Malware analysis Mercurial.Grabber.v1.03.rar Malicious activity

Add for printing

File name:	Mercurial.Grabber.v1.03.rar
Full analysis:	https://app.any.run/tasks/945d5269-7d27-4e0e-87dd-33cc2f8526d6
Verdict:	Malicious activity
Analysis date:	August 13, 2024, 01:38:39
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	antivm mercurialgrabber
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	635903BAD1ADA856D701F34D3070CCD9
SHA1:	3FF98D91B9A3A47BF9F64BDF161EFB9C5AC99FB0
SHA256:	3759744039346620E9613F40F90E8F318E5F54AD49C070E2BD23B667F7E65BF6
SSDEEP:	49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts Visual C# compiler
  - Mercurial.exe (PID: 3844)
- MERCURIALGRABBER has been detected (YARA)
  - output.exe (PID: 1048)
SUSPICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 6808)
  - csc.exe (PID: 3324)
- There is functionality for taking screenshot (YARA)
  - Mercurial.exe (PID: 3844)
- There is functionality for VM detection (VMWare)
  - Mercurial.exe (PID: 3844)
- There is functionality for VM detection (VirtualBox)
  - Mercurial.exe (PID: 3844)
- Uses .NET C# to load dll
  - Mercurial.exe (PID: 3844)
- Executable content was dropped or overwritten
  - csc.exe (PID: 3324)
- Read disk information to detect sandboxing environments
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Reads the BIOS version
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
INFO
- Reads the computer name
  - Mercurial.exe (PID: 3844)
  - TextInputHost.exe (PID: 6536)
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Reads the machine GUID from the registry
  - Mercurial.exe (PID: 3844)
  - csc.exe (PID: 3324)
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6808)
- Manual execution by a user
  - Mercurial.exe (PID: 3844)
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Checks supported languages
  - Mercurial.exe (PID: 3844)
  - TextInputHost.exe (PID: 6536)
  - cvtres.exe (PID: 4088)
  - csc.exe (PID: 3324)
  - output.exe (PID: 4208)
  - output.exe (PID: 1048)
- Create files in a temporary directory
  - Mercurial.exe (PID: 3844)
  - cvtres.exe (PID: 4088)
- Checks proxy server information
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Reads Environment values
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)
- Disables trace logs
  - output.exe (PID: 1048)
  - output.exe (PID: 4208)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1048

"C:\Users\admin\Downloads\output.exe"

C:\Users\admin\Downloads\output.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\downloads\output.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1120

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3324

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\kudz35n5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Mercurial.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3844

"C:\Users\admin\Downloads\Mercurial.exe"

C:\Users\admin\Downloads\Mercurial.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Mercurial

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\mercurial.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESFFA9.tmp" "c:\Users\admin\Downloads\CSCC52ECB602A464B54BAB75D6DD4F99EF3.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.32.31326.0

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4208

"C:\Users\admin\Downloads\output.exe"

C:\Users\admin\Downloads\output.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\downloads\output.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4692

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

output.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5072

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

output.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6536

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

6712

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

10 123

Read events

10 084

Write events

Delete events

Modification events


(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Mercurial.Grabber.v1.03
(PID) Process:	(6808) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.4.cs		text
		MD5:FAE5458A5B3CEE952E25D44D6EB9DB85	SHA256:240478BB9C522341906A0EF376E0188CE6106856A26A3AE0F7B58AF07A377A06
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.0.cs		text
		MD5:F3ED6F312DEBBD5AF986C762050D9542	SHA256:3559CA033CBF3B6B63E0B40EF2191EF0BA8E334D3C6085BE24406A4908D6C6B1
6808	WinRAR.exe	C:\Users\admin\Downloads\Mercurial.exe		executable
		MD5:A9477B3E21018B96FC5D2264D4016E65	SHA256:890FD59AF3370E2CE12E0D11916D1AD4EE9B9C267C434347DBED11E9572E8645
6808	WinRAR.exe	C:\Users\admin\Downloads\readme.txt		text
		MD5:77976AB4F7B14569DD64F212CE6EE64E	SHA256:044B863E9895E669D45D97D44A4F80F2B9AC5F941635EF3C1E9F39AD12747ECF
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.6.cs		text
		MD5:8EC0F0E49FFE092345673AB4D9F45641	SHA256:93B9F783B5FAED3ECFAFBE20DFCF1BEE3CE33F66909879CD39AE88C36ACBDFAC
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.3.cs		text
		MD5:6BA707982EE7E5F0AE55CE3FA5CCAD17	SHA256:19AF9BEA270F830354AF8250CD82DB32FDCAB6327D139E2720713FB7D43A5797
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.7.cs		text
		MD5:05206D577CE19C1EF8D9341B93CD5520	SHA256:E2BBDC7BA4236F9C4CB829D63137FDAC3A308FD5DA96ACEA35212BEAFE01B877
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.5.cs		text
		MD5:42F157AD8E79E06A142791D6E98E0365	SHA256:E30402CD45589982489719678ADF59B016674FAA6F7A9AF074601E978CC9A0ED
3844	Mercurial.exe	C:\Users\admin\AppData\Local\Temp\kudz35n5.8.cs		text
		MD5:7AE06A071E39D392C21F8395EF5A9261	SHA256:00E152629BDBF25A866F98E6FC30626D2514527BEEF1B76EBB85B1F5F9C83718
6808	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Mercurial.Grabber.v1.03\Mercurial.exe		executable
		MD5:A9477B3E21018B96FC5D2264D4016E65	SHA256:890FD59AF3370E2CE12E0D11916D1AD4EE9B9C267C434347DBED11E9572E8645

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6508	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6456	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4016	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5240	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5336	SearchApp.exe	104.126.37.176:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1360	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
www.bing.com	104.126.37.176 104.126.37.163 104.126.37.139 104.126.37.123 104.126.37.130 104.126.37.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.2 20.190.159.23 20.190.159.73 20.190.159.4 40.126.31.69 20.190.159.64 20.190.159.75 20.190.159.68	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
th.bing.com	104.126.37.130 104.126.37.139 104.126.37.176 104.126.37.163 104.126.37.131 104.126.37.123	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
arc.msn.com	20.199.58.43	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Mercurial.Grabber.v1.03.rar

635903BAD1ADA856D701F34D3070CCD9

3FF98D91B9A3A47BF9F64BDF161EFB9C5AC99FB0

3759744039346620E9613F40F90E8F318E5F54AD49C070E2BD23B667F7E65BF6

49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts Visual C# compiler

MERCURIALGRABBER has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

There is functionality for taking screenshot (YARA)

There is functionality for VM detection (VMWare)

There is functionality for VM detection (VirtualBox)

Uses .NET C# to load dll

Executable content was dropped or overwritten

Read disk information to detect sandboxing environments

Reads the BIOS version

INFO

Reads the computer name

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Manual execution by a user

Checks supported languages

Create files in a temporary directory

Checks proxy server information

Reads Environment values

Disables trace logs

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings