General

  • Target

    6a36615061e2320a5f8351a09e63355e

  • Size

    3.0MB

  • Sample

    231222-fjrtkshce2

  • MD5

    6a36615061e2320a5f8351a09e63355e

  • SHA1

    7b7aa5ae3404ca23ce4e166fea61de2fa07dcc9d

  • SHA256

    d123ab9c133d277975f53b3256a36bb0de0420ed640d58ef870bbe8fbb2f5c05

  • SHA512

    b474dd4d104410026368917048aa37a3e2157f157022095b8aff2cb2781ea74953ebca07e94dbee90c1b65f387df8f1a8cd20fa5be817ecc6b8749cc5b498e2a

  • SSDEEP

    49152:OWg2oTp3etXb9FXS1z6N7W5BvKrtkHJsOTHbV/slZl7Ujm/LO6Bfb8aqXVm5N:O7RFRzarSHJhTHbc7UaC6BDDqXVm5N

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/881502707700105217/B6aKQajpJtqb5ssOTXvBCeC3LWkHHur-i9fCbEepLakdzqKmOimtcbyJhd08eg0K4zZt

Targets

    • Target

      6a36615061e2320a5f8351a09e63355e

    • Size

      3.0MB

    • MD5

      6a36615061e2320a5f8351a09e63355e

    • SHA1

      7b7aa5ae3404ca23ce4e166fea61de2fa07dcc9d

    • SHA256

      d123ab9c133d277975f53b3256a36bb0de0420ed640d58ef870bbe8fbb2f5c05

    • SHA512

      b474dd4d104410026368917048aa37a3e2157f157022095b8aff2cb2781ea74953ebca07e94dbee90c1b65f387df8f1a8cd20fa5be817ecc6b8749cc5b498e2a

    • SSDEEP

      49152:OWg2oTp3etXb9FXS1z6N7W5BvKrtkHJsOTHbV/slZl7Ujm/LO6Bfb8aqXVm5N:O7RFRzarSHJhTHbc7UaC6BDDqXVm5N

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks