mercurialgrabber | c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f

General

Target

test.bat
Size

23.4MB
Sample

240429-vgtmqaff84
MD5

058512c3d0827870573edbda5ac7e397
SHA1

17e74897a99a396ace8de33a9a2c844fe0d85a55
SHA256

c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f
SHA512

076c6e1966254d2f8edc726e8bd61774c8742c36731616dfbfb5b13b868af66a7b5e04d0958e051a13e0f3bb9f62b63a88df7162ab2a5dba34b5a0fd8c15f233
SSDEEP

49152:r1A4BWF3lwVZsfLZvDY72/3i5iz8WvWWMjNHGeTCK1Bs0+hG4mAK5Pp86mSFzbkz:r4

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1234301738757001307/J48FrxcIY2MznyD-QrXgOrGXbnFfNRD0MMNNy87Y34EWKexlEGM_on4JdcwW4I6PtUzz

Extracted

Family

redline

Botnet

Fake Slinky

C2

ii-restored.gl.at.ply.gg:43416

Targets

- Target
  
  test.bat
- Size
  
  23.4MB
- MD5
  
  058512c3d0827870573edbda5ac7e397
- SHA1
  
  17e74897a99a396ace8de33a9a2c844fe0d85a55
- SHA256
  
  c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f
- SHA512
  
  076c6e1966254d2f8edc726e8bd61774c8742c36731616dfbfb5b13b868af66a7b5e04d0958e051a13e0f3bb9f62b63a88df7162ab2a5dba34b5a0fd8c15f233
- SSDEEP
  
  49152:r1A4BWF3lwVZsfLZvDY72/3i5iz8WvWWMjNHGeTCK1Bs0+hG4mAK5Pp86mSFzbkz:r4
Score

10^/10

mercurialgrabber redline sectoprat fake slinky infostealer rat stealer trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Mercurial Grabber Stealer

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2