Analysis
-
max time kernel
440s -
max time network
549s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06/03/2025, 15:02
Behavioral task
behavioral1
Sample
Sigma.exe
Resource
win10ltsc2021-20250217-en
General
-
Target
Sigma.exe
-
Size
41KB
-
MD5
9aff73f27f7afc4251dfe1ac8fe52d7d
-
SHA1
deef8ffa68978c9c8b398e5f7c4c026faf63fa5d
-
SHA256
546b7e985765d0a21e915869dad863133255bb081e8de5407f7104cd5bdcb77b
-
SHA512
ee2f3c18744b749dc68003f7e81c800c288060c9e56f74e61c706b3c61c17198b42401da49e524e4e77ae8a5f5847adf387034f12898a9fdeabddfc465b7a3a9
-
SSDEEP
768:yscaIiIEI/gB1wtduZ0e6WTj8KZKfgm3Eh3/:hc1yYgBEe6WToF7EJ/
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1347218786394050560/25E1MnN6tM_9Plb5-he1mualyMBpKwbwpRNDgFeexEvlMFJngDEgVT6C2DE0Vpotbp-Y
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 23 discord.com 25 discord.com 46 discord.com 22 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip4.seeip.org 20 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Sigma.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sigma.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3168 Sigma.exe