General

  • Target

    Scarlet Fire.mp3.exe.vir

  • Size

    70KB

  • Sample

    220617-yalkbaffc5

  • MD5

    57924054a1b3516c97641003c14c58e8

  • SHA1

    9270f1beecf71d576a62eeb9bd72bfef62630fcf

  • SHA256

    3a4749bc15a6dc1d86629e0bdac7c7ab8b928ce48e3f52d64adf191eef785cb3

  • SHA512

    5cf2ba72fc2163a40398ec98cdeb9d631d5d9fe870488f63fe1092f3ae2aa4c68f226059c7acf1eff36695c00dc7afbdc36016ebc643b46b5e41dd9a24e36e60

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/987060454520143972/rPz8q4JjnA4mh1R92et8VKh7pvMkSOZ4EGEy_g6NnzZinjwIOl7CP5pwIMe1ys9bICw9

Targets

    • Target

      Scarlet Fire.mp3.exe.vir

    • Size

      70KB

    • MD5

      57924054a1b3516c97641003c14c58e8

    • SHA1

      9270f1beecf71d576a62eeb9bd72bfef62630fcf

    • SHA256

      3a4749bc15a6dc1d86629e0bdac7c7ab8b928ce48e3f52d64adf191eef785cb3

    • SHA512

      5cf2ba72fc2163a40398ec98cdeb9d631d5d9fe870488f63fe1092f3ae2aa4c68f226059c7acf1eff36695c00dc7afbdc36016ebc643b46b5e41dd9a24e36e60

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • suricata: ET MALWARE NightfallGT Mercurial Grabber

      suricata: ET MALWARE NightfallGT Mercurial Grabber

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks