
20	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Boosttrapper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Boosttrapper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Boosttrapper.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Boosttrapper.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Boosttrapper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Boosttrapper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Boosttrapper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Boosttrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Boosttrapper.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Boosttrapper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Boosttrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Boosttrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Boosttrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Boosttrapper.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Boosttrapper.exe

pid process

3460 Boosttrapper.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Boosttrapper.exe

description pid process

Token: SeDebugPrivilege 3460 Boosttrapper.exe

pid	process
3460	Boosttrapper.exe

description	pid	process
Token: SeDebugPrivilege	3460	Boosttrapper.exe

C:\Users\Admin\AppData\Local\Temp\Boosttrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Boosttrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-0-0x00007FFF28353000-0x00007FFF28355000-memory.dmp

Filesize
8KB

Download
memory/3460-1-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/3460-2-0x00007FFF28350000-0x00007FFF28E11000-memory.dmp

Filesize
10.8MB

Download
memory/3460-3-0x00007FFF28353000-0x00007FFF28355000-memory.dmp

Filesize
8KB

Download
memory/3460-4-0x00007FFF28350000-0x00007FFF28E11000-memory.dmp

Filesize
10.8MB

Download
memory/3460-11-0x00007FFF28350000-0x00007FFF28E11000-memory.dmp

Filesize
10.8MB

Download