Overview

overview

10

Static

static

10

2025-04-03...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-03_76ea72164dd28c5f3e8a1bc5f2762b5c_amadey_esfury_rhadamanthys_smoke-loader.exe

  • Size

    3.5MB

  • MD5

    76ea72164dd28c5f3e8a1bc5f2762b5c

  • SHA1

    8ce5f0888f5368c091107e9ba77cfc42e0c5f8df

  • SHA256

    aff971e3e4484669c73c912ab3fed84dab8b9ce036d0ac717abe2fbf176276e1

  • SHA512

    42160cf01c583aac9a8280f20eda925cf14588c71bd1c17997bded1618c0901d2f1d03e7ea926458f5abac7a30222f394e78c34e00103d9303acebd4aa06090b

  • SSDEEP

    98304:6kkjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/TY:68zJpjS346t1bIfuq07

Score
10/10
mercurialgrabberagilenetdefense_evasiondiscoveryspywarestealerupx

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/939772339271385098/pb40yymlaC36gJ9lrIZE64Tin0HhFVa5fet-muKugdctzZ9wq34Ecu9RIjcsTOKwswvD

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    defense_evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 11 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_76ea72164dd28c5f3e8a1bc5f2762b5c_amadey_esfury_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_76ea72164dd28c5f3e8a1bc5f2762b5c_amadey_esfury_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3936
    • C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:5492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    Filesize

    3.2MB

    MD5

    a9477b3e21018b96fc5d2264d4016e65

    SHA1

    493fa8da8bf89ea773aeb282215f78219a5401b7

    SHA256

    890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

    SHA512

    66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OK.EXE
    Filesize

    41KB

    MD5

    7472d8466f9cf4de765918e3536454b4

    SHA1

    d8fdbf2838e4721d77addaaef022df1560590eb0

    SHA256

    f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

    SHA512

    a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

    Download Submit

  • memory/3936-34-0x0000000004FC0000-0x0000000004FE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3936-45-0x00000000053E0000-0x0000000005410000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3936-49-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3936-47-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-46-0x0000000006B10000-0x0000000006B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3936-25-0x0000000000270000-0x00000000005AA000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/3936-28-0x00000000054A0000-0x0000000005A44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3936-29-0x0000000004EF0000-0x0000000004F82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3936-44-0x0000000005D80000-0x0000000005E96000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3936-31-0x0000000004DF0000-0x0000000004E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3936-32-0x0000000004E60000-0x0000000004E6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3936-33-0x0000000004F90000-0x0000000004FAC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3936-39-0x0000000005050000-0x000000000506E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3936-35-0x0000000004FE0000-0x0000000005000000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3936-22-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-41-0x0000000005240000-0x000000000524E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3936-36-0x0000000005020000-0x0000000005030000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3936-38-0x0000000005170000-0x00000000051DE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3936-42-0x0000000005260000-0x000000000526E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3936-37-0x0000000005030000-0x0000000005044000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3936-40-0x0000000005200000-0x0000000005236000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3936-43-0x0000000005BD0000-0x0000000005D1A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4192-0-0x0000000000CA0000-0x0000000001019000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4192-23-0x0000000000CA0000-0x0000000001019000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/5492-30-0x00007FFBC8120000-0x00007FFBC8BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5492-27-0x00007FFBC8123000-0x00007FFBC8125000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5492-26-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5492-48-0x00007FFBC8120000-0x00007FFBC8BE1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5492-53-0x00007FFBC8120000-0x00007FFBC8BE1000-memory.dmp

    Filesize

    10.8MB

    Download