Analysis
-
max time kernel
38s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-12-2024 19:53
General
-
Target
https://github.com/xsplitst/RGF/blob/main/RBF.exe
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/xsplitst/RGF/blob/main/RBF.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95bb446f8,0x7ff95bb44708,0x7ff95bb447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4180 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\RBF.exe"C:\Users\Admin\Downloads\RBF.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\RBF.exe"C:\Users\Admin\Downloads\RBF.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,6039944772596593621,18332283087694583762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
1KB
MD543d79a1114eaf62a772e2f298bd54127
SHA1a8f1bc1d0da673c0848cacfe1c30f5fe886566be
SHA256bcf6aa66f61c499aeb89d804732e3505a1c2f5cd26313e4d7e560655c410c0e6
SHA5128e0462e96d9b3f8f7498495eb3fb8f1d47c5cc02705e39669bc45346833487d24b4f087bd7b64caae837fecea1ee269401a25bb343878295e593c2fcec4abe6c
-
Filesize
5KB
MD5da7162e100e21b84b976929235feeb0a
SHA17992294bcd476425b7e502e8558a75b211c02270
SHA25658c57de7e17a1388063616b138b7441a6c2d00ee2d8914a29193b2c279a9246f
SHA51235cadb933f6fb970364c24e8dcec5ee4f1f74a0764065076da56be3bafd4578f4f6ad4b3dea4e5399774b40d109a6692c97239ea25d21ba0d683c2a8f2e35606
-
Filesize
6KB
MD5779327f5ad9948418a963da086a72686
SHA18aaae861cb6ee3f3a0cc4024b9b646c720709645
SHA2561ef3426e21cfe22e84838acfeb9a27cbebaf4b35cfb3b32302cf73bcaf4c1228
SHA5121370ff1263089f5cfac2ac8f6c633eddb158c5d26d4583306c61e02e7b9ee22e31f2494b967b129e4f2b88085fb1ad56f4f04b953143b949471387184eb991a7
-
Filesize
1KB
MD5e357a5b543fa068e336606d77a2e8a4a
SHA1b857a30d0e0fffacf700a8dfa2d762f6ff67482e
SHA25679a7bc726aa6e64e40e2d40300ed8daeaebbe4d7a512fa109f8ffff4e0a4cd00
SHA5124bf65fc6b90b64b930d765c174949825d8b77f4d340fcd1f1dfa63a126d4fbbac6738b49987bcc12d46a0871dbeb5dcfa18b81817cf8b45ae2ab9f8db11f5c37
-
Filesize
1KB
MD5b22cb811d99e53216b2e6b681534a991
SHA138469af470a192b3c027673221ed76cce5fa4481
SHA256ccffb9d8f28af819059e73b3c4275e837c4cfc0cf8baa9aa5e416dfc940ec4d5
SHA512ffa06c68b8718313edf423668a40ff83d3c46fb456a03de6681708cd2af5e944ceec00c512a8c45322fa902f094e264a6f2cc84ecede5292d0b2c20d2d6bdf78
-
Filesize
6KB
MD5b1b66db545d584ee5d48d7b39418a974
SHA1d1e37a592f7dee44d0600a3f7d69b4d8a9894cc3
SHA256f664ca890b06320c211dd08efcfdc9b3d6377e067305b387460472f99b398478
SHA512c094c96b9ca44b409f8e5fedb934ceb87036b81b866c063ee35f3ebeedf86b9fc982e1e3fd39328cf276cd237d41d104bba43c3ee681afc8c13be882b1ba86e6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD579812e45c17c172cb4be19b6592275cf
SHA19b4e4e845165e9711eebac9de9275b21907c9b63
SHA2564e275d43064b6a672c8cb434a5115bf309ee6aa2a6344728ec874909d5cffb13
SHA5128e2cafcd5f5db53eb2e50e439f4df29c8af84c714afc1ba81b27f259f15b1e714baf83a20b25b670bbbc5284fce9942902c804f77682e34594781749403dc63d
-
Filesize
10KB
MD50a41e319dceff566699374662b6c0451
SHA1d22dbe21ebfd2bc2523f687f9d981127a2290850
SHA2562089a9e08cc55d46a1c4dca595bc4c8f6211e21ec266ca4803feb9a2b2278b90
SHA5129494bb2905ff2e4c86bfe584219158b0f91ee9e7882a484cee9db5273a09a53493c6b3ac74f38516cd7e5e0dd0d97119f764b827c1bac2c4e73ba846e8a23ec9
-
Filesize
41KB
MD509d12c328c88bfdfef9dcc0927dca671
SHA14f61a36bc05dbd9229b56db5ead4ea3d37e4308a
SHA25664e772d1da472d9da1dde4d9b070c1d9acf98d9819ec04058a0161f020022e49
SHA5124774119f1eb6f3f712fc29f7c7cceb31a67c62c01a6b7f09ccf17a85a4d78b3fed4f3a9532c353490f9058aae5db58d305a92a65a8e8039e7c123f48e73d1d51
-
Filesize
64KB