Loading ...

Play interactive tourEdit tour

Windows Analysis Report XdPHZWGz4k.exe

Overview

General Information

Sample Name:XdPHZWGz4k.exe
Analysis ID:477026
MD5:e9a07674a035bb2a1e4f233c41269edd
SHA1:503908c418187bfc8f48533338aed01e667bf5fa
SHA256:c2603d684ad273865985ea6e7ce27c9236e173d7633a72f2378a1309d9ec77ac
Tags:exe
Infos:

Most interesting Screenshot:

Detection

MercurialGrabber
Score:78
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected MercurialGrabber
Queries memory information (via WMI often done to detect virtual machines)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Drops PE files
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • XdPHZWGz4k.exe (PID: 6384 cmdline: 'C:\Users\user\Desktop\XdPHZWGz4k.exe' MD5: E9A07674A035BB2A1E4F233C41269EDD)
    • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • XdPHZWGz4k.exe (PID: 3208 cmdline: 'C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe' MD5: E9A07674A035BB2A1E4F233C41269EDD)
    • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • XdPHZWGz4k.exe (PID: 6372 cmdline: 'C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe' MD5: E9A07674A035BB2A1E4F233C41269EDD)
    • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: MercurialGrabber

{"Webhook Url": "https://discord.com/api/webhooks/882954273980284939/Oo5CKwHMkILgJiucQhx_aJyEIHFxNaStS_Rgc-0H9Qm-hz7qs9oDqPvJxh_FmBs3dflH"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
XdPHZWGz4k.exeJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
    XdPHZWGz4k.exeMAL_Luna_Stealer_Apr_2021_1Detect Luna stealer (also Mercurial Grabber)Arkbird_SOLG
    • 0xb18:$s1: 73 40 00 00 0A 0B 07 72 D9 0B 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 ...
    • 0x1d44:$s2: 72 24 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 36 18 00 70 02 7B 36 00 00 04 28 2F 00 ...
    • 0x1f48:$s3: 72 0A 19 00 70 73 81 00 00 0A 0A 06 6F 82 00 00 0A 6F 83 00 00 0A 0C 2B 75 08 6F 84 00 00 0A 74 ...
    • 0x7b67:$x1: ---------------- mercurial grabber ----------------
    • 0x7daf:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 ...
    • 0x7fc9:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 ...

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
      C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeMAL_Luna_Stealer_Apr_2021_1Detect Luna stealer (also Mercurial Grabber)Arkbird_SOLG
      • 0xb18:$s1: 73 40 00 00 0A 0B 07 72 D9 0B 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 ...
      • 0x1d44:$s2: 72 24 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 36 18 00 70 02 7B 36 00 00 04 28 2F 00 ...
      • 0x1f48:$s3: 72 0A 19 00 70 73 81 00 00 0A 0A 06 6F 82 00 00 0A 6F 83 00 00 0A 0C 2B 75 08 6F 84 00 00 0A 74 ...
      • 0x7b67:$x1: ---------------- mercurial grabber ----------------
      • 0x7daf:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 ...
      • 0x7fc9:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 ...

