Overview

overview

10

Static

static

1

standard (1).gif

windows10-2004-x64

7

standard (1).gif

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    standard (1).gif

  • Size

    6.3MB

  • Sample

    240319-mz79tsab97

  • MD5

    058d19466e57a3640305f65851da3eaf

  • SHA1

    c165d4eb4ed9a34fcd9512865e28996979f2a920

  • SHA256

    d0e639e77b38431766278ad13dc34be9c510f1f5bdedc1fc8c0233b83b4da511

  • SHA512

    40ea71ef7291e18c58310f57bae5d2f7acfda0799b56b3f35bbd89618f6c78f4db85c35640c7481f4d2d7f1bbd9092dd561c8edf7527ba9ffecddea3b0dcbad5

  • SSDEEP

    98304:7h+LLt0vKx1xnltw9VL70QnYaz8xqbRuLJk/xvJgrCLCBVMh:N+Lp0v+1FlOL7NYaw82aJvmvVo

Score
10/10
mercurialgrabberstormkittyagilenetevasionspywarestealerupx

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1219602363208175698/OSDsnD9yHOLj3aH-D90pq9RU-hFF8_RoPqPGo4tlAHhLKB8vjtLUA94iFiTFB0wzNhjc

Targets

    • Target

      standard (1).gif

    • Size

      6.3MB

    • MD5

      058d19466e57a3640305f65851da3eaf

    • SHA1

      c165d4eb4ed9a34fcd9512865e28996979f2a920

    • SHA256

      d0e639e77b38431766278ad13dc34be9c510f1f5bdedc1fc8c0233b83b4da511

    • SHA512

      40ea71ef7291e18c58310f57bae5d2f7acfda0799b56b3f35bbd89618f6c78f4db85c35640c7481f4d2d7f1bbd9092dd561c8edf7527ba9ffecddea3b0dcbad5

    • SSDEEP

      98304:7h+LLt0vKx1xnltw9VL70QnYaz8xqbRuLJk/xvJgrCLCBVMh:N+Lp0v+1FlOL7NYaw82aJvmvVo

    Score
    10/10
    agilenetmercurialgrabberstormkittyevasionspywarestealerupx

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks