Overview

overview

10

Static

static

10

freefire.exe

windows7-x64

10

freefire.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 22:45 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    freefire.exe

  • Size

    41KB

  • MD5

    f68b437e71726ea2eb09b74191080ca8

  • SHA1

    84f71751ae0e278350d1a232a533f6931b91c1bf

  • SHA256

    fc8eefc8e8e4283e729d021452d969e368c93abd4ac74196fc118f6817ee9246

  • SHA512

    42fb9b9fc0e14da7e54c27e9fdddfbd50af08313a48dc256a97c9b13587fd8b8b45b0c699f552454fc727a5be1012d1c6fbdad14595cb716d5531fc4f528560d

  • SSDEEP

    768:RscaIyI97QT+xBcwSuZ1e4WTjUKZKfgm3EhzM:uc1zQTCe4WTAF7EFM

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1330668414972198984/X1GuzAptUr12moshlt6mEJL0oBFzegr6RFPwbkHMcnOjkQGQUCJWBaetGlaj3pZY-5w9

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\freefire.exe
    "C:\Users\Admin\AppData\Local\Temp\freefire.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2036 -s 1328
      2⤵
        PID:2980

    Network

    • flag-us
      DNS
      ip4.seeip.org
      freefire.exe
      Remote address:
      8.8.8.8:53
      Request
      ip4.seeip.org
      IN A
      Response
      ip4.seeip.org
      IN A
      23.128.64.141
    • flag-us
      DNS
      ip-api.com
      freefire.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com//json/
      freefire.exe
      Remote address:
      208.95.112.1:80
      Request
      GET //json/ HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 19 Jan 2025 22:46:26 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 291
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • flag-us
      DNS
      discord.com
      freefire.exe
      Remote address:
      8.8.8.8:53
      Request
      discord.com
      IN A
      Response
      discord.com
      IN A
      162.159.137.232
      discord.com
      IN A
      162.159.138.232
      discord.com
      IN A
      162.159.136.232
      discord.com
      IN A
      162.159.128.233
      discord.com
      IN A
      162.159.135.232
    • 23.128.64.141:443
      ip4.seeip.org
      freefire.exe
      152 B
       3
    • 208.95.112.1:80
      http://ip-api.com//json/
      http
      freefire.exe
      348 B
       600 B
       6
      3

      HTTP Request

      GET http://ip-api.com//json/

      HTTP Response

      200
    • 162.159.137.232:443
      discord.com
      tls
      freefire.exe
      345 B
       219 B
       5
      5
    • 162.159.137.232:443
      discord.com
      tls
      freefire.exe
      345 B
       219 B
       5
      5
    • 8.8.8.8:53
      ip4.seeip.org
      dns
      freefire.exe
      59 B
       75 B
       1
      1

      DNS Request

      ip4.seeip.org

      DNS Response

      23.128.64.141

    • 8.8.8.8:53
      ip-api.com
      dns
      freefire.exe
      56 B
       72 B
       1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      discord.com
      dns
      freefire.exe
      57 B
       137 B
       1
      1

      DNS Request

      discord.com

      DNS Response

      162.159.137.232
      162.159.138.232
      162.159.136.232
      162.159.128.233
      162.159.135.232

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2036-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-1-0x0000000000980000-0x0000000000990000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2036-2-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2036-3-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-4-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2036-5-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

      Filesize

      9.9MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.