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      0000000C.00000000.298642309.0000000000BC2000.00000002.00020000.sdmpJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
        00000010.00000002.339741238.0000000000AF2000.00000002.00020000.sdmpJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
          00000001.00000002.273139663.00000000003A2000.00000002.00020000.sdmpJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
            00000010.00000000.315911277.0000000000AF2000.00000002.00020000.sdmpJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
              00000001.00000000.253502407.00000000003A2000.00000002.00020000.sdmpJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
                Click to see the 5 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                12.2.XdPHZWGz4k.exe.bc0000.0.unpackJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
                  12.2.XdPHZWGz4k.exe.bc0000.0.unpackMAL_Luna_Stealer_Apr_2021_1Detect Luna stealer (also Mercurial Grabber)Arkbird_SOLG
                  • 0xb18:$s1: 73 40 00 00 0A 0B 07 72 D9 0B 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 ...
                  • 0x1d44:$s2: 72 24 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 36 18 00 70 02 7B 36 00 00 04 28 2F 00 ...
                  • 0x1f48:$s3: 72 0A 19 00 70 73 81 00 00 0A 0A 06 6F 82 00 00 0A 6F 83 00 00 0A 0C 2B 75 08 6F 84 00 00 0A 74 ...
                  • 0x7b67:$x1: ---------------- mercurial grabber ----------------
                  • 0x7daf:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 ...
                  • 0x7fc9:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 ...
                  1.0.XdPHZWGz4k.exe.3a0000.0.unpackJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
                    16.2.XdPHZWGz4k.exe.af0000.0.unpackJoeSecurity_MercurialGrabberYara detected MercurialGrabberJoe Security
                      1.0.XdPHZWGz4k.exe.3a0000.0.unpackMAL_Luna_Stealer_Apr_2021_1Detect Luna stealer (also Mercurial Grabber)Arkbird_SOLG
                      • 0xb18:$s1: 73 40 00 00 0A 0B 07 72 D9 0B 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 ...
                      • 0x1d44:$s2: 72 24 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 36 18 00 70 02 7B 36 00 00 04 28 2F 00 ...
                      • 0x1f48:$s3: 72 0A 19 00 70 73 81 00 00 0A 0A 06 6F 82 00 00 0A 6F 83 00 00 0A 0C 2B 75 08 6F 84 00 00 0A 74 ...
                      • 0x7b67:$x1: ---------------- mercurial grabber ----------------
                      • 0x7daf:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 ...
                      • 0x7fc9:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 ...
                      Click to see the 7 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 12.2.XdPHZWGz4k.exe.bc0000.0.unpackMalware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/882954273980284939/Oo5CKwHMkILgJiucQhx_aJyEIHFxNaStS_Rgc-0H9Qm-hz7qs9oDqPvJxh_FmBs3dflH"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: XdPHZWGz4k.exeVirustotal: Detection: 53%Perma Link
                      Yara detected MercurialGrabberShow sources
                      Source: Yara matchFile source: XdPHZWGz4k.exe, type: SAMPLE
                      Source: Yara matchFile source: 12.2.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.0.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.0.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000C.00000000.298642309.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.339741238.0000000000AF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.273139663.00000000003A2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.315911277.0000000000AF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.253502407.00000000003A2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.318186750.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.272744068.000000001C9D5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 6384, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 3208, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 6372, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe, type: DROPPED
                      Machine Learning detection for sampleShow sources
                      Source: XdPHZWGz4k.exeJoe Sandbox ML: detected
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeCode function: 1_2_00007FFA1680B24E CryptUnprotectData,1_2_00007FFA1680B24E
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA1658B25E CryptUnprotectData,12_2_00007FFA1658B25E
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 16_2_00007FFA165AB24E CryptUnprotectData,16_2_00007FFA165AB24E
                      Source: XdPHZWGz4k.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49703 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49706 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49709 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49711 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49714 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49716 version: TLS 1.0
                      Source: XdPHZWGz4k.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\a0f6e3585453700574fc42ba3653c021\System.Net.Http.ni.dllJump to behavior

                      Networking:

