Malware Analysis Report

2025-05-28 15:56

Sample ID 250519-lz1z3swnz8
Target discord token grabber.exe
SHA256 fa260554c8c655b07cd603d2e67d24931b47eb3510c9cf2a06fd9888967cc61b
Tags: mercurialgrabber defense_evasion spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fa260554c8c655b07cd603d2e67d24931b47eb3510c9cf2a06fd9888967cc61b

Threat Level: Known bad

The file discord token grabber.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber defense_evasion spyware stealer

Mercurialgrabber family

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Looks up external IP address via web service

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Checks processor information in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-19 09:58

Signatures

Mercurialgrabber family

mercurialgrabber

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-19 09:58
Reported: 2025-05-19 10:02
Platform: win10v2004-20250502-en
Max time kernel: 125s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Looks for VMWare Tools registry key

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe

"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
GB | 2.18.27.76:443 | www.bing.com | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.136.232:443 | discord.com | tcp
US | 162.159.136.232:443 | discord.com | tcp
US | 162.159.136.232:443 | discord.com | tcp
US | 162.159.136.232:443 | discord.com | tcp
US | 162.159.136.232:443 | discord.com | tcp
US | 162.159.136.232:443 | discord.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp

Files

memory/6076-0-0x00007FFC515B3000-0x00007FFC515B5000-memory.dmp

memory/6076-1-0x00000000002D0000-0x00000000002E0000-memory.dmp

memory/6076-2-0x00007FFC515B0000-0x00007FFC52071000-memory.dmp

memory/6076-3-0x00007FFC515B3000-0x00007FFC515B5000-memory.dmp

memory/6076-4-0x00007FFC515B0000-0x00007FFC52071000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-05-19 09:58
Reported: 2025-05-19 10:02
Platform: win11-20250502-en
Max time kernel: 123s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Looks for VMWare Tools registry key

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe

"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 162.159.137.232:443 | discord.com | tcp
US | 162.159.137.232:443 | discord.com | tcp
US | 162.159.137.232:443 | discord.com | tcp

Files

memory/5996-0-0x00007FF881393000-0x00007FF881395000-memory.dmp

memory/5996-1-0x0000000000A60000-0x0000000000A70000-memory.dmp

memory/5996-2-0x00007FF881390000-0x00007FF881E52000-memory.dmp

memory/5996-3-0x00007FF881393000-0x00007FF881395000-memory.dmp

memory/5996-4-0x00007FF881390000-0x00007FF881E52000-memory.dmp