Resubmissions

12-05-2024 18:09

240512-wrsnvahe71 10

12-05-2024 17:56

240512-wh2v6acb26 10

12-05-2024 17:50

240512-we2qzsbh82 10

General

  • Target

    RGF-main.zip

  • Size

    54KB

  • Sample

    240512-wrsnvahe71

  • MD5

    7bcc565dfb0ce789f9a984870a64414c

  • SHA1

    7918e05800b7d02be5aa3670259709fde7f5c268

  • SHA256

    33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb

  • SHA512

    0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0

  • SSDEEP

    768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6

Targets

    • Target

      RGF-main.zip

    • Size

      54KB

    • MD5

      7bcc565dfb0ce789f9a984870a64414c

    • SHA1

      7918e05800b7d02be5aa3670259709fde7f5c268

    • SHA256

      33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb

    • SHA512

      0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0

    • SSDEEP

      768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      RGF-main/Input.zip

    • Size

      36KB

    • MD5

      45102f2509fb9913e768c47a8a7700e5

    • SHA1

      f853f5b887bba4aab056400fc4cfa09aa77dae26

    • SHA256

      f1db00cc9a4d36920d6d360187e36f96e649ed9e8543e3941773b3c5df4bf9a6

    • SHA512

      e2571fa2085b34ab28b5a75908222c3c00b6a398349bde0aaf52d5f5fc66f03a9e010ca7be72bced5eff00a050a5fc02e78abeb748df0ecd8e48f798fd72a66a

    • SSDEEP

      768:0CER7pNX8nL9XhVCbS3O7hCPWLp7BKgRfIa700K/2x6qKEEa6:5ER7jMnxXhwbS3iKWLp7BTeilEa6

    Score
    1/10
    • Target

      RoBrute-master/LICENSE

    • Size

      34KB

    • MD5

      1ebbd3e34237af26da5dc08a4e440464

    • SHA1

      31a3d460bb3c7d98845187c716a30db81c44b615

    • SHA256

      3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986

    • SHA512

      d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686

    • SSDEEP

      768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum

    Score
    1/10
    • Target

      RoBrute-master/README.md

    • Size

      109B

    • MD5

      dc61560cdd468151c7fef791de909f86

    • SHA1

      3da83b6867610344eaad4dccc9d3517556bbda65

    • SHA256

      7d643c26f93104ed744e9661b98ff575f3efdd2081bf5bba3d0412bb4200acb4

    • SHA512

      e2ce9365ad750bad9bd32631bcb42d84e1e1399c0066e0d1977e61543cf672df9be84671193a5d09839a15d736f2ddb91772f9a1e7726aa1f4bf6bb2d0c324e7

    Score
    3/10
    • Target

      RoBrute-master/RoBrute.py

    • Size

      6KB

    • MD5

      459ffbe4a551223287035714b6e274c2

    • SHA1

      98151335d6fcf0630f03092fee504aa05563d2db

    • SHA256

      418ab9d7b1c9ee04596bf868b74ba50f7105b3a150f6989d74d445f9810aaef9

    • SHA512

      385d9317c7b823eef361ae294635697c07b1bf93d4d8d17da703911688f9b2b478532ff800c670507bf6269e7addbba7eb8f057357754e3565999d36af804cee

    • SSDEEP

      192:aIzopckmTzso484ijEF3VvGK4F21p54wfFaep6D:aIkukwIijEF3VVs6htaepA

    Score
    3/10
    • Target

      RoBrute-master/mainLib.py

    • Size

      481B

    • MD5

      d605f4316cf7dd5b2f4d68e5534903a5

    • SHA1

      1d9f87b0316cacdbc97c265a2005ceb9f04dd0e2

    • SHA256

      930cac6585d68eef349b1db9e376c3c9cef6a764a51c6e19a55b3d23cbe4acbd

    • SHA512

      384a3e39dad72d77fa8da085714b08ea8bddaa49c70df389febf9290c9ce09114646c417d31d6888437d237817b2eea67d183c7c65e5e985faa66a02b05a746b

    Score
    3/10
    • Target

      RoBrute-master/mainLib.pyc

    • Size

      806B

    • MD5

      a69353c0a05226a823732ff09def0462

    • SHA1

      29d202a58960848f8a74c52cc5e0f28c239cbe1d

    • SHA256

      14db2c7373b04e3767f4210e473906661b5251afceb5f9e445ab276f13b51a01

    • SHA512

      b40d9ec41b4ef60d7d84400d4bcbcf11d0f469bd0365e84ff4a6b92f0dc71e12fd1f7ee4af5dd7d47dc2bd4548ecb1e75631a20829717f7ab5c46e80ed8cdfaa

