Analysis
-
max time kernel
844s -
max time network
854s -
platform
windows11-21h2_x64 -
resource
win11-20250210-en -
resource tags
arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system -
submitted
16/02/2025, 15:02
Behavioral task
behavioral1
Sample
Fr skibidi.exe
Resource
win11-20250210-en
General
-
Target
Fr skibidi.exe
-
Size
41KB
-
MD5
4bbb23adbc1cafec977fc52a786c1c7a
-
SHA1
95602a3060dd058abfa3ba6a1384b4023fea5c57
-
SHA256
7bf62b6bf5ffbf4a72069d4a365bfc99f0c3552ccaf16c28f8845705d2f7df50
-
SHA512
e28fcdf2db2b4cd75f14df55a287c50db302daf51e4e337fcb886d71ca015f49e414558640f31b7e1065ddac3c0a10680ae5b4939f063d9d0bd1f87d52d9b286
-
SSDEEP
768:SscaIiIJVE64/ywruZye0WTj8KZKfgm3EhrF:Bc1jVElLe0WTIF7ENF
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1340699331883307028/16tpnAYBByHiVAI4QQLfQk-oiOtbEf2bDhtVR0QMI8eY0P03LzqokziuamktrNpiopq2
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 7 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip4.seeip.org 3 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 944 MicrosoftEdgeUpdate.exe 2744 MicrosoftEdgeUpdate.exe 4948 MicrosoftEdgeUpdate.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Fr skibidi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Fr skibidi.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1452 MicrosoftEdgeUpdate.exe 1452 MicrosoftEdgeUpdate.exe 1452 MicrosoftEdgeUpdate.exe 1452 MicrosoftEdgeUpdate.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3336 Fr skibidi.exe Token: SeDebugPrivilege 1452 MicrosoftEdgeUpdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe"C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzY4RjE2NDEtMkE4Ri00ODkwLTk0RkQtRjdDMkE1QjZCMUI5fSIgdXNlcmlkPSJ7QTc0OEJGMUItNjQ2NS00MzMzLUEzMDYtOTU5QkZCQUY3NjlFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkJDNUJEQkItNzI2QS00RDVDLTk0MzgtQTRGOUQzMTEyOTQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5NDMxOTkxMTkiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:944
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzY4RjE2NDEtMkE4Ri00ODkwLTk0RkQtRjdDMkE1QjZCMUI5fSIgdXNlcmlkPSJ7QTc0OEJGMUItNjQ2NS00MzMzLUEzMDYtOTU5QkZCQUY3NjlFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszMUI2NEQ5MS1DNTA5LTQ0OEYtQkI4Ni0zODFEM0ExNEJCOUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgY29ob3J0PSJycmZAMC41OSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins3ODFEN0EzNy05ODZDLTQ3NjItOTU2NC03MTdDQzBFODkzMDh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjYiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzY1OTQ4OTk2MjM5NjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI2IiByPSI2IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7NDI1N0VFOUUtRTJEOS00QzI2LUFFRjEtNDEzQzI5NTA4QzFGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGNvaG9ydD0icnJmQDAuNDkiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9IntEMDZFQzRGRi0zQjEwLTQ2MjgtQUFBMi02NDU3MERDMDM4MkN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2744
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTE0MjUxQjMtRjg4RC00QkU2LThFOUMtRTQ4QjQzMUI0MjEwfSIgdXNlcmlkPSJ7QTc0OEJGMUItNjQ2NS00MzMzLUEzMDYtOTU5QkZCQUY3NjlFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDMzZDOUY1OC0zRjcyLTREQTYtQTk2RC03QkRCNDJDMTI2ODl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNiIgY29ob3J0PSJycmZAMC41OSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins3ODFEN0EzNy05ODZDLTQ3NjItOTU2NC03MTdDQzBFODkzMDh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjYiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzY1OTQ4OTk2MjM5NjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI2IiByPSI2IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7NDI1N0VFOUUtRTJEOS00QzI2LUFFRjEtNDEzQzI5NTA4QzFGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGNvaG9ydD0icnJmQDAuNDkiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI2IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9IntEMDZFQzRGRi0zQjEwLTQ2MjgtQUFBMi02NDU3MERDMDM4MkN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4948
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
611KB
MD572deb3e3655373bf9bb754d066933aa9
SHA11fd5a48450b82c956ba666cfcdb3cc216d3bbc2a
SHA2568411cfcc7daa2c7fe73d5a805f6d85d7e1f329aa8d224458b01761b13702de0e
SHA5128b5a057ba599f155bcc40196cf13ffdf02cc9936bc7ab7dff77b15cef7ef5e2e8f070b21f99f245f3530018361556e3c55b98170b8fab6dade31a392b275082e
-
Filesize
629KB
MD5d83868b1aa54e213c8d914db00756419
SHA14d75b1c14e24b10144ec8ad80381ad1e679a8e8e
SHA2561ee222050e9e89e2f465021d862dd26986f6e24217e6bacb5dec8c6513316372
SHA512bc80d0906a8e9b85468dd8ff2d535cb7be6675d485799dfbb83f0aa81152c405d93b9888e26131286e8c780186508d4ce4f42ef124ba95bbb5e6be4cb54e384d
-
Filesize
669KB
MD5111fd6383806f887cb8efab8b6a4951c
SHA1aec3d00bf541b4ba051bb774a7fa5530df414c91
SHA256ee079711fed79bde3ff4b0e1d1605cf29edc40c20e9c0cf269200e0146408233
SHA51291826b1cb4e3fe28e73b9d21b45128e2cfe3ebcc00f05210e239824d197588e04e71f5b76ee7763b95efdbab0a4398d24299e153ea1f62f830ae505588f57233
-
Filesize
683KB
MD5692335c727cf1137c396c51e8c11a08e
SHA15a31231348d17a1187f8973fa52b41b729e689fc
SHA256f26f88e7424f93d70ad8ab7e3849c5af6dcac806bcb6e4e776509bf22b94af93
SHA51244026d976f575a1684b9014534272f9f67e770aa6e47987df494ca0338f9c8cbdd385932c76ba25407ace5865029540327e0b57aec98a540a37a817d48162a62