General

  • Target

    Panda.rar

  • Size

    1.6MB

  • Sample

    230903-n3pgkaaa49

  • MD5

    4437ac3835d44b9910b94d2da116b336

  • SHA1

    7aa8fc727102b48d2089aca086340248fd3adc5a

  • SHA256

    31d3809aa0b8e36970d1949551f9a4cdea927cca137ca5a752650209382431d8

  • SHA512

    4f7e0865bcc7285ef2ae8413a9341c1f40831263e223478238770e82913566c764ca7b1a40ba25e905a5cb4554b3b9cebdda0987708bd3421ed4f3afea2eb85e

  • SSDEEP

    24576:9cJreOpXow7eD5dwIG6GzULcFGgG4Zsg2gz33DXXnSecEGjoI+LUl5hJsF8fQR:6XpXowSDvwIcWcF1GKj36EGYWJsFkg

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/960950114506137713/2VnEvTnRUjX3Q7jSvAeHvgUeWoeWrHD-r2E7c3d8XPPxFaj_tSm0MlikzmnIxO4nnsn0
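How a config like the one above gets pulled out of the sample, as an added example (not the sandbox's own extractor and not Mercurial Grabber code): scan the file for Discord webhook URLs in both ASCII and UTF-16LE, because a C# stealer keeps its hardcoded webhook in the .NET #US heap as UTF-16LE and a plain `strings` pass misses it, then decode the webhook id as a Discord snowflake to get the time the attacker created it. The host alternatives and the 60-character minimum token length in the regex are permissive assumptions; the sample bytes below are constructed around the C2 URL from this report, not taken from the binary.

```python
from __future__ import annotations
import re
from datetime import datetime, timezone

# Discord webhook URL: /api/webhooks/{snowflake id}/{url-safe token}.
# Host variants and the 60+ token length are assumptions kept deliberately loose.
WEBHOOK_RE = re.compile(
    rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})"
)

# Discord's snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS,
    so the webhook id alone reveals when the webhook was created."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def _views(data: bytes):
    """Yield the raw bytes plus ASCII projections of both UTF-16LE alignments.
    Non-ASCII code points become '?', so a match is always an exact byte-for-byte URL."""
    yield "ascii", data
    for off in (0, 1):  # a UTF-16LE string may start at an odd file offset
        text = data[off:].decode("utf-16-le", errors="replace")
        yield f"utf16le@{off}", text.encode("ascii", errors="replace")


def extract_webhooks(data: bytes) -> list[dict]:
    """Return every distinct Discord webhook URL in `data`, with the encoding it was
    found in and the creation time derived from its id."""
    hits: dict[str, dict] = {}
    for encoding, view in _views(data):
        for m in WEBHOOK_RE.finditer(view):
            url = m.group(0).decode()
            if url in hits:
                continue  # same URL seen via another alignment
            webhook_id = int(m.group(1))
            hits[url] = {
                "url": url,
                "id": webhook_id,
                "token": m.group(2).decode(),
                "encoding": encoding,
                "created_utc": snowflake_to_datetime(webhook_id).isoformat(timespec="seconds"),
            }
    return list(hits.values())


# Constructed stand-in for the sample (not real file contents): padding that puts the
# C2 URL from the report at an odd offset, stored UTF-16LE like a .NET #US heap string,
# followed by an unrelated ASCII URL that must not match.
C2_URL = ("https://discord.com/api/webhooks/960950114506137713/"
          "2VnEvTnRUjX3Q7jSvAeHvgUeWoeWrHD-r2E7c3d8XPPxFaj_tSm0MlikzmnIxO4nnsn0")
SAMPLE_BYTES = (b"MZ\x90\x00" + b"\x00" * 64 + b"\x01"
                + C2_URL.encode("utf-16-le") + b"\x00\x00"
                + b"https://example.com/api/not-a-webhook\x00")


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BYTES):
        print(f"{hook['encoding']:10} id={hook['id']} created={hook['created_utc']}")
        print(f"           {hook['url']}")
```

Run `extract_webhooks(open(path, "rb").read())` over the extracted Panda_Panel.exe or Panda_System.exe to reproduce the C2 entry; the creation time is derived from the id and is not something the report states. While a webhook is still live, an unauthenticated GET on its URL returns the webhook object as JSON, which is a quick way to confirm the C2 is still active before reporting it.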

Targets

    • Target

      Panda Regedit/Guna.UI2.dll

    • Size

      3.7MB

    • MD5

      de97f5f8b11269f60e9b0a0d66266a4c

    • SHA1

      ac01b2bf4238810c5db34b436f77de4c9182b1d7

    • SHA256

      7c6196edac2b156e5da4556f391d3486250960dab1d1ca093cd6cfdde59a3a84

    • SHA512

      9f196e961b8d4a1e4b3f2bf1ae4f2145978503f54460c28e95fd49b1998964f6d1c8fe8da3a6a48183d00c5645fbc28ba9d1dd1e875f008739085fb6e466ff87

    • SSDEEP

      24576:X8Svg5GTdeww/MRvUtyfaFVIefE4A4HXvcrZLMpsWM4RjmcPhL+HQ/jz:LTq/MGuKIh+XMCa7c

    • Score

      1/10

    • Target

      Panda Regedit/Panda_Panel.exe

    • Size

      889KB

    • MD5

      89a318e3f4ab22a7d59e788628fc4f8c

    • SHA1

      05fd6065f8ff1f356c352ce836bcd25f861a85bf

    • SHA256

      97815efda6c181706b97f3a030a3c0bbc481a5ebb7062ae84b1d2f38c6dd8d41

    • SHA512

      3d0172cedf9b0ef9f859f9eb8426144350adc32258504227749e2a3c6a07ec151123f19f3180edfb5ea4ddfe90c59ffd7297403995da7ba82a0ee29531a81baa

    • SSDEEP

      24576:hFfISEtqavW9da+xzd6IMYLpWvKFFfFfI:D1javWD7nZp/FFV

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Panda Regedit/Panda_System.exe

    • Size

      52KB

    • MD5

      c8d127e6c857f185024aca7723f51b75

    • SHA1

      d2f5f3393958b6d500619ff4a0e2dd9bfe582ff5

    • SHA256

      03e57f5f5c6b391006c256fe071ce7154048726e7ac3c692418bb8f14fe94317

    • SHA512

      9b0c187f8bcf8168a18779bf509aa53b63f70e3151fc1f96eb1093dfd42b07ecb87d95c439af407d14ad0a2c546c317dde69997439d0465ddcb66c9402242d6b

    • SSDEEP

      768:XscGoApPJOJTwfDuZwe2WTjxAKZKfgm3EhW7liUpuhXQOOhl:8c8PQALe2WTSF7EI7YooQOOh

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15