Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
555s -
max time network
869s -
platform
windows11-21h2_x64 -
resource
win11-20250210-en -
resource tags
arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system -
submitted
16/02/2025, 15:05
Behavioral task
behavioral1
Sample
Fr skibidi.exe
Resource
win11-20250210-en
General
-
Target
Fr skibidi.exe
-
Size
41KB
-
MD5
4bbb23adbc1cafec977fc52a786c1c7a
-
SHA1
95602a3060dd058abfa3ba6a1384b4023fea5c57
-
SHA256
7bf62b6bf5ffbf4a72069d4a365bfc99f0c3552ccaf16c28f8845705d2f7df50
-
SHA512
e28fcdf2db2b4cd75f14df55a287c50db302daf51e4e337fcb886d71ca015f49e414558640f31b7e1065ddac3c0a10680ae5b4939f063d9d0bd1f87d52d9b286
-
SSDEEP
768:SscaIiIJVE64/ywruZye0WTj8KZKfgm3EhrF:Bc1jVElLe0WTIF7ENF
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1340699331883307028/16tpnAYBByHiVAI4QQLfQk-oiOtbEf2bDhtVR0QMI8eY0P03LzqokziuamktrNpiopq2
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Downloads MZ/PE file 3 IoCs
flow pid Process 11 3464 Process not Found 31 3464 Process not Found 29 1196 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 13 discord.com 16 discord.com 17 discord.com 7 discord.com 12 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip4.seeip.org 4 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2124 MicrosoftEdgeUpdate.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Fr skibidi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Fr skibidi.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4436 Fr skibidi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe"C:\Users\Admin\AppData\Local\Temp\Fr skibidi.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODg5NTc0RTktRjBCNy00MjA2LTkwRkYtRTZCQjc4MEZGNDhGfSIgdXNlcmlkPSJ7RTJDNDlCOEYtRkJFMy00RTE1LUJCMTgtMTlGQzVEODc1QzVDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkMyRjYyQjEtNTIxRi00N0I4LUJBNEEtRTUwNkU4NTUyMzQ2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRldGltZT0iMTczOTE4MzgwMSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTYyMTc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5ODA3MDEyNzMiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2124
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1