Analysis
-
max time kernel
14s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2024 13:01
Behavioral task
behavioral1
Sample
Xenith external.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Xenith external.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Xenith external.exe
Resource
win11-20241007-en
General
-
Target
Xenith external.exe
-
Size
464KB
-
MD5
e100e653c23372c11cb5f7d2e2aa19cd
-
SHA1
3cde5da0c33f819bfdbe35217e0dc5b15f8de999
-
SHA256
3dc8b2b1c3ced9219061ac2d7a000caa6b55d11b9b5588c4f08e3b9d2dbf63b5
-
SHA512
53b96843996018800bbcfd2f36bc16df5329b6a6f225e5d24b9cc455ed158c352a671b37f0f9b5478ccc098f22ab7793d069a032a5b362eac720acdc594524d4
-
SSDEEP
12288:s/UltPyOyoAWreyKs/+jJtgJzSOO8Z4zZY6dH:syPylrWrlGjJt8zLO8Z4zZY6dH
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1311424192897618040/nvddKCHqpLtA7pd9-TyyrZ_3e9j8wMmjTjbfWvCd7RK9QAr7enGcgBkVxbBAlPgUCT7x
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Xenith external.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Xenith external.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Xenith external.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip4.seeip.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Xenith external.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Xenith external.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Xenith external.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Xenith external.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Xenith external.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Xenith external.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Xenith external.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3496 Xenith external.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xenith external.exe"C:\Users\Admin\AppData\Local\Temp\Xenith external.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3496