Resubmissions

16/02/2025, 15:05

250216-sgbe2a1mgw (score 10)

16/02/2025, 15:02

250216-seve5a1mc1 (score 10)

Analysis

  • max time kernel
    844s
  • max time network
    854s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250210-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    16/02/2025, 15:02

General

  • Target

    Fr skibidi.exe

  • Size

    41KB

  • MD5

    4bbb23adbc1cafec977fc52a786c1c7a

  • SHA1

    95602a3060dd058abfa3ba6a1384b4023fea5c57

  • SHA256

    7bf62b6bf5ffbf4a72069d4a365bfc99f0c3552ccaf16c28f8845705d2f7df50

  • SHA512

    e28fcdf2db2b4cd75f14df55a287c50db302daf51e4e337fcb886d71ca015f49e414558640f31b7e1065ddac3c0a10680ae5b4939f063d9d0bd1f87d52d9b286

  • SSDEEP

    768:SscaIiIJVE64/ywruZye0WTj8KZKfgm3EhrF:Bc1jVElLe0WTIF7ENF

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1340699331883307028/16tpnAYBByHiVAI4QQLfQk-oiOtbEf2bDhtVR0QMI8eY0P03LzqokziuamktrNpiopq2
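A Discord webhook as C2 means the URL is the whole secret: whoever holds it can post to the channel, and nothing is ever read back, so the sample has no server to take down, only this one string. The webhook ID is a Discord snowflake, so it also dates the infrastructure: the ID above decodes to 2025-02-16 15:00:29 UTC, about two minutes before the first submission at 15:02. The following added example is not code from the report or from Mercurial Grabber. It scans a file's bytes for webhook URLs both as ASCII and as UTF-16LE (Mercurial Grabber is C#, and .NET user strings are stored UTF-16LE), then converts the ID into its creation time. The regex, the two-alignment UTF-16 scan and the sample bytes are the author's assumptions; the URL embedded in the sample bytes is the one the report lists.

```python
"""Extract Discord webhook C2 URLs from a sample and date the webhook.

Added example, not part of the sandbox report or of Mercurial Grabber. The regex,
the UTF-16LE scan and the constructed sample bytes are assumptions; the webhook
URL embedded below is the C2 the report lists for this sample.
"""
import re
from datetime import datetime, timezone

# Discord snowflakes carry a millisecond timestamp relative to 2015-01-01T00:00:00Z
# in their top 42 bits.
DISCORD_EPOCH_MS = 1420070400000

# Stable, PTB and canary hosts plus the legacy discordapp.com domain.
WEBHOOK_RE = re.compile(
    r"https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]{60,80})"
)


def extract_webhooks(data: bytes) -> list[dict]:
    """Return unique webhook URLs found as ASCII or as UTF-16LE strings."""
    views = [data.decode("latin-1")]
    # .NET keeps user strings as UTF-16LE in the #US heap; try both byte alignments
    # so an odd offset does not hide the string.
    for off in (0, 1):
        views.append(data[off:].decode("utf-16-le", errors="ignore"))
    found: dict[str, dict] = {}
    for text in views:
        for m in WEBHOOK_RE.finditer(text):
            wid, token = m.group(1), m.group(2)
            found[wid] = {"url": m.group(0), "id": int(wid), "token": token}
    return list(found.values())


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (whole seconds, UTC)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


# Constructed stand-in for the sample's string table: the report's C2 URL written
# as a .NET-style UTF-16LE string with filler bytes around it.
SAMPLE_C2 = (
    "https://discord.com/api/webhooks/1340699331883307028/"
    "16tpnAYBByHiVAI4QQLfQk-oiOtbEf2bDhtVR0QMI8eY0P03LzqokziuamktrNpiopq2"
)
CONSTRUCTED_STRINGS = (
    b"MZ\x90\x00" + b"\x00" * 16 + SAMPLE_C2.encode("utf-16-le") + b"\x00" * 8
)


def triage(data: bytes = CONSTRUCTED_STRINGS) -> list[dict]:
    """Webhook IoCs plus creation time, to compare with the submission date."""
    out = []
    for hook in extract_webhooks(data):
        created = snowflake_to_datetime(hook["id"])
        out.append({**hook, "created_utc": created.isoformat(timespec="seconds")})
    return out


if __name__ == "__main__":
    for hook in triage():
        print(hook["url"])
        print("  webhook id:", hook["id"], "created:", hook["created_utc"])
```

Run it against the real binary with `triage(open(path, "rb").read())`. Because Discord's "Delete Webhook with Token" endpoint needs nothing beyond the URL, the same string is what a takedown uses; whether to exercise that is a policy decision and is not done here.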

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Mercurialgrabber family
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC): the Discord webhook listed under Malware Config.
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
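Taken one at a time these signatures are weak: the scheduled Edge updater listed under Processes also trips System Language Discovery and Internet Connection Discovery, and plenty of legitimate software reads the CentralProcessor key. What makes PID 3336 a stealer is the conjunction of reading a browser credential store and posting to the Discord webhook in the same process. The added example below is not the sandbox's own rule logic; it scores a constructed per-process event stream and only returns a "stealer" verdict when both of those behaviours occur in one PID. The event schema, the registry key, the browser file names, the IP-lookup hosts and the weights are the author's assumptions, and the events are constructed to mirror what the report describes.

```python
"""Turn per-process behaviours into a scored stealer verdict per PID.

Added example, not part of the sandbox report. The event schema, registry key,
browser file names, IP-lookup hosts, weights and the event stream itself are
constructed to mirror the report's Signatures section.
"""
from collections import defaultdict

# Indicators behind the report's signatures (paths and hosts are assumptions).
BROWSER_STORES = ("\\Login Data", "\\Cookies", "\\Web Data", "\\Local State")
CPU_KEY = "HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
IP_LOOKUP_HOSTS = ("api.ipify.org", "ipinfo.io", "icanhazip.com")
DISCORD_WEBHOOK = "discord.com/api/webhooks/"


def classify(ev: dict):
    """Map one event to a (tag, weight). Credential-store reads and webhook POSTs
    are strong on their own; CPU-key reads and IP lookups are weak because
    legitimate software does them too."""
    kind, target = ev["kind"], ev["target"]
    if kind == "file_read" and target.endswith(BROWSER_STORES):
        return "browser_data", 3
    if kind == "http" and DISCORD_WEBHOOK in target:
        return "discord_webhook_c2", 3
    if kind == "http" and any(h in target for h in IP_LOOKUP_HOSTS):
        return "external_ip_lookup", 1
    if kind == "reg_read" and target.upper().startswith(CPU_KEY.upper()):
        return "cpu_info_registry", 1
    return None


def correlate(events: list[dict]) -> dict[int, dict]:
    """Group hits by PID. 'stealer' requires the read AND the exfiltration;
    a high score from weak indicators alone only reaches 'suspicious'."""
    hits: dict[int, dict[str, int]] = defaultdict(dict)
    for ev in events:
        c = classify(ev)
        if c:
            hits[ev["pid"]][c[0]] = c[1]
    verdicts = {}
    for pid, tags in hits.items():
        score = sum(tags.values())
        if "browser_data" in tags and "discord_webhook_c2" in tags:
            verdict = "stealer"
        elif score >= 3:
            verdict = "suspicious"
        else:
            verdict = "benign"
        verdicts[pid] = {"score": score, "tags": sorted(tags), "verdict": verdict}
    return verdicts


# Constructed events: PID 3336 mirrors the report's sample; 944 stands in for the
# Edge updater; 5120 is a made-up benign process that only reads the CPU key.
PROFILE = "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
CONSTRUCTED_EVENTS = [
    {"pid": 3336, "kind": "reg_read", "target": CPU_KEY + "\\ProcessorNameString"},
    {"pid": 3336, "kind": "file_read", "target": PROFILE + "\\Login Data"},
    {"pid": 3336, "kind": "http", "target": "https://api.ipify.org/"},
    {"pid": 3336, "kind": "http",
     "target": "https://discord.com/api/webhooks/1340699331883307028/<token>"},
    {"pid": 944, "kind": "http", "target": "https://msedge.api.cdp.microsoft.com/"},
    {"pid": 5120, "kind": "reg_read", "target": CPU_KEY + "\\~MHz"},
]

if __name__ == "__main__":
    for pid, v in sorted(correlate(CONSTRUCTED_EVENTS).items()):
        print(pid, v["verdict"], v["score"], ", ".join(v["tags"]))
```

The point of keeping the verdict a conjunction rather than a threshold is false-positive control: the weak indicators are exactly the ones the updater processes in this report share with the sample.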

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe
    "C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3336
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5NDMxOTkxMTkiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:944
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzY4RjE2NDEtMkE4Ri00ODkwLTk0RkQtRjdDMkE1QjZCMUI5fSIgdXNlcmlkPSJ7QTc0OEJGMUItNjQ2NS00MzMzLUEzMDYtOTU5QkZCQUY3NjlFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszMUI2NEQ5MS1DNTA5LTQ0OEYtQkI4Ni0zODFEM0ExNEJCOUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgY29ob3J0PSJycmZAMC41OSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins3ODFEN0EzNy05ODZDLTQ3NjItOTU2NC03MTdDQzBFODkzMDh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjYiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzY1OTQ4OTk2MjM5NjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI2IiByPSI2IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7NDI1N0VFOUUtRTJEOS00QzI2LUFFRjEtNDEzQzI5NTA4QzFGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50
PSIiIGluc3RhbGxhZ2U9IjYiIGNvaG9ydD0icnJmQDAuNDkiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9IntEMDZFQzRGRi0zQjEwLTQ2MjgtQUFBMi02NDU3MERDMDM4MkN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2744
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1452
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTE0MjUxQjMtRjg4RC00QkU2LThFOUMtRTQ4QjQzMUI0MjEwfSIgdXNlcmlkPSJ7QTc0OEJGMUItNjQ2NS00MzMzLUEzMDYtOTU5QkZCQUY3NjlFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDMzZDOUY1OC0zRjcyLTREQTYtQTk2RC03QkRCNDJDMTI2ODl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgY29ob3J0PSJycmZAMC41OSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins3ODFEN0EzNy05ODZDLTQ3NjItOTU2NC03MTdDQzBFODkzMDh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjYiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzY1OTQ4OTk2MjM5NjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI2IiByPSI2IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7NDI1N0VFOUUtRTJEOS00QzI2LUFFRjEtNDEzQzI5NTA4QzFGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50
PSIiIGluc3RhbGxhZ2U9IjYiIGNvaG9ydD0icnJmQDAuNDkiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9IntEMDZFQzRGRi0zQjEwLTQ2MjgtQUFBMi02NDU3MERDMDM4MkN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4948
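The four MicrosoftEdgeUpdate.exe entries are the scheduled Edge updater (`/ua /installsource scheduler`) and its telemetry pings, listed at the same top level as the sample rather than beneath it. The long `/ping` argument is an Omaha protocol 3.0 XML request encoded with the URL-safe base64 alphabet and no `=` padding, which is why a plain base64 decoder rejects it. Decoding it is how to confirm the traffic is update telemetry (`updater="Omaha"`, `installsource="scheduler"`) and not a second exfiltration channel. The added example below is not code from the report or from the Edge updater: it restores the padding, parses the XML and summarises the apps. The payload it decodes is a condensed reconstruction with the same structure, app IDs and versions as the report's pings, not a byte-for-byte copy; the app-ID-to-product names are the author's assumed mapping, and `REAL_PREFIX` is the opening of the argument as it appears on this page.

```python
"""Decode the base64url payload MicrosoftEdgeUpdate.exe passes to /ping.

Added example, not part of the sandbox report or of the Edge updater. The
CONSTRUCTED payload mirrors the report's pings in condensed form; KNOWN_APPS is
an assumed mapping of Edge Update application IDs to product names.
"""
import base64
import xml.etree.ElementTree as ET

# Assumed mapping of Edge Update app IDs (not stated by the report).
KNOWN_APPS = {
    "{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}": "Microsoft Edge Update",
    "{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}": "Microsoft Edge (Stable)",
    "{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}": "Microsoft Edge WebView2 Runtime",
}

# First 102 characters of the /ping argument as shown in the report.
REAL_PREFIX = ("PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2"
               "NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI")


def decode_ping_arg(arg: str) -> bytes:
    """Omaha uses the '-'/'_' alphabet and strips '=' padding; restore it."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(padded)


def summarize_ping(arg: str) -> dict:
    """Parse the Omaha request and pull out what an analyst checks first."""
    root = ET.fromstring(decode_ping_arg(arg))
    if root.tag != "request":
        raise ValueError(f"unexpected root element {root.tag!r}")
    os_el = root.find("os")
    apps = [
        {
            "appid": app.get("appid"),
            "name": KNOWN_APPS.get(app.get("appid"), "unknown"),
            "version": app.get("version"),
            "updatecheck": app.find("updatecheck") is not None,
        }
        for app in root.findall("app")
    ]
    return {
        "protocol": root.get("protocol"),
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "installsource": root.get("installsource"),
        "sessionid": root.get("sessionid"),
        "userid": root.get("userid"),
        "os_version": os_el.get("version") if os_el is not None else None,
        "apps": apps,
    }


# Constructed payload: same shape, app IDs and versions as the report's pings,
# with placeholder session/user GUIDs.
CONSTRUCTED_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.195.43" ismachine="1" '
    'sessionid="{00000000-0000-0000-0000-000000000001}" '
    'userid="{00000000-0000-0000-0000-0000000000AA}" installsource="scheduler" dedup="cr">'
    '<os platform="win" version="10.0.22000.493" arch="x64"/>'
    '<app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.195.43"><updatecheck/></app>'
    '<app appid="{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}" version="90.0.818.66"><updatecheck/></app>'
    '<app appid="{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" version="132.0.2957.140"><updatecheck/></app>'
    "</request>"
)
CONSTRUCTED_ARG = base64.urlsafe_b64encode(CONSTRUCTED_XML.encode()).decode().rstrip("=")

if __name__ == "__main__":
    s = summarize_ping(CONSTRUCTED_ARG)
    print(s["updater"], s["updaterversion"], s["installsource"], s["os_version"])
    for app in s["apps"]:
        print(" ", app["appid"], app["name"], app["version"])
```

Paste a full argument from a process command line into `summarize_ping` to check that the `sessionid` and `requestid` differ per ping while `userid` stays constant, which is normal updater behaviour; a payload whose root is not `request`, or that lists an app ID you cannot account for, is what would justify a closer look.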

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    611KB

    MD5

    72deb3e3655373bf9bb754d066933aa9

    SHA1

    1fd5a48450b82c956ba666cfcdb3cc216d3bbc2a

    SHA256

    8411cfcc7daa2c7fe73d5a805f6d85d7e1f329aa8d224458b01761b13702de0e

    SHA512

    8b5a057ba599f155bcc40196cf13ffdf02cc9936bc7ab7dff77b15cef7ef5e2e8f070b21f99f245f3530018361556e3c55b98170b8fab6dade31a392b275082e

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    629KB

    MD5

    d83868b1aa54e213c8d914db00756419

    SHA1

    4d75b1c14e24b10144ec8ad80381ad1e679a8e8e

    SHA256

    1ee222050e9e89e2f465021d862dd26986f6e24217e6bacb5dec8c6513316372

    SHA512

    bc80d0906a8e9b85468dd8ff2d535cb7be6675d485799dfbb83f0aa81152c405d93b9888e26131286e8c780186508d4ce4f42ef124ba95bbb5e6be4cb54e384d

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    669KB

    MD5

    111fd6383806f887cb8efab8b6a4951c

    SHA1

    aec3d00bf541b4ba051bb774a7fa5530df414c91

    SHA256

    ee079711fed79bde3ff4b0e1d1605cf29edc40c20e9c0cf269200e0146408233

    SHA512

    91826b1cb4e3fe28e73b9d21b45128e2cfe3ebcc00f05210e239824d197588e04e71f5b76ee7763b95efdbab0a4398d24299e153ea1f62f830ae505588f57233

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    683KB

    MD5

    692335c727cf1137c396c51e8c11a08e

    SHA1

    5a31231348d17a1187f8973fa52b41b729e689fc

    SHA256

    f26f88e7424f93d70ad8ab7e3849c5af6dcac806bcb6e4e776509bf22b94af93

    SHA512

    44026d976f575a1684b9014534272f9f67e770aa6e47987df494ca0338f9c8cbdd385932c76ba25407ace5865029540327e0b57aec98a540a37a817d48162a62

  • memory/3336-0-0x00007FFD1DE73000-0x00007FFD1DE75000-memory.dmp

    Filesize

    8KB

  • memory/3336-1-0x0000000000720000-0x0000000000730000-memory.dmp

    Filesize

    64KB

  • memory/3336-2-0x00007FFD1DE70000-0x00007FFD1E932000-memory.dmp

    Filesize

    10.8MB

  • memory/3336-3-0x00007FFD1DE73000-0x00007FFD1DE75000-memory.dmp

    Filesize

    8KB

  • memory/3336-4-0x00007FFD1DE70000-0x00007FFD1E932000-memory.dmp

    Filesize

    10.8MB

  • memory/3336-8-0x00007FFD1DE70000-0x00007FFD1E932000-memory.dmp

    Filesize

    10.8MB