Analysis Overview
SHA256
fa260554c8c655b07cd603d2e67d24931b47eb3510c9cf2a06fd9888967cc61b
Threat Level: Known bad
The file discord token grabber.exe was found to be: Known bad.
Malicious Activity Summary
Mercurialgrabber family
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Looks up external IP address via web service
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Checks processor information in registry
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 09:58
Signatures
Mercurialgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 09:58
Reported
2025-05-19 10:02
Platform
win10v2004-20250502-en
Max time kernel
125s
Max time network
138s
Command Line
Signatures
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe
"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
memory/6076-0-0x00007FFC515B3000-0x00007FFC515B5000-memory.dmp
memory/6076-1-0x00000000002D0000-0x00000000002E0000-memory.dmp
memory/6076-2-0x00007FFC515B0000-0x00007FFC52071000-memory.dmp
memory/6076-3-0x00007FFC515B3000-0x00007FFC515B5000-memory.dmp
memory/6076-4-0x00007FFC515B0000-0x00007FFC52071000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-19 09:58
Reported
2025-05-19 10:02
Platform
win11-20250502-en
Max time kernel
123s
Max time network
124s
Command Line
Signatures
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe
"C:\Users\Admin\AppData\Local\Temp\discord token grabber.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
memory/5996-0-0x00007FF881393000-0x00007FF881395000-memory.dmp
memory/5996-1-0x0000000000A60000-0x0000000000A70000-memory.dmp
memory/5996-2-0x00007FF881390000-0x00007FF881E52000-memory.dmp
memory/5996-3-0x00007FF881393000-0x00007FF881395000-memory.dmp
memory/5996-4-0x00007FF881390000-0x00007FF881E52000-memory.dmp