General

  • Target

    zeo customize by existed.zip

  • Size

    6.5MB

  • Sample

    230418-j7nzdacb31

  • MD5

    c8c4dfbcdef1f1d5b4d4fe904dcbe12b

  • SHA1

    200edc7afa66bebd8cd3fa3eb0b8e2a74b2ab48e

  • SHA256

    daefb71169cc93b902ab3ae0a751112c778cdffead65a7f61415941d7b3dc8ab

  • SHA512

    d242e861067cb45147906bfd23119661e921410c9b3493e381d4942a04b2fa55dedc1fedfd709be04306a82c97a6b2225957628adaf65dc40281dfcf9eeca7bc

  • SSDEEP

    196608:BDdIsVIv6U1gZZDg5aeiQCjp6OB3NAbTj6r:RdIsVIv6agZZDg5aeiDB3NAbQ

Malware Config

Extracted

  • Family

    mercurialgrabber

  • C2

    https://discord.com/api/webhooks/1096249713898049616/jTQtBnFPwtNZuwkWUgtygCMCRjQvSCBdssFDworAO3LYt9HOwNz5jq-g2jHg1mqm4gtB

Targets

    • Target

      zeo customize by existed/Aiohttps.exe

    • Size

      42KB

    • MD5

      9ecd8b63174404bef96d09438f19141e

    • SHA1

      5bfeb4dddeb4b486c314ecfc039c7bce00001bd4

    • SHA256

      87b1e00f45b839c84d501004e5ad4f44963d1b8ab78e02eff59170c137ea0507

    • SHA512

      d38c63c1440b67e875d7ff690ec1964e10879e24e8f35ee12e44bcac74074de9b60b0d7f4c1044e3e809d97ac39746030ba7856c59ef57509055d6c25b80b374

    • SSDEEP

      768:FqevTetQDGm8juZNLoSTje6KZKfgm3EhUP:wYSQD8SLoST66F7EyP

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      zeo customize by existed/zeogen.exe

    • Size

      6.6MB

    • MD5

      c6c519e43407eaaaf240077f1e8fa418

    • SHA1

      d5b20223f96619e997ab58d5e98cd10322a2abd3

    • SHA256

      43717d6c756379b64d7f8289e2bcd7a585ced7fcde720db6171a190de648dbd2

    • SHA512

      db7c66076db109c245104b90e82cf9bb2773e9d501501e752bf91fd3b59b03f2d1c33afd1f86f558f2930f4aa80a2a2aa449ea4d4a588bf12b06cd3d2fe870a6

    • SSDEEP

      196608:8T6DSL2Vmd6+D0JJVAzDaku99mEQcy6d/AyfRL6:PSL2Vmd6m0JJVAzDakArZd/Ayf

    • Score

      7/10

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks