Analysis
-
max time kernel
223s -
max time network
226s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
31/03/2025, 17:16
General
-
Target
BigStorage.exe
-
Size
54KB
-
MD5
e4c2d116ff8f8602d7ca81f025036d5e
-
SHA1
94b46e5379e1314ee96ffbaa48593ef326a9a1d4
-
SHA256
1bd799f8311e4ed91a9e07a2d0ab1f0dfb737b2bf781dd15f854a324e837558f
-
SHA512
92564e49328e9e282b18487f1cdf25a6d0badfe981fd02f88f4692f1a8eddd9899de9bae8faf18936e8513338a4aa4e738cb853722678a42246536ae8daf8fe3
-
SSDEEP
768:pscaIyIJVENs/ywjuZeeJWTjOKZKfgm3EhHpUgzkrZEhJJtkAZPmE3OR:2c1TVEgreJWTaF7EFpUmNvzPF
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1356312400638247114/GvA4p92IQSQKZMWJi3SXvoE1endRZG65DVGTN3juCh_-euq8AYz3K3YVPjOQLjStWmTI
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BigStorage.exe"C:\Users\Admin\AppData\Local\Temp\BigStorage.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB