Analysis

  • max time kernel
    122s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17/03/2025, 15:44

General

  • Target

    GrimLoader.exe

  • Size

    42KB

  • MD5

    735eb25f877a4980b0b76c2f065d4a70

  • SHA1

    4a8b6aed9b6a1f849d5ad34a2c362afbfbc74005

  • SHA256

    135fdc6be56667ccda9e1171eaee2adb19d13e2ec18768b9ecc029c29ed17ad9

  • SHA512

    0c50c594be3552ab274d1750a097f0439678190d4cb5eb890e86bde1a8c018a71ff13ea86daaf9aa84dff600b552ce015040e4aa6b9543b0fbc213b6c8c04c90

  • SSDEEP

    768:MmtZ5E9E//4MluZNLL9Tj+EKZKfgm3Ehkz:ZEIDkLL9TKEF7E2z

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1351217330234851339/6y7ZFPB3atPFLb0xPM7cN5NPowrs6q29FzdK-4qDAFOjpV_eXwVJoAJmvEsfgiZwHomE

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies registry class (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GrimLoader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GrimLoader.exe"
    PID: 2964
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\BackgroundTransferHost.exe
    Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    PID: 4608
    • Modifies registry class

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\73f75f37-38d7-43cd-8c06-417a233703f8.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • memory/2964-0-0x00007FF954F33000-0x00007FF954F35000-memory.dmp

    Filesize

    8KB

  • memory/2964-1-0x0000000000970000-0x0000000000980000-memory.dmp

    Filesize

    64KB

  • memory/2964-2-0x00007FF954F30000-0x00007FF9559F2000-memory.dmp

    Filesize

    10.8MB

  • memory/2964-3-0x00007FF954F33000-0x00007FF954F35000-memory.dmp

    Filesize

    8KB

  • memory/2964-4-0x00007FF954F30000-0x00007FF9559F2000-memory.dmp

    Filesize

    10.8MB