Analysis
-
max time kernel
32s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18/02/2025, 00:11
Behavioral task
behavioral1
Sample
GorillaUnbanner.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
GorillaUnbanner.exe
Resource
win10v2004-20250217-en
General
-
Target
GorillaUnbanner.exe
-
Size
42KB
-
MD5
2f0e33a107758d9752b5d8caafefda2a
-
SHA1
1cdd6766b17aad972cedd7e448f9704161709d08
-
SHA256
8ce381455c6cc7f68574f0e258e4aaa7a8856e439b9650bf2b110e922a73d791
-
SHA512
9f55614d1ce6296ad9212eece2ed5a64710a8566be8e660c830f554c567ebb28f9a0c0c345542fefda71bd7279a02bcec170f7d229893defde4485edfe2b59ea
-
SSDEEP
768:vFFGAUvRHCTuZSLRVTj75KZKfgm3EhYh:WRHCPLRVT35F7EOh
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1341192836023848981/MHmt34PTZZ_P_jTTneScbh_QIw9mlThCTekNBxgsaOnuwkBHwRizs2_F6x5ofxMBehpH
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 10 discord.com 11 discord.com 12 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 8 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GorillaUnbanner.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 GorillaUnbanner.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1628 GorillaUnbanner.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1628 wrote to memory of 2016 1628 GorillaUnbanner.exe 32 PID 1628 wrote to memory of 2016 1628 GorillaUnbanner.exe 32 PID 1628 wrote to memory of 2016 1628 GorillaUnbanner.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\GorillaUnbanner.exe"C:\Users\Admin\AppData\Local\Temp\GorillaUnbanner.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1628 -s 14402⤵PID:2016
-