General

  • Target: IMG_F2A69CB1D0CD-1.jpeg
  • Size: 202KB
  • Sample: 230429-3cwkhsed8z
  • MD5: 4adf394b62000084d383fe8286945cc2
  • SHA1: fe9110c7c6a98d41863705aff00f83d5bd874f80
  • SHA256: ad0cfbeb1f0290826790e561d36f12c088813d41c7f62c1307a3e976edaab10d
  • SHA512: b78ae3e8d20c800dc20e65b7d1831a6a6db39297e56f1405434833fb93d3b6cf37edd47d4d33b30735e0b700108ed463a0cfd0e217f4918983fef13fb9730599
  • SSDEEP: 3072:YyVZLoWbAapsSnHprzqFO+Ny/XB6bdt5QRby68ilm5HeJ5fHCv3KKlA:YG95dJPlN/XytSwTioeo3KKlA

Malware Config

Extracted

  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/1102013447467696189/X2EPk6Eghk0_VSVfWoxxI1jhhmJws3jaP0srs2z-qGBe1kNQAmpH9LqJm_iAArUVB2uD

Targets

    • Target: IMG_F2A69CB1D0CD-1.jpeg
    • Size: 202KB
    • MD5: 4adf394b62000084d383fe8286945cc2
    • SHA1: fe9110c7c6a98d41863705aff00f83d5bd874f80
    • SHA256: ad0cfbeb1f0290826790e561d36f12c088813d41c7f62c1307a3e976edaab10d
    • SHA512: b78ae3e8d20c800dc20e65b7d1831a6a6db39297e56f1405434833fb93d3b6cf37edd47d4d33b30735e0b700108ed463a0cfd0e217f4918983fef13fb9730599
    • SSDEEP: 3072:YyVZLoWbAapsSnHprzqFO+Ny/XB6bdt5QRby68ilm5HeJ5fHCv3KKlA:YG95dJPlN/XytSwTioeo3KKlA

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v6

Tasks