Overview

overview

10

Static

static

10

Loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.exe

  • Size

    59KB

  • Sample

    240701-3cmydazdrn

  • MD5

    07ac8571846ca0cc9f6fcdbe1d000be2

  • SHA1

    3cbe16f7d24d40b590f97b1999c64c5bb889e8c6

  • SHA256

    2a3bcea7cadf94c65d4462b2297285078f5232e84267dfa641cb23475ffdb1b5

  • SHA512

    56413d14e5ee2e615c19232d93047c9d2cc422e083eda0f9f5ae1dc04798989e73d5ad80e06a7dda166deb0177206fb1ed045773bba3975667c12409d67d1e7e

  • SSDEEP

    1536:oG5dn7tpWah7AuW7ttyCoTf1AZbr4w0eb6giOJ5LX:lD5pHJdOttyxuZbrp2OJ9X

Score
10/10
mercurialgrabberxwormevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

unique-emotions.gl.at.ply.gg:54742

wiz.bounceme.net:6000
Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1256033718615801999/30uWN_aNeK535vYxz4VbBzXef1VOIVGrPIFsTv-L91_8YPN5UWyf6TKGfk-GmCmwftJo

Targets

    • Target

      Loader.exe

    • Size

      59KB

    • MD5

      07ac8571846ca0cc9f6fcdbe1d000be2

    • SHA1

      3cbe16f7d24d40b590f97b1999c64c5bb889e8c6

    • SHA256

      2a3bcea7cadf94c65d4462b2297285078f5232e84267dfa641cb23475ffdb1b5

    • SHA512

      56413d14e5ee2e615c19232d93047c9d2cc422e083eda0f9f5ae1dc04798989e73d5ad80e06a7dda166deb0177206fb1ed045773bba3975667c12409d67d1e7e

    • SSDEEP

      1536:oG5dn7tpWah7AuW7ttyCoTf1AZbr4w0eb6giOJ5LX:lD5pHJdOttyxuZbrp2OJ9X

    Score
    10/10
    mercurialgrabberxwormevasionexecutionpersistenceratspywarestealertrojan

    • Detect Xworm Payload

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

9
T1012

System Information Discovery

7
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks