Analysis

max time kernel:   104s
max time network:  138s
platform:          windows10-2004_x64
resource:          win10v2004-20250314-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted:         19/04/2025, 02:48

Behavioral task behavioral1
  Sample:   2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe
  Resource: win10v2004-20250314-en

Behavioral task behavioral2
  Sample:   2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe
  Resource: win11-20250410-en
General

Target:  2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe
Size:    20.4MB
MD5:     74745a68d5842de1a425f2d4b4c633df
SHA1:    18d75f80637cd7e1e68d4195b58e0f9232454cb4
SHA256:  aa4e772b706e39b6675bda9d19f7fdf6218c96c3a52552eb7db79987552b756b
SHA512:  cb20221b72366b389f2acd363447560b99637c02eb3ed2368a57a68518519389df621a9418a690d4049143fc8010fa3508c753b9e49394acf31b879411165279
SSDEEP:  393216:gfZaKBsRvKt+2JtWNhqKVp1+TtIiF5/QwCPs2Qp7MePjGY6A4YP:IaKc2JtEhqKVp1QtIO/QwWQxPjnP
Malware Config

Extracted
  family:               mercurialgrabber
  C2 (Discord webhook): https://discord.com/api/webhooks/1361784872892498110/gIFvYe7mgYi8DSdyPsEA70WvUC10wl2gkxeTQaDNo1SttNSIjE58-QGfTyW-ftP530HP

The submission filename carries a black-basta tag, but the extracted configuration and the signatures below identify the payload as Mercurial Grabber; treat the filename as a feed label, not an attribution.
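As an added example (not the sandbox's config extractor and not code from the sample or the Mercurial Grabber project), the Python below pulls Discord webhook URLs out of an arbitrary blob (a memory dump, the unpacked PyInstaller script, or strings output) and dates each webhook from its id. The assumed format facts are the webhook URL layout https://discord.com/api/webhooks/<id>/<token> and the Discord snowflake encoding (the bits above bit 22 are milliseconds since 2015-01-01T00:00:00Z). The blob it scans is constructed for the demo and embeds the URL extracted above; SUBMITTED_UTC is this report's "submitted" time, assumed to be UTC.

```python
"""Extract Discord webhook C2 URLs from a blob and date them from the webhook id.

Added example, not the sandbox's config extractor and not code from the sample.
Assumed format facts: a webhook URL is https://discord.com/api/webhooks/<id>/<token>,
and <id> is a Discord snowflake whose bits above bit 22 hold milliseconds since the
Discord epoch, 2015-01-01T00:00:00Z (1420070400000 ms since the Unix epoch).
"""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000

# "submitted: 19/04/2025, 02:48" from this report; the report does not state a zone, UTC assumed.
SUBMITTED_UTC = datetime(2025, 4, 19, 2, 48, tzinfo=timezone.utc)

# discord.com / discordapp.com with optional ptb. or canary. host; the id is 17-20 digits,
# the token is URL-safe characters (the one on this page is 68 chars long).
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_-]{50,})"
)

# Constructed input: a few bytes of junk around the URL from the Malware Config section,
# standing in for a memory dump or the decompiled stealer script.
SAMPLE_BLOB = (
    b"\x00\x00\x10hook = \""
    b"https://discord.com/api/webhooks/1361784872892498110/"
    b"gIFvYe7mgYi8DSdyPsEA70WvUC10wl2gkxeTQaDNo1SttNSIjE58-QGfTyW-ftP530HP"
    b"\"\x00\x00chrome.exe\x00Local State\x00"
)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (id >> 22 = ms since DISCORD_EPOCH_MS)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000)


def extract_webhooks(blob: bytes) -> list[dict]:
    """Return every distinct webhook in blob with id, token, creation time and a defanged URL."""
    hooks = []
    seen = set()
    for m in WEBHOOK_RE.finditer(blob):
        url = m.group(0).decode()
        if url in seen:                  # the same hook usually appears several times in a dump
            continue
        seen.add(url)
        wid = int(m.group(1))
        hooks.append({
            "url": url,
            "defanged": url.replace("https://", "hxxps://").replace(".com/", "[.]com/"),
            "id": wid,
            "token": m.group(2).decode(),
            "created_utc": snowflake_time(wid),
        })
    return hooks


def age_days(hook: dict, observed: datetime) -> float:
    """Days between webhook creation and the time the sample was observed."""
    return (observed - hook["created_utc"]).total_seconds() / 86400


if __name__ == "__main__":
    for h in extract_webhooks(SAMPLE_BLOB):
        print(h["defanged"])
        print(f"  id {h['id']} created {h['created_utc']:%Y-%m-%d %H:%M:%S}Z, "
              f"{age_days(h, SUBMITTED_UTC):.1f} days before submission")
```

For the URL on this page the id 1361784872892498110 decodes to 2025-04-15 19:26 UTC, roughly three days before the 19/04/2025 02:48 submission, which is what a freshly built stealer looks like. The creation time is a useful pivot: it tells you whether you are looking at a new campaign or a recycled sample, and the id/token pair is what you hand to Discord when reporting the webhook for takedown.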
Signatures

Mercurial Grabber Stealer
  Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

Mercurialgrabber family

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation
  process:     2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe

Executes dropped EXE  (3 IoCs)
  pid   process
  6008  FB_5F27.tmp.exe
  3360  FB_60ED.tmp.exe
  848   FB_60ED.tmp.exe

Loads dropped DLL  (26 IoCs)
  pid   process
  848   FB_60ED.tmp.exe  (all 26 DLL loads are by this one process)

Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2  (1 TTP, 3 IoCs)
  flow  ioc
  27    discord.com
  24    discord.com
  25    discord.com

Looks up external IP address via web service  (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     ip4.seeip.org
  22    ip-api.com

Detects Pyinstaller  (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x0007000000024291-15.dat  pyinstaller
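As an added example (not the sandbox's YARA rule and not code from this report), the Python below shows what a pyinstaller detection keys on, the 8-byte CArchive magic at the end of the file, and goes one step further by parsing the trailer to list what the archive contains, which is the first triage step for a dropped PyInstaller payload like the one the rule flagged. Assumed format facts (PyInstaller 2.1 and later): the archive appended to the PE ends with an 88-byte cookie packed as !8sIIii64s (magic, package length, TOC offset, TOC length, Python version, python DLL name), and each TOC entry is !iIIIBc followed by a NUL-padded name. The archive it parses is built by build_sample() for the demo; it is not one of the dropped files in this report.

```python
"""Locate and parse a PyInstaller CArchive trailer ("cookie") and its table of contents.

Added example for this report; not tooling from the sandbox or code from the sample.
Format facts assumed (PyInstaller >= 2.1): the archive appended to the PE ends with an
88-byte cookie `!8sIIii64s` (magic, package length, TOC offset, TOC length, Python
version, python DLL name); TOC entries are `!iIIIBc` + NUL-padded name.
build_sample() constructs a tiny archive in that shape for the demo.
"""
import struct
from dataclasses import dataclass

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"      # 'MEI' followed by 0x0c 0x0b 0x0a 0x0b 0x0e
COOKIE_FMT = "!8sIIii64s"                # big-endian, 88 bytes
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
ENTRY_FMT = "!iIIIBc"                    # 18 bytes of header before the name
ENTRY_HDR = struct.calcsize(ENTRY_FMT)


@dataclass
class TocEntry:
    name: str
    position: int          # absolute file offset of the entry's data
    compressed: int
    uncompressed: int
    is_compressed: bool
    typecode: str          # 'z' PYZ, 's' script, 'b' binary, 'x' data, 'm'/'M' module ...


def is_pyinstaller(data: bytes) -> bool:
    """What a 'pyinstaller' YARA rule keys on: the cookie magic is present."""
    return data.rfind(MAGIC) != -1


def decode_pyver(raw: int) -> tuple[int, int]:
    """Cookie stores 27 for 2.7; newer bootloaders store major*100+minor, e.g. 311."""
    return divmod(raw, 100) if raw >= 100 else divmod(raw, 10)


def parse_archive(data: bytes) -> dict:
    # The bootloader's own code also contains MAGIC, so take the LAST occurrence:
    # the cookie is the final thing in the file.
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos == -1 or cookie_pos + COOKIE_SIZE > len(data):
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    # pkg_len covers everything from the archive start up to and including the cookie.
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        raise ValueError("inconsistent package length")
    toc_abs = archive_start + toc_off
    entries, off = [], toc_abs
    while off < toc_abs + toc_len:
        size, pos, csz, usz, flag, tc = struct.unpack(ENTRY_FMT, data[off:off + ENTRY_HDR])
        if size < ENTRY_HDR:
            raise ValueError("corrupt TOC entry")
        name = data[off + ENTRY_HDR:off + size].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append(TocEntry(name, archive_start + pos, csz, usz, bool(flag), tc.decode()))
        off += size
    return {
        "archive_start": archive_start,
        "python": decode_pyver(pyver),
        "pylib": pylib.rstrip(b"\x00").decode(),
        "entries": entries,
    }


def build_sample() -> bytes:
    """Constructed PyInstaller-shaped file: fake PE stub, two payload blobs, TOC, cookie."""
    pe_stub = b"MZ" + b"\x00" * 62                         # stand-in for the bootloader PE
    blobs = [(b"PYZ-00.pyz", b"z", b"PYZ\x00" + b"\x11" * 40),
             (b"stealer", b"s", b"import os\n")]
    payload, toc, pos = b"", b"", 0
    for name, tc, blob in blobs:
        size = ENTRY_HDR + len(name)
        size += (-size) % 16                                # PyInstaller pads entries to 16
        toc += struct.pack(ENTRY_FMT, size, pos, len(blob), len(blob), 0, tc)
        toc += name.ljust(size - ENTRY_HDR, b"\x00")
        payload += blob
        pos += len(blob)
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(payload), len(toc), 311, b"python311.dll")
    return pe_stub + payload + toc + cookie


if __name__ == "__main__":
    info = parse_archive(build_sample())
    print("python", info["python"], info["pylib"])
    for e in info["entries"]:
        print(f"  {e.typecode} {e.name:20} @0x{e.position:x} {e.uncompressed} bytes")
```

Run against the dropped file the rule flagged, the TOC gives you the PYZ and the name of the entry script, which for a Python stealer is usually enough to decide whether it is worth decompiling. The rfind matters: the bootloader carries the same 8-byte magic in its own code, so searching from the front finds the wrong offset.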
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process:     2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe

Checks processor information in registry  (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      FB_5F27.tmp.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  FB_5F27.tmp.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  6008  FB_5F27.tmp.exe

Suspicious use of WriteProcessMemory  (10 IoCs)
  description                        pid   process                                                             procid_target
  PID 5520 wrote to memory of 6008   5520  2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe  89  (x2)
  PID 5520 wrote to memory of 3360   5520  2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe  91  (x2)
  PID 3360 wrote to memory of 848    3360  FB_60ED.tmp.exe                                                     93  (x2)
  PID 848 wrote to memory of 2908    848   FB_60ED.tmp.exe                                                     94  (x2)
  PID 848 wrote to memory of 3556    848   FB_60ED.tmp.exe                                                     97  (x2)
  Every target PID is a direct child of the writer (see the process tree below), so on its own this is consistent with ordinary child-process setup rather than injection into an unrelated process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe  (PID 5520)
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-19_74745a68d5842de1a425f2d4b4c633df_black-basta_elex.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe  (PID 6008)
        command line: "C:\Users\Admin\AppData\Local\Temp\FB_5F27.tmp.exe"
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe  (PID 3360)
        command line: "C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe  (PID 848)
            command line: "C:\Users\Admin\AppData\Local\Temp\FB_60ED.tmp.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cmd.exe  (PID 2908)
                command line: C:\Windows\system32\cmd.exe /c "ver"

            [4] C:\Windows\system32\cmd.exe  (PID 3556)
                command line: C:\Windows\system32\cmd.exe /c cls

The bracketed number is the depth in the tree. FB_60ED.tmp.exe spawning a second copy of itself (3360 -> 848), with the child doing all 26 dropped-DLL loads, is consistent with a PyInstaller onefile binary, whose bootloader unpacks to a temporary directory and re-executes itself; that matches the pyinstaller YARA hit above.
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 42KB
MD5:      7a30cb97048660dce94b1556d82b2df1
SHA1:     5eeb39457c93c7332b7fd238e301d26b601fc3bd
SHA256:   c492cc3907eb62582e30b0b45dee68b6efdc52f0dc0df4b9fc55da18901fa7f9
SHA512:   6ea1d4b6fe819dcb1ba5d676a67cddb5b7498772ba7027355f5ec837a301fb1737535a6e4e08ce4f70cdf6ff3ef9a80fbd07ea5705bc5211054f79ca1df2b7c4

Filesize: 20.3MB
MD5:      cea77c76938d443b37b3372d36af6cd1
SHA1:     20d7fd6c87087f1459471d564b8bf398ce210359
SHA256:   3cd434f1d12a2d5da1efb1b15a5ff896aced3e1ca9d94605933696585d25b1af
SHA512:   4a6d9f2a20588da2e1bd2d446e624f3c82dd73e33cbbe54820fcdc457a77b35d3753b95bc1d1909024bfb69b9623e6ffe61ab76b2c45922b73c805ec3cda78cb

Filesize: 116KB
MD5:      be8dbe2dc77ebe7f88f910c61aec691a
SHA1:     a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256:   4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512:   0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Filesize: 48KB
MD5:      f8dfa78045620cf8a732e67d1b1eb53d
SHA1:     ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256:   a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512:   ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Filesize: 63KB
MD5:      41806866d74e5edce05edc0ad47752b9
SHA1:     c3d603c029fdac45bac37bb2f449fab86b8845dd
SHA256:   76db93bd64cb4a36edb37694456f89bb588db98cf2733eb436f000b309eec3b2
SHA512:   2a019efaf3315b8b98be93ac4bea15cec8b9ecc6eab298fa93d3947bad2422b5a126d52cb4998363bdc82641fba9b8f42d589afe52d02914e55a5a6116989fde

Filesize: 82KB
MD5:      37eace4b806b32f829de08db3803b707
SHA1:     8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9
SHA256:   1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b
SHA512:   1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d

Filesize: 174KB
MD5:      739d352bd982ed3957d376a9237c9248
SHA1:     961cf42f0c1bb9d29d2f1985f68250de9d83894d
SHA256:   9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980
SHA512:   585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

Filesize: 121KB
MD5:      a25cdcf630c024047a47a53728dc87cd
SHA1:     8555ae488e0226a272fd7db9f9bdbb7853e61a21
SHA256:   3d43869a4507ed8ece285ae85782d83bb16328cf636170acb895c227ebb142ac
SHA512:   f6a4272deddc5c5c033a06e80941a16f688e28179eab3dbc4f7a9085ea4ad6998b89fc9ac501c5bf6fea87e0ba1d9f2eda819ad183b6fa7b6ddf1e91366c12af

Filesize: 247KB
MD5:      e4e032221aca4033f9d730f19dc3b21a
SHA1:     584a3b4bc26a323ce268a64aad90c746731f9a48
SHA256:   23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c
SHA512:   4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c

Filesize: 63KB
MD5:      ba682dfcdd600a4bb43a51a0d696a64c
SHA1:     df85ad909e9641f8fcaa0f8f5622c88d904e9e20
SHA256:   2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd
SHA512:   79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636

Filesize: 155KB
MD5:      3273720ddf2c5b75b072a1fb13476751
SHA1:     5fe0a4f98e471eb801a57b8c987f0feb1781ca8b
SHA256:   663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948
SHA512:   919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e

Filesize: 33KB
MD5:      758128e09779a4baa28e68a8b9ee2476
SHA1:     4e81c682cf18e2a4b46e50f037799c43c6075f11
SHA256:   3c5b0823e30810aee47fdfad567491bc33dd640c37e35c8600e75c5a8d05ce2a
SHA512:   5096f0daacf72012a7ad08b177c366b4fe1ded3a18aebfe438820b79c7cb735350ef831a7fb7d10482eefd4c0b8a41511042bb41f4507bbc0332c52df9288088

Filesize: 50KB
MD5:      e2a301b3fd3bdfec3bf6ca006189b2ac
SHA1:     86b29ee1a42de70135a6786cdce69987f1f61193
SHA256:   4990f62e11c0a5ab15a9ffce9d054f06d0bc9213aea0c2a414a54fa01a5eb6dc
SHA512:   4e5493cc4061be923b253164fd785685d5eccf16fd3acb246b9d840f6f7d9ed53555f53725af7956157d89eaa248a3505c30bd88c26e04aabdae62e4774ffa4e

Filesize: 31KB
MD5:      284fbc1b32f0282fc968045b922a4ee2
SHA1:     7ccea7a48084f2c8463ba30ddae8af771538ae82
SHA256:   ac3b144d7d7c8ee39f29d8749c5a35c4314b5365198821605c883fd11807e766
SHA512:   baa75f7553cf595ad78c84cbb0f2a50917c93596ece1ff6221e64272adc6facdd8376e00918c6c3246451211d9dfc66442d31759bd52c26985c7f133cf011065

Filesize: 77KB
MD5:      485d998a2de412206f04fa028fe6ba90
SHA1:     286e29d4f91a46171ba1e3c8229e6de94b499f1d
SHA256:   8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76
SHA512:   68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f

Filesize: 172KB
MD5:      e5b1a076e9828985ea8ea07d22c6abd0
SHA1:     2a2827938a490cd847ea4e67e945deb4eef8cbb1
SHA256:   591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b
SHA512:   0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f

Filesize: 24KB
MD5:      b21b864e357ccd72f35f2814bd1e6012
SHA1:     2ff0740c26137c6a81b96099c1f5209db33ac56a
SHA256:   ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53
SHA512:   29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3

Filesize: 1.4MB
MD5:      842d8d9e0cabf825bf7ba04a0d6f4d0c
SHA1:     7df7e7dbc17f5ac8057ff3af81e6ad7762c13bd8
SHA256:   01b8cef75f9df12e1b0efc967704f1f48d524fc52ef393a73f4d62b0d6b59cf1
SHA512:   a9181483ff26ba518bdaa27be2561dcfa4672b64b6a9b1677102844b9cc0790845d673d8a9f128586258c4d3bfdcb1c1e91ad877848b08c787d848373d9e85a7

Filesize: 290KB
MD5:      234d271ecb91165aaec148ad6326dd39
SHA1:     d7fccec47f7a5fbc549222a064f3053601400b6f
SHA256:   c55b21f907f7f86d48add093552fb5651749ff5f860508ccbb423d6c1fbd80c7
SHA512:   69289a9b1b923d89ba6e914ab601c9aee4d03ff98f4ed8400780d4b88df5f4d92a8ca1a458abcfde00c8455d3676aca9ec03f7d0593c64b7a05ed0895701d7ed

Filesize: 10KB
MD5:      e3d495cf14d857349554a3606a8e7210
SHA1:     db0843b89a84fb37efd3c76168bcb303174aac29
SHA256:   e21f4c40c29be0b115463e7bb8a365946a4afc152b9fff602abd41c6e0ce68a2
SHA512:   8f69a16042e88bc51d30ad4c78d8240e2619104324e79e5f382975486bfb39b4e0a3c35976d08399300d7823d6a358104658374daf36a513ce0774f3611d4d6e

Filesize: 118KB
MD5:      bd18f35f8a56415ec604d97bd3dd44c4
SHA1:     63f51eb5dafeb24327e3bcb63828336c920b4fcd
SHA256:   f3501ebce24205f3dc54192cd917eab9a899fe936570650253d4c1466383eff1
SHA512:   3c1c268005f494413cd2f9409b64ed3a2c9af558c0f317447af2c27776406c61dcb28ae6720af156145078ec565a14a3e12d409e57389bb3d4d10f8d7a92a7d1

Filesize: 5.0MB
MD5:      e547cf6d296a88f5b1c352c116df7c0c
SHA1:     cafa14e0367f7c13ad140fd556f10f320a039783
SHA256:   05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512:   9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Filesize: 38KB
MD5:      0f8e4992ca92baaf54cc0b43aaccce21
SHA1:     c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256:   eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512:   6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Filesize: 768KB
MD5:      19a2aba25456181d5fb572d88ac0e73e
SHA1:     656ca8cdfc9c3a6379536e2027e93408851483db
SHA256:   2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512:   df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Filesize: 193KB
MD5:      d7ecc2746314fec5ca46b64c964ea93e
SHA1:     39fc49d4058a65f0aa4fbdc3d3bcc8c7beecaa01
SHA256:   58b95f03a2d7ec49f5260e3e874d2b9fb76e95ecc80537e27abef0c74d03cb00
SHA512:   d5a595aaf3c7603804deae4d4cc34130876a4c38ccd9f9f29d8b8b11906fa1a03dd9a1f8f5dbde9dc2c62b89fe52dfe5b4ee409a8d336edf7b5b8141d12e82d2

Filesize: 65KB
MD5:      35da4143951c5354262a28dee569b7b2
SHA1:     b07cb6b28c08c012eecb9fd7d74040163cdf4e0e
SHA256:   920350a7c24c46339754e38d0db34ab558e891da0b3a389d5230a0d379bee802
SHA512:   2976667732f9ee797b7049d86fd9beeb05409adb7b89e3f5b1c875c72a4076cf65c762632b7230d7f581c052fce65bb91c1614c9e3a52a738051c3bc3d167a23

Filesize: 5.5MB
MD5:      d06da79bfd21bb355dc3e20e17d3776c
SHA1:     610712e77f80d2507ffe85129bfeb1ff72fa38bf
SHA256:   2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1
SHA512:   e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a

Filesize: 656KB
MD5:      6c19942383f17f4e771d18cf8fe54104
SHA1:     cdb183411114716b4e73dbf6e5abeff916d974cf
SHA256:   1b1663859d7ee7ca0fcd5328a9d9a57b0d7f03e2a82a026e4749aeed97bac119
SHA512:   5bd1d44990860110f3c819f605e061a8b45578b1c3213404e72ea995e91e05cec5c94f8d1856962c175feee74426013cdcd9e1df7d564e3113869c7fa715e8af

Filesize: 132KB
MD5:      3d9895aa25e1f493f38f08f4717a0d67
SHA1:     459ed374dd8568c4f364d021c2283fb86c16e0e6
SHA256:   074a73db77cbd9a8a1eed34dbfeddcea2d5772d34f8761b94957ae463c9a16ae
SHA512:   e0a95f11e1076e25b24421d5b8cbdc8d8fa10d4cb366e1e9416222a739d893e7d60026e0fb55983c954e73881f37b5f27fdbfc58dfaee83f42272266bdcab3af

Filesize: 29KB
MD5:      e07ae2f7f28305b81adfd256716ae8c6
SHA1:     9222cd34c14a116e7b9b70a82f72fc523ef2b2f6
SHA256:   fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c
SHA512:   acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4

Filesize: 1.1MB
MD5:      5cc36a5de45a2c16035ade016b4348eb
SHA1:     35b159110e284b83b7065d2cff0b5ef4ccfa7bf1
SHA256:   f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20
SHA512:   9cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1

Filesize: 129KB
MD5:      a8ee4d01df3cde6a0fed85c278b5ebb8
SHA1:     dc2ae0fbcc0e92e073e5224466690b95012ac761
SHA256:   6ba86018ac060effa78e1597310c83408eb5c9f9cacdf86511c442a6f7bc5464
SHA512:   b12dad7d5dafb80b075e8af5058ada076d5f12664cc3635d3cd7f39a763f5b58cfaceba60b3dfe282311b867526930cf686c0704fab9ace220c0695cff38c389