                      barindex
                      May check the online IP address of the machineShow sources
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeDNS query: name: ip-api.com
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeDNS query: name: ip-api.com
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeDNS query: name: ip-api.com
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorURLs: https://discord.com/api/webhooks/882954273980284939/Oo5CKwHMkILgJiucQhx_aJyEIHFxNaStS_Rgc-0H9Qm-hz7qs9oDqPvJxh_FmBs3dflH
                      Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49703 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49706 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49709 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49711 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.5:49714 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.5:49716 version: TLS 1.0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272829886.000000001C984000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274321032.000000000267E000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272829886.000000001C984000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272829886.000000001C984000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: XdPHZWGz4k.exe, 00000010.00000002.343098466.000000001D0D3000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digic
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319503161.0000000002E58000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://discord.com
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272968518.00000000007F9000.00000004.00000001.sdmpString found in binary or memory: http://go.micz
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274271699.000000000264C000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319475097.0000000002E4B000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com
                      Source: XdPHZWGz4k.exeString found in binary or memory: http://ip-api.com//json/
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274383164.00000000026A4000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319475097.0000000002E4B000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340390852.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com//json/84.17.52.41
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274271699.000000000264C000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319342827.0000000002E1D000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.comx
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274298274.000000000266D000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319342827.0000000002E1D000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://ip4.seeip.org
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274321032.000000000267E000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/05
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274321032.000000000267E000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274271699.000000000264C000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319252949.0000000002DF9000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340284669.0000000003029000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272829886.000000001C984000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: XdPHZWGz4k.exe, 00000001.00000003.272829886.000000001C984000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.321493569.000000001CFC0000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340329280.000000000304D000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274650996.0000000002811000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254211461136404/cookies.txt
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274686155.0000000002830000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254213243719690/passwords.txt
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274730267.0000000002850000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254216330711070/Capture.jpg
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.319787894.0000000002EFA000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254299721863178/cookies.txt
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.320128808.0000000002FE9000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254301399584779/passwords.txt
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.320190582.0000000003000000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254304713080833/Capture.jpg
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340579707.00000000031F1000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254341446795304/cookies.txt
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340604241.0000000003210000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254343187447818/passwords.txt
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340625873.0000000003230000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://cdn.discordapp.com/attachments/882953645983957012/883254346521927710/Capture.jpg
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://cdn.discordapp.com/avatars/
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319503161.0000000002E58000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: https://discord.com
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://discord.com/api/webhooks/882954273980284939/Oo5CKwHMkILgJiucQhx_aJyEIHFxNaStS_Rgc-0H9Qm-hz7q
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274686155.0000000002830000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.320190582.0000000003000000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340625873.0000000003230000.00000004.00000001.sdmpString found in binary or memory: https://discord.com8
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319503161.0000000002E58000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: https://discord.comx
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://discordapp.com/api/v8/users/
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://i.imgur.com/vgxBhmx.png
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274650996.0000000002811000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319787894.0000000002EFA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340579707.00000000031F1000.00000004.00000001.sdmpString found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://ip4.seeip.org
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340284669.0000000003029000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.org/
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274271699.000000000264C000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.319252949.0000000002DF9000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340284669.0000000003029000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.orgx
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274650996.0000000002811000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254211461136404/cookies.txt
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274686155.0000000002830000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254213243719690/passwords.txt
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274730267.0000000002850000.00000004.00000001.sdmp, ConDrv.1.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254216330711070/Capture.jpg
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.319787894.0000000002EFA000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254299721863178/cookies.txt
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.320128808.0000000002FE9000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254301399584779/passwords.txt
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.320190582.0000000003000000.00000004.00000001.sdmp, ConDrv.12.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254304713080833/Capture.jpg
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340579707.00000000031F1000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254341446795304/cookies.txt
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340604241.0000000003210000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254343187447818/passwords.txt
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340625873.0000000003230000.00000004.00000001.sdmp, ConDrv.16.drString found in binary or memory: https://media.discordapp.net/attachments/882953645983957012/883254346521927710/Capture.jpg
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274686155.0000000002830000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000001.00000002.274298274.000000000266D000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000002.320190582.0000000003000000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340625873.0000000003230000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: XdPHZWGz4k.exeString found in binary or memory: https://www.countryflags.io/
                      Source: XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: https://www.countryflags.io/CH/flat/48.png
                      Source: XdPHZWGz4k.exe, 00000001.00000002.274406226.00000000026AA000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 0000000C.00000003.318001084.000000001D007000.00000004.00000001.sdmp, XdPHZWGz4k.exe, 00000010.00000002.340408555.000000000308A000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: unknownDNS traffic detected: queries for: ip4.seeip.org
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET //json/84.17.52.41 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

                      E-Banking Fraud:

                      barindex
                      Yara detected MercurialGrabberShow sources
                      Source: Yara matchFile source: XdPHZWGz4k.exe, type: SAMPLE
                      Source: Yara matchFile source: 12.2.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.0.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.0.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000C.00000000.298642309.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.339741238.0000000000AF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.273139663.00000000003A2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.315911277.0000000000AF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.253502407.00000000003A2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.318186750.0000000000BC2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.272744068.000000001C9D5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 6384, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 3208, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: XdPHZWGz4k.exe PID: 6372, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe, type: DROPPED

                      System Summary:

                      barindex
                      Malicious sample detected (through community Yara rule)Show sources
                      Source: XdPHZWGz4k.exe, type: SAMPLEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 12.2.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 1.0.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 16.2.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 1.2.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 12.0.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: 16.0.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPEMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe, type: DROPPEDMatched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
                      Source: XdPHZWGz4k.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: XdPHZWGz4k.exe, type: SAMPLEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 12.2.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 1.0.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 16.2.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 1.2.XdPHZWGz4k.exe.3a0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 12.0.XdPHZWGz4k.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: 16.0.XdPHZWGz4k.exe.af0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe, type: DROPPEDMatched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeCode function: 1_2_00007FFA16806F921_2_00007FFA16806F92
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeCode function: 1_2_00007FFA168061E61_2_00007FFA168061E6
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA16586FA212_2_00007FFA16586FA2
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA1658BD9912_2_00007FFA1658BD99
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA165861F612_2_00007FFA165861F6
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA16585CF912_2_00007FFA16585CF9
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 16_2_00007FFA165A6F9216_2_00007FFA165A6F92
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 16_2_00007FFA165A61E616_2_00007FFA165A61E6
                      Source: XdPHZWGz4k.exeBinary or memory string: OriginalFilename vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 00000001.00000002.273139663.00000000003A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDiscordpro.exe4 vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 00000001.00000002.273171481.0000000000750000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exeBinary or memory string: OriginalFilename vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 0000000C.00000000.298642309.0000000000BC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDiscordpro.exe4 vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 0000000C.00000002.318381575.0000000000FBB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exeBinary or memory string: OriginalFilename vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 00000010.00000002.339741238.0000000000AF2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDiscordpro.exe4 vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exe, 00000010.00000002.339841701.0000000000F95000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exeBinary or memory string: OriginalFilenameDiscordpro.exe4 vs XdPHZWGz4k.exe
                      Source: XdPHZWGz4k.exeVirustotal: Detection: 53%
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile read: C:\Users\user\Desktop\XdPHZWGz4k.exeJump to behavior
                      Source: XdPHZWGz4k.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\XdPHZWGz4k.exe 'C:\Users\user\Desktop\XdPHZWGz4k.exe'
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe 'C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe'
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe 'C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exe'
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XdPHZWGz4k.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile created: C:\Users\user\AppData\Local\Temp\cookies.dbJump to behavior
                      Source: classification engineClassification label: mal78.troj.spyw.evad.winEXE@6/18@9/4
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
                      Source: XdPHZWGz4k.exe, 00000001.00000002.273171481.0000000000750000.00000004.00000020.sdmpBinary or memory string: ;.VBP
                      Source: XdPHZWGz4k.exeString found in binary or memory: copy to : /\launcher_profiles.json5Minecraft Session Profiles-launcher_profiles.json'multipart/form-data
                      Source: XdPHZWGz4k.exeString found in binary or memory: #Minecraft SessionKUnable to find launcher_profiles.jsonE\.minecraft\launcher_accounts.json/\launcher_accounts.json-launcher_accounts.jsonKUnable to find launcher_accounts.json
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeAutomated click: OK
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeAutomated click: OK
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeAutomated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: XdPHZWGz4k.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: XdPHZWGz4k.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeCode function: 1_2_00007FFA16800442 pushad ; ret 1_2_00007FFA16800451
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeCode function: 12_2_00007FFA16580442 pushad ; ret 12_2_00007FFA16580451
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeFile created: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeJump to dropped file
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial GrabberJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial GrabberJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\XdPHZWGz4k.exeProcess information set: NOOPENFILEERRORBOX