General

  • Target

    ICEY LOADER 2022.exe

  • Size

    4MB

  • Sample

    220924-ndvbhscedq

  • MD5

    170343dae67f141321e31a6b1bf981f4

  • SHA1

    322d6493902eb57c4459e87dfea219b8aed9ba44

  • SHA256

    c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2

  • SHA512

    f89895ea2778362866408fbbd7d12164440d9a98b02eb325d7d820a6fcdac4c4046460909b7c62f1937cd60c0546dd74c4dc4d502fd58722183f9c7b951ef727

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1001432779277488129/ds6qwagh9qP4fRBOS0tRY_aM9hwOb5u7JARhwuzCEBGuhKBT8AQuW2d7u1RzTBLa_LSp

Extracted

Family

nanocore

Version

1.2.2.0

C2

hackenamin.duckdns.org:8080

127.0.0.1:8080 (this is the backup_connection_host placeholder from the attributes below; loopback is not an actionable indicator)

Attributes

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-05-07T11:48:21.790283936Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8080
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760 bytes, 10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
mutex: 35523077-e7cb-4a73-80a9-6f6f0dc2b313
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: hackenamin.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
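The attribute list above is what an analyst has to turn into blocklist entries and hunting notes. The following is an added example (not tooling from the sandbox that produced this report) that parses the extracted NanoCore config in key: value form, filters out the loopback backup host, and flags the settings that change how the implant should be handled on a live host. The config text embedded in the block is a copy of the attributes above; the hunting notes are this example's own interpretation of those flags.

```python
"""Turn an extracted NanoCore 1.2.2.0 config into actionable indicators.

Added example, not the sandbox's own tooling. NANOCORE_CONFIG is a copy of
the attributes listed in this report, written as 'key: value' lines.
"""
import ipaddress
from typing import Dict, List

NANOCORE_CONFIG = """\
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-05-07T11:48:21.790283936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8080
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 35523077-e7cb-4a73-80a9-6f6f0dc2b313
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: hackenamin.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
"""


def parse_config(text: str) -> Dict[str, object]:
    """Parse 'key: value' lines into typed values (None for an empty value)."""
    cfg: Dict[str, object] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")  # split on the first ':' only (timestamps contain ':')
        key, value = key.strip(), value.strip()
        if value == "":
            cfg[key] = None
        elif value in ("true", "false"):
            cfg[key] = value == "true"
        else:
            try:
                cfg[key] = int(value)
            except ValueError:
                try:
                    cfg[key] = float(value)  # e.g. 1.048576e+07
                except ValueError:
                    cfg[key] = value  # hostnames, IPs, GUIDs, version strings
    return cfg


def _is_actionable_host(host: str) -> bool:
    """Hostnames are always worth blocking; loopback/private IPs are placeholders."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_unspecified or ip.is_private)


def triage(cfg: Dict[str, object]) -> Dict[str, object]:
    """Derive block entries, the mutex to hunt for, and handling notes from the config."""
    port = cfg["connection_port"]
    hosts = (cfg.get("primary_connection_host"), cfg.get("backup_connection_host"))
    block = [f"{h}:{port}" for h in hosts if isinstance(h, str) and _is_actionable_host(h)]
    notes: List[str] = []
    if cfg.get("use_custom_dns_server"):
        notes.append(f"resolves C2 via hardcoded resolvers {cfg['primary_dns_server']} / "
                     f"{cfg['backup_dns_server']}, bypassing internal DNS logging")
    else:
        notes.append("use_custom_dns_server is false: C2 lookups use the host resolver, "
                     "so internal DNS logs will show the C2 hostname")
    if cfg.get("set_critical_process"):
        notes.append("set_critical_process: terminating the process bugchecks the host; "
                     "suspend it or clear the critical flag before killing it")
    if cfg.get("bypass_user_account_control") or cfg.get("request_elevation"):
        notes.append("expects to run elevated (UAC bypass / elevation request enabled)")
    if not cfg.get("run_on_startup"):
        notes.append("run_on_startup is false: NanoCore's own persistence is off, "
                     "so attribute any observed Run key to another component")
    return {"block": block, "mutex": cfg.get("mutex"), "version": cfg.get("version"), "hunt_notes": notes}


if __name__ == "__main__":
    for k, v in triage(parse_config(NANOCORE_CONFIG)).items():
        print(f"{k}: {v}")
```

The point of `_is_actionable_host` is the 127.0.0.1 entry in the C2 list: it is the backup_connection_host placeholder, and pushing it to a firewall or proxy blocklist would be noise at best. The set_critical_process note matters for responders, since a process marked critical takes the machine down with it when it is killed.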

Targets

    • Target

      ICEY LOADER 2022.exe

    • Size

      4MB

    • MD5

      170343dae67f141321e31a6b1bf981f4

    • SHA1

      322d6493902eb57c4459e87dfea219b8aed9ba44

    • SHA256

      c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2

    • SHA512

      f89895ea2778362866408fbbd7d12164440d9a98b02eb325d7d820a6fcdac4c4046460909b7c62f1937cd60c0546dd74c4dc4d502fd58722183f9c7b951ef727

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • NanoCore

      NanoCore is a .NET-based remote access tool (RAT) with modular (plugin) capabilities; the configuration extracted above is from version 1.2.2.0.

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

      The Mercurial Grabber component reports to a Discord webhook (see the extracted C2 above), so exfiltration blends into ordinary HTTPS traffic to discord.com.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
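The signatures above are the sandbox's verdicts; each one is a pattern over the API calls it recorded. As an added example (not the sandbox's own signature engine), the block below re-derives them from a constructed, sandbox-style API trace: one JSON object per call, with the registry paths set to the standard locations those checks read (VirtualBox Guest Additions and VMware Tools keys, BIOS description, Disk\Enum, International\Geo, Policies\System\EnableLUA). The pids, file paths, dropped-file name and the list of IP-lookup hosts are assumptions; the mutex and webhook ID are taken from this report.

```python
"""Re-derive this report's behaviour signatures from an API trace.

Added example, not the sandbox's own signature engine. TRACE is a constructed
sandbox-style log (one JSON object per line); pids, paths and the dropped-file
name are invented, the mutex and webhook ID come from the report above.
"""
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

TRACE = r"""
{"pid": 100, "api": "RegOpenKeyExW", "key": "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"}
{"pid": 100, "api": "RegOpenKeyExW", "key": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"}
{"pid": 100, "api": "RegQueryValueExW", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "value": "SystemManufacturer"}
{"pid": 100, "api": "RegQueryValueExW", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", "value": "0"}
{"pid": 100, "api": "RegQueryValueExW", "key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}
{"pid": 100, "api": "RegQueryValueExW", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "value": "EnableLUA"}
{"pid": 100, "api": "CreateMutexW", "name": "35523077-e7cb-4a73-80a9-6f6f0dc2b313"}
{"pid": 100, "api": "CreateFileW", "path": "C:\\Users\\user\\AppData\\Roaming\\update.exe", "access": "GENERIC_WRITE"}
{"pid": 100, "api": "CreateProcessW", "path": "C:\\Users\\user\\AppData\\Roaming\\update.exe"}
{"pid": 200, "api": "RegSetValueExW", "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "update"}
{"pid": 200, "api": "CreateFileW", "path": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "access": "GENERIC_READ"}
{"pid": 200, "api": "InternetOpenUrlW", "url": "http://api.ipify.org/"}
{"pid": 200, "api": "HttpSendRequestW", "url": "https://discord.com/api/webhooks/1001432779277488129/REDACTED"}
"""

# Assumed starter list of public "what is my IP" services; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com", "ipinfo.io"}
NANOCORE_MUTEX = "35523077-e7cb-4a73-80a9-6f6f0dc2b313"  # from the extracted config above

Event = Dict[str, object]


def _key(ev: Event) -> str:
    return str(ev.get("key", ""))


def _host(ev: Event) -> str:
    return (urlparse(str(ev["url"])).hostname or "") if "url" in ev else ""


# Stateless rules: one predicate per report signature.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Looks for VirtualBox Guest Additions in registry",
     lambda ev: "\\Oracle\\VirtualBox Guest Additions" in _key(ev)),
    ("Looks for VMWare Tools registry key",
     lambda ev: "\\VMware, Inc.\\VMware Tools" in _key(ev)),
    ("Checks BIOS information in registry",
     lambda ev: "\\HARDWARE\\DESCRIPTION\\System\\BIOS" in _key(ev)),
    ("Maps connected drives based on registry",
     lambda ev: _key(ev).endswith("\\Services\\Disk\\Enum")),
    ("Checks computer location settings",
     lambda ev: _key(ev).endswith("\\International\\Geo") and ev.get("value") == "Nation"),
    ("Checks whether UAC is enabled",
     lambda ev: _key(ev).endswith("\\Policies\\System") and ev.get("value") == "EnableLUA"),
    ("Adds Run key to start application",
     lambda ev: ev["api"] == "RegSetValueExW" and _key(ev).endswith("\\CurrentVersion\\Run")),
    ("Reads user/profile data of web browsers",
     lambda ev: ev["api"] == "CreateFileW" and "\\User Data\\" in str(ev.get("path", ""))),
    ("Looks up external IP address via web service",
     lambda ev: _host(ev) in IP_LOOKUP_HOSTS),
    ("Legitimate hosting services abused for malware hosting/C2",
     lambda ev: _host(ev) == "discord.com" and "/api/webhooks/" in str(ev.get("url", ""))),
    ("NanoCore mutex from extracted config created",
     lambda ev: ev["api"] == "CreateMutexW" and ev.get("name") == NANOCORE_MUTEX),
]


def match_signatures(trace_text: str) -> List[str]:
    """Return the signature names fired by the trace, in first-hit order."""
    hits: List[str] = []
    written: set = set()
    for line in trace_text.strip().splitlines():
        ev = json.loads(line)
        for name, pred in RULES:
            if pred(ev) and name not in hits:
                hits.append(name)
        # "Executes dropped EXE" needs state: a file written earlier in the trace is later run.
        path = str(ev.get("path", "")).lower()
        if ev["api"] == "CreateFileW" and "WRITE" in str(ev.get("access", "")):
            written.add(path)
        elif ev["api"] == "CreateProcessW" and path in written and "Executes dropped EXE" not in hits:
            hits.append("Executes dropped EXE")
    return hits


if __name__ == "__main__":
    for name in match_signatures(TRACE):
        print(name)
```

Two things to keep in mind when porting these to production telemetry. The registry reads (VM artifacts, BIOS, Disk\Enum, Geo, EnableLUA) are visible to a sandbox because it hooks the API; Sysmon and most EDR products log registry writes and DNS/network events but not reads, so on a live host only the Run key write, the dropped-file execution, the mutex and the outbound requests are realistically detectable. And the Discord rule matches any webhook POST, which is normal for some automation, so it belongs in a correlation with the other hits rather than as a standalone alert.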

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation