General

  • Target

    14-11-2023_VUBSUFEkriWDh1D.rar

  • Size

    11.6MB

  • Sample

    231114-lajz9sad3z

  • MD5

    4be2e7f28c6fd64cee77c73f46359548

  • SHA1

    327a78d1f0b87418d612c656592b7d5b57d260d3

  • SHA256

    ba21c2f23d365ac2809dac09e2b41c2b345d17bef526ad6623b6920ea28dc61b

  • SHA512

    243bdf001ec81fcfb23c22806be8e12cf273053aeb62a10c2051f3c2943c8e35d687bca1d0e5f0a2335a96666d928ed6c3cf1e0063b70d9e4f7a6bb9c0ff9191

  • SSDEEP

    196608:L1ePaxxQJH2eFEdbHBhg2Xkb/8tz6GSh41KTx6G981T2JV15sjl+oBnlTyZW+mrn:LgPmeN6AjE6GSCKNL15gllnMPoEfENAq

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/887304484844339250/sTQt9knbeiUf2bJPMZ4uxOEZ2mFmxtbw1S3JZvhKpMU-hSQtSzNllJidmjM8oJmI2wpt

Targets

    • Target

      AveryNuker-main/RUN THIS.bat

    • Size

      36B

    • MD5

      ac5a055121ce64833b6f28e89d4e0f97

    • SHA1

      b0404dc53ce85b2dedf78fda85b78e05f11df767

    • SHA256

      e66438d809880170de240ae93b75cbe261aeb2532051f58d3cb0fad276555d9d

    • SHA512

      b1ceac00c176195c642497f7a19025f2d9b4487b7db35a29434b4a56eef0eb2dba0ebed17b802e90b37b7ac3c472d0e9dfc7cfb6e4489d49510f31ed306eb417

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      AveryNuker-main/Scraped/avery.exe

    • Size

      11.8MB

    • MD5

      3787b2b88bacbc10782d9ff6f9fe7d9a

    • SHA1

      d7d4f3fdd821981a9f30ce26f93bb8dd09f7a36d

    • SHA256

      7e4422eb6169de27b1eec071c4fdbdb82ec4b91f73c09b27cd6015403f717ca8

    • SHA512

      b02dfd7d21ff3229be32aac1ac4f05713cb157b0f5ee758bfd67ca81047be95979df022796014757272d8c47a1148fcbe3c83ccb2f9a9e36f580d34c9d7322a6

    • SSDEEP

      196608:Zm0DeG/M9onJ5hrZERdW3q+09iq2pPefB2WZufOuD9LaKyPgVFccckLQuxHGvi9v:neGk9c5hlERblh2pW2WmfDZhkUL+OGq

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      AveryNuker-main/avery.exe

    • Size

      41KB

    • MD5

      975e8aed42ef6368efd5a66204d4818a

    • SHA1

      5d48ef440ba147a27dfa5236fcbf426a34a21e2a

    • SHA256

      24e33a4716587fc8f330f77da68493f52b46311cf0e87681dd35e4ce6b912e51

    • SHA512

      07ea3d9d56f897021858490da38ce84747e788c8c5a8b49e8d9c021e8b57a97a9d54efe851b06afc08bfc4687c374ad7d5d02baa94188ae3d0f13fd8727caee6

    • SSDEEP

      768:TscG4ApfT6aGpDXswguZkeVWTjUHKZKfgm3Ehqt:IcKfnGEeVWTUF7EEt

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      AveryNuker-main/avery.py

    • Size

      17KB

    • MD5

      f7f34aad4e7521d7e4358abfa3f6f715

    • SHA1

      dfc0b706cfe3e634a56d7c06be2efca5a3cabfa7

    • SHA256

      d8b1d13e052ad38bd7e88f325d94aaf8ca245d96fa310545cb6d618ab1ab4d7d

    • SHA512

      0c5d9e34479a1d1bfff7117dfc943c84882e26beb5a26bdfc8e79f1309179428fe40e1ea2aa65f94006be9725f98b6c0ac372b8cad1d6803129d2ae5cb65cdb6

    • SSDEEP

      192:ADhumGIrgD51a3de6kklVkpK6/fB/dzB0po2E/4/Jll71JQj5fh81JhT8c0ONsEZ:ADhumGz543Q6kell71JQhh81JhLNso

    • Score

      3/10