    Score
    3/10
    • Target

      RoBrute-master/pass.lst

    • Size

      83B

    • MD5

      efb3936c5ce7f19cf68b03e5dab18dcb

    • SHA1

      0982314f06d31e1fcecf94175d1f90e85a67a7df

    • SHA256

      688d412436709a41b77ee0500cee157f4cc6b023c436a005e1f73e5fd5b4dfc1

    • SHA512

      773c18edfe78c9fa5b8bfd9aea8dadf036e5f012905d5dc99e46aea181b843ee8fdd0e2ffc2fee54b50026cc50aead52b37c0d827d7334ebb3d1d5482e28843f

    Score
    3/10
    • Target

      RoBrute-master/proxy.yaml

    • Size

      103B

    • MD5

      232b7ad6ace65f83f66c840d8bed9ab1

    • SHA1

      f94b2b8970f26ea9678fcfaa73abf606e6848052

    • SHA256

      f1e9af216da7c7dec44e58e4af4a814f6be742ca4c8f18f0fbe06e1fbd33cc36

    • SHA512

      68240f638da51862c556a2edfa79cbfabb071d724651341a804e14462845ad134c3a4c4bd82117dc6c00ee6525fb9bc2b25b7d2ed57a905643de63d1df0c94b9

    Score
    3/10
    • Target

      RoBrute-master/requirements.txt

    • Size

      92B

    • MD5

      b7fd4d83be560cecca09b49b32fb3448

    • SHA1

      80b297c02ca2496e919797e7687b0245a4354a24

    • SHA256

      5a5133343eb916a24603a35d4d4bff4aecec4012e0c6297ce5469930a081ad57

    • SHA512

      867d4baa56724b46d30e7c7f328f4817cbbd70a9afdbbc9b48c94356978ea2cba2d0526a6aa4ab54874e56605735c811e1abb972d17bc5d5efaaa3b0d1abc715

    Score
    1/10
    • Target

      RoBrute-master/socks.py

    • Size

      31KB

    • MD5

      48785c4abab003e3567e381d81a4e3fe

    • SHA1

      b78b23d63ac8d301e24e9a0f2c709f4d02abba87

    • SHA256

      bc89e89dcd6a255af82c73cbd6cbbaaddba2aa83380188bbb8282aef40b0a11a

    • SHA512

      52d7002548b3dc31ba4c355270577b92980c4a569dcad45c6af518da7355fcec0ace7c9ce5fabcf68dc04b2211d0d31a5cac1e7dc92a5017a1c3f1ed74cbb09a

    • SSDEEP

      768:MTMqwGwX3Q/28zGh9czigrcQcJWN2hqoJRBLXo:M1rwXl8zGhCzig4QIWN0JRBjo

    Score
    3/10
    • Target

      RoBrute-master/socks.pyc

    • Size

      26KB

    • MD5

      c59597fcf54f22c79d319b129c33a62a

    • SHA1

      316daa8cc82926af92ae9400c83c172681f427be

    • SHA256

      245adcd5c71c12585d86e4cee0370781d99bd3ea8029e9869744028ed26bb7d5

    • SHA512

      bf1b978029e2500ef16c4f201ef456324752f2dfc5e213153a861c990010518520e7e2d4b501deab30056302201537291ceff77312f5adae2d3845c8bce2a9c9

    • SSDEEP

      768:x+TMqK0DoOgVH8zD5x50Y8a6RA516g0QsCh:k1DIVczDbXr6Ku4h

    Score
    3/10
    • Target

      RGF-main/RBF.exe

    • Size

      41KB

    • MD5

      09d12c328c88bfdfef9dcc0927dca671

    • SHA1

      4f61a36bc05dbd9229b56db5ead4ea3d37e4308a

    • SHA256

      64e772d1da472d9da1dde4d9b070c1d9acf98d9819ec04058a0161f020022e49

    • SHA512

      4774119f1eb6f3f712fc29f7c7cceb31a67c62c01a6b7f09ccf17a85a4d78b3fed4f3a9532c353490f9058aae5db58d305a92a65a8e8039e7c123f48e73d1d51

    • SSDEEP

      768:escGoAxWdPN+wauZLePWTjZKZKfgm3Ehpe:tcVdPN9ePWTVF7Ebe

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      RGF-main/README.md

    • Size

      1KB

    • MD5

      ba7441cf8e6b64295991386b6a64a691

    • SHA1

      a63205b8c8d61671fe18795cf221d69ebfebbccc

    • SHA256

      0872676eb9a53148886bef0e90b21565c064dea7e8e629cdb5c22adb7ae0d465

    • SHA512

      2b88805e2090fffddbafe8b5949e0d95b320e800748f935e2764771019e3972904d235602e3ce33bdc40a454d7b7147e532c5ee500516486372a737af718cdfe

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks