General

  • Target

    14-11-2023_VUBSUFEkriWDh1D.rar

  • Size

    11.6MB

  • Sample

    231114-ll8srsbb73

  • MD5

    4be2e7f28c6fd64cee77c73f46359548

  • SHA1

    327a78d1f0b87418d612c656592b7d5b57d260d3

  • SHA256

    ba21c2f23d365ac2809dac09e2b41c2b345d17bef526ad6623b6920ea28dc61b

  • SHA512

    243bdf001ec81fcfb23c22806be8e12cf273053aeb62a10c2051f3c2943c8e35d687bca1d0e5f0a2335a96666d928ed6c3cf1e0063b70d9e4f7a6bb9c0ff9191

  • SSDEEP

    196608:L1ePaxxQJH2eFEdbHBhg2Xkb/8tz6GSh41KTx6G981T2JV15sjl+oBnlTyZW+mrn:LgPmeN6AjE6GSCKNL15gllnMPoEfENAq

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/887304484844339250/sTQt9knbeiUf2bJPMZ4uxOEZ2mFmxtbw1S3JZvhKpMU-hSQtSzNllJidmjM8oJmI2wpt

Targets

    • Target

      14-11-2023_VUBSUFEkriWDh1D.rar

    • Size

      11.6MB

    • MD5

      4be2e7f28c6fd64cee77c73f46359548

    • SHA1

      327a78d1f0b87418d612c656592b7d5b57d260d3

    • SHA256

      ba21c2f23d365ac2809dac09e2b41c2b345d17bef526ad6623b6920ea28dc61b

    • SHA512

      243bdf001ec81fcfb23c22806be8e12cf273053aeb62a10c2051f3c2943c8e35d687bca1d0e5f0a2335a96666d928ed6c3cf1e0063b70d9e4f7a6bb9c0ff9191

    • SSDEEP

      196608:L1ePaxxQJH2eFEdbHBhg2Xkb/8tz6GSh41KTx6G981T2JV15sjl+oBnlTyZW+mrn:LgPmeN6AjE6GSCKNL15gllnMPoEfENAq

    Score
    3/10

    • Target

      AveryNuker-main/README.md

    • Size

      509B

    • MD5

      8c4cc448b17e491a5063c6d4933f34e8

    • SHA1

      773b60c9ce1ef5c67e8d73c81690c62ac30a63df

    • SHA256

      09b8d1616b1abe73c3f610424158555c08858063a25564fe7beb774036dfe91d

    • SHA512

      e3c2b572d79638852ec16e8c86e0c81328533d333a1b89b5ab81681097a77a9eadd632fefd62d15f63033bcd99223874d49ba6aecf1ccf6e0297f16f44bb24d0

    Score
    3/10

    • Target

      AveryNuker-main/RUN THIS.bat

    • Size

      36B

    • MD5

      ac5a055121ce64833b6f28e89d4e0f97

    • SHA1

      b0404dc53ce85b2dedf78fda85b78e05f11df767

    • SHA256

      e66438d809880170de240ae93b75cbe261aeb2532051f58d3cb0fad276555d9d

    • SHA512

      b1ceac00c176195c642497f7a19025f2d9b4487b7db35a29434b4a56eef0eb2dba0ebed17b802e90b37b7ac3c472d0e9dfc7cfb6e4489d49510f31ed306eb417

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      AveryNuker-main/Scraped/avery.exe

    • Size

      11.8MB

    • MD5

      3787b2b88bacbc10782d9ff6f9fe7d9a

    • SHA1

      d7d4f3fdd821981a9f30ce26f93bb8dd09f7a36d

    • SHA256

      7e4422eb6169de27b1eec071c4fdbdb82ec4b91f73c09b27cd6015403f717ca8

    • SHA512

      b02dfd7d21ff3229be32aac1ac4f05713cb157b0f5ee758bfd67ca81047be95979df022796014757272d8c47a1148fcbe3c83ccb2f9a9e36f580d34c9d7322a6

    • SSDEEP

      196608:Zm0DeG/M9onJ5hrZERdW3q+09iq2pPefB2WZufOuD9LaKyPgVFccckLQuxHGvi9v:neGk9c5hlERblh2pW2WmfDZhkUL+OGq

    Score
    7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      avery.pyc

    • Size

      24KB

    • MD5

      721d94f7c25e4f62de411a739ae1633b

    • SHA1

      59e9639c597c7134c28bc42420a56d440ce38185

    • SHA256

      9f85bf1bca3fd5687f9873a56d39732be8616982878f0b3908ee85aa0955aadf

    • SHA512

      806bfe0ff5ae7ad808c9ef67ef5ee35a58fa7fe5844591791434c326e198037864c562a5817048fbb62b43374220383d3b25cc5bd9ddfb52456378133534a9fe

    • SSDEEP

      768:go61VcV5OPr9gSUVojeX8eZp9hzSsHWji+NvUmpzhlN:l61j9PioCrDzSsHV+hUGlN

    Score
    3/10

    • Target

      AveryNuker-main/Scraped/channels.txt

    • Size

      2B

    • MD5

      81051bcc2cf1bedf378224b0a93e2877

    • SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    • SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    • SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Score
    1/10

    • Target

      AveryNuker-main/Scraped/members.txt

    • Size

      2B

    • MD5

      81051bcc2cf1bedf378224b0a93e2877

    • SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    • SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    • SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Score
    1/10

    • Target

      AveryNuker-main/Scraped/roles.txt

    • Size

      2B

    • MD5

      81051bcc2cf1bedf378224b0a93e2877

    • SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    • SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    • SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Score
    1/10

    • Target

      AveryNuker-main/avery.exe

    • Size

      41KB

    • MD5

      975e8aed42ef6368efd5a66204d4818a

    • SHA1

      5d48ef440ba147a27dfa5236fcbf426a34a21e2a

    • SHA256

      24e33a4716587fc8f330f77da68493f52b46311cf0e87681dd35e4ce6b912e51

    • SHA512

      07ea3d9d56f897021858490da38ce84747e788c8c5a8b49e8d9c021e8b57a97a9d54efe851b06afc08bfc4687c374ad7d5d02baa94188ae3d0f13fd8727caee6

    • SSDEEP

      768:TscG4ApfT6aGpDXswguZkeVWTjUHKZKfgm3Ehqt:IcKfnGEeVWTUF7EEt

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      AveryNuker-main/avery.py

    • Size

      17KB

    • MD5

      f7f34aad4e7521d7e4358abfa3f6f715

    • SHA1

      dfc0b706cfe3e634a56d7c06be2efca5a3cabfa7

    • SHA256

      d8b1d13e052ad38bd7e88f325d94aaf8ca245d96fa310545cb6d618ab1ab4d7d

    • SHA512

      0c5d9e34479a1d1bfff7117dfc943c84882e26beb5a26bdfc8e79f1309179428fe40e1ea2aa65f94006be9725f98b6c0ac372b8cad1d6803129d2ae5cb65cdb6

    • SSDEEP

      192:ADhumGIrgD51a3de6kklVkpK6/fB/dzB0po2E/4/Jll71JQj5fh81JhT8c0ONsEZ:ADhumGz543Q6kell71JQhh81JhLNso

    Score
    3/10

MITRE ATT&CK Enterprise v15