General

  • Target: Guna.UI2.dll
  • Size: 3.7MB
  • Sample: 230903-n4g4waaa55
  • MD5: de97f5f8b11269f60e9b0a0d66266a4c
  • SHA1: ac01b2bf4238810c5db34b436f77de4c9182b1d7
  • SHA256: 7c6196edac2b156e5da4556f391d3486250960dab1d1ca093cd6cfdde59a3a84
  • SHA512: 9f196e961b8d4a1e4b3f2bf1ae4f2145978503f54460c28e95fd49b1998964f6d1c8fe8da3a6a48183d00c5645fbc28ba9d1dd1e875f008739085fb6e466ff87
  • SSDEEP: 24576:X8Svg5GTdeww/MRvUtyfaFVIefE4A4HXvcrZLMpsWM4RjmcPhL+HQ/jz:LTq/MGuKIh+XMCa7c

Malware Config

Extracted

  • Family: mercurialgrabber
  • C2: https://discord.com/api/webhooks/960950114506137713/2VnEvTnRUjX3Q7jSvAeHvgUeWoeWrHD-r2E7c3d8XPPxFaj_tSm0MlikzmnIxO4nnsn0

Targets

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks