General

  • Target

    eulen setup.exe

  • Size

    168KB

  • Sample

    231105-lj9maadg61

  • MD5

    2ca228c7984f45002fca353b6a4bfedc

  • SHA1

    24f37766540dda7110aa3a342e137537b5e7821a

  • SHA256

    fd0d60615c38683ae85a5ef1ab2beaed160ebe700acdcec25312339adad88fda

  • SHA512

    6114dbc03375ba2e4c83af3b92979294743dbb0d674ee8375f94bdb3b05642323d6c597523ccb20f7c61096631600fdb1930e1f92ae7207c36f1735ae597378a

  • SSDEEP

    3072:YAWpXLyTpF7EwQTZyElBXc2gjRTNKKujXjoimNxyJy/gVCp6TGJuDgN5:YAWpXgREBXcrxNUSxJoU6TD4

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/917748860682657832/sSsKt4ikHoi9zkepKqNjrrQK503_MnWsxInF6XnFlC2W3mmbZI320rx6s-R3dnG3i8W3

Targets

    • Target

      eulen setup.exe

    • Size

      168KB

    • MD5

      2ca228c7984f45002fca353b6a4bfedc

    • SHA1

      24f37766540dda7110aa3a342e137537b5e7821a

    • SHA256

      fd0d60615c38683ae85a5ef1ab2beaed160ebe700acdcec25312339adad88fda

    • SHA512

      6114dbc03375ba2e4c83af3b92979294743dbb0d674ee8375f94bdb3b05642323d6c597523ccb20f7c61096631600fdb1930e1f92ae7207c36f1735ae597378a

    • SSDEEP

      3072:YAWpXLyTpF7EwQTZyElBXc2gjRTNKKujXjoimNxyJy/gVCp6TGJuDgN5:YAWpXgREBXcrxNUSxJoU6TD4

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks