General

  • Target

    5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa

  • Size

    593KB

  • Sample

    220319-n3emcshce2

  • MD5

    c43fe8c5ca00ddf821a56b2b6ccc8584

  • SHA1

    dc0424cf138ae4cd0d6c52d684fb1df3bd5af6f1

  • SHA256

    5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa

  • SHA512

    e29ebd1b452c1dae15ebb7b30f8955be74dec4d07c5a0f48dcf190f638a9bba79ca8fc02c9ad413c10af6081621576d3ebd1b4ffda2c9afb1b61a00cc064af86

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/926732875158675478/6csAuzJ3Xvb9h9BDk-AfAIf-_0q1Afnq5Q7F4l1ACtT7yl9nQbX784HIUvIz3kDgK3Fk

Extracted

Family

quasar

Mutex

Attributes
  • encryption_key

  • install_name

  • log_directory

  • reconnect_delay

    3000

  • startup_key

  • subdirectory

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Ooof test

C2

108.46.243.186:666

127.0.0.1:666

Mutex

VNM_MUTEX_65QdrIjc0h275Ml7aF

Attributes
  • encryption_key

    uIglS4TyzvrzJnsc0TSp

  • install_name

    $77-Unreal.exe

  • log_directory

    na

  • reconnect_delay

    3000

  • startup_key

    SR-Client

  • subdirectory

    SubDir

Targets

    • Target

      5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa

    • Size

      593KB

    • MD5

      c43fe8c5ca00ddf821a56b2b6ccc8584

    • SHA1

      dc0424cf138ae4cd0d6c52d684fb1df3bd5af6f1

    • SHA256

      5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa

    • SHA512

      e29ebd1b452c1dae15ebb7b30f8955be74dec4d07c5a0f48dcf190f638a9bba79ca8fc02c9ad413c10af6081621576d3ebd1b4ffda2c9afb1b61a00cc064af86

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v6

Tasks