Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Mercurial-...al.lnk

windows7-x64

3

Mercurial-...al.lnk

windows10-2004-x64

9

Mercurial-...al.exe

windows7-x64

7

Mercurial-...al.exe

windows10-2004-x64

9

Mercurial-...er.vbs

windows7-x64

1

Mercurial-...er.vbs

windows10-2004-x64

1

Mercurial-...es.vbs

windows7-x64

1

Mercurial-...es.vbs

windows10-2004-x64

1

Mercurial-...Gcm.js

windows7-x64

3

Mercurial-...Gcm.js

windows10-2004-x64

3

Mercurial-...ser.js

windows7-x64

3

Mercurial-...ser.js

windows10-2004-x64

3

Mercurial-...mon.js

windows7-x64

3

Mercurial-...mon.js

windows10-2004-x64

3

Mercurial-...ber.js

windows7-x64

3

Mercurial-...ber.js

windows10-2004-x64

3

Mercurial-...ine.js

windows7-x64

3

Mercurial-...ine.js

windows10-2004-x64

3

Mercurial-...ram.js

windows7-x64

3

Mercurial-...ram.js

windows10-2004-x64

3

Mercurial-...ook.js

windows7-x64

3

Mercurial-...ook.js

windows10-2004-x64

3

Resubmissions

25/07/2024, 21:58

240725-1vjmkaxcql 10

25/07/2024, 21:52

240725-1rgc2axbjp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Mercurial.zip

  • Size

    17.9MB

  • Sample

    240725-1rgc2axbjp

  • MD5

    26899a650cebc06e617ebebb7a7a18b0

  • SHA1

    2735474da79cd0f55da18f80ce73c760028f6c4d

  • SHA256

    d7a9021b90b6bd951920b6bb581908454bf73c2147a6a39c26dd16fc85244bf2

  • SHA512

    2492023f248288821a66c81dc653bc13422735065e8b4531ce27ed364c4fceca4e644b8c6ea2401b4ffd70a43b137cb2ad57f350265d08319f5db6c086d2913c

  • SSDEEP

    393216:aIcdIcFHnVHefqkYpRiomc66NQF6vhOU5d:aRdIcFHnV+fDYO8qwEU5d

Score
10/10
empyreancredential_accessdiscoveryexecutionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial.lnk

    • Size

      2KB

    • MD5

      eb68bc0392314c8848b235eb8f1481ad

    • SHA1

      a62663db5c43c4a5f144e4d8530cc3936392795f

    • SHA256

      8dde8d33a446801147e773e6a2d468f3493b75a8604fecb40d76f6d4cac27e1b

    • SHA512

      e7f2ff03a34e938962e7847b6ec6390b8978567cf279d2644d07b9371e2e7748d1cb2374a08ab3d4c24748b52d1e953323e8d2b7f17a5ce13b4638ac52c98680

    Score
    9/10
    credential_accessdiscoverypersistenceprivilege_escalationstealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Mercurial.exe

    • Size

      17.9MB

    • MD5

      de3d9bc8e4813084e2c2a8cdebd02d3f

    • SHA1

      a416b246e20bbcb37db35b0a4a36b917da34dfd7

    • SHA256

      23a9e3fe0e20da93ccf9b8208cc852c5199fc4dc2489276ef0adaefd6a1aa25a

    • SHA512

      eaa36e3d73a56e25e8980828db19a0f5bca23664e0d4f652d5f7d11c0552f46142e468ba2df4c59225e93685dad3653c98fa011e7de726bd041626a43a8ac12b

    • SSDEEP

      393216:AqPuYXJBft6k/m3pgDOEkSgsvLgf/3Jo:BPuYXJBf0kKlAzgfRo

    Score
    9/10
    upxcredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Properties/Resources.Designer.cs

    • Size

      12KB

    • MD5

      e7bbd3ec488fd9a129f346636fdb6816

    • SHA1

      d481a7f1f0baea15eb14480ea31c965a598c8fdc

    • SHA256

      a5348378d71c60545fe383b1fce151c6d8d6081b9c3bbedcc58ab8da5c45f6b7

    • SHA512

      11f667bacbad2d3ea042a67d25b3e4c2f73ccd7d91bf4a1ce270036b71c32fd2965c260df78455540f66190795532e8dafc3b2dce8082b50dcb12fa31c936883

    • SSDEEP

      384:agKx1K1HBhTHphgnGhg0RShguW0AEthgMKchgJ37:lDTHbOA/R8cEfTKmi7

    Score
    1/10
    behavioral5behavioral6

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Properties/Resources.resx

    • Size

      7KB

    • MD5

      58467f11104425fb5a573c71dbd37b3b

    • SHA1

      8319ab7aacb06d06162a66cfdf0b97376cfd68e3

    • SHA256

      df4a76464b02f4f7ee34aca6ca710ea0e770e62126f0ba49df74d3a548ffedc6

    • SHA512

      a345e33b7e87c06aedb143f6b80c145b408c32e5fdf472768c5c0ada0c63a7c6e70ce5f114ce973a1b53633ee6249981b20cef9411a45a84c81497a08ef4bed4

    • SSDEEP

      192:Zf+tLPfYnLvFVOiFQaUD7Ug94E2Km2y+2hb2ZT2392WK2cU2jh2X92+:Zf+tLPQnLvDOiFQXD7Ug12H2h2x2R2NT

    Score
    1/10
    behavioral7behavioral8

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/AesGcm.cs

    • Size

      5KB

    • MD5

      f2377a77efc93d8f72a0d26931a269c7

    • SHA1

      664c5d78dda24851864326619eb80121c6c7e76c

    • SHA256

      7469f986176f35936b67ef76eb7525cc4b970870a852777b5802c16b4d401ca9

    • SHA512

      5f65eccf6b3d3736ce93f0b28ab0b9f9ba24144891458647f09738d196d2e04803b7294b345382ba62607617e8b3cd229270caa526425768ee18e990a55ec2dc

    • SSDEEP

      96:JjMXclvkCl1IMF+lNlUgQldKlySSfd1FC4MJ4UabIL:h8CPIeyfUgIdmySUGn4UakL

    Score
    3/10
    discoveryexecution
    behavioral10behavioral9

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Browser.cs

    • Size

      7KB

    • MD5

      c415b2031fabcbcb6a5007d988a14355

    • SHA1

      7fcfd7b387fd08700ff9570e5ec10ead9488b649

    • SHA256

      33f92b991af62d99299b95998fbec26b25fc2054f2572150c89fca594824758a

    • SHA512

      9ed10b0768ddf90a2cae06eb4923e1f43659bfa39aa01f92b222809195f9e4df679b23201722238e3b1cee856d97fa150243238763e0f67b7ad1d25d3b22135d

    • SSDEEP

      192:QA5fJUyUOzllsWbzpQv33V2vXqGHMvK6tGRO79yp+ggX6vL:VwOEWbzqH2XqfKFf+1O

    Score
    3/10
    execution
    behavioral11behavioral12

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Common.cs

    • Size

      2KB

    • MD5

      be28593f99ed1c9d586ff11fe231692f

    • SHA1

      18a95ea4f4aedf384fe885a856904d235216e021

    • SHA256

      555ab4fbe718589fdfbd39007c7840bf50822fdaeb781a94e05a99c7784b0c4a

    • SHA512

      7d3a8819f2ee4c2bc052730c080ba6df2c2684c0fb8caefe695254d0b14289b029cfdbdc5d48591b6a091b16dfe45720d833ecaf7f73ee066ae61dfd9a33b769

    Score
    3/10
    execution
    behavioral13behavioral14

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Grabber.cs

    • Size

      4KB

    • MD5

      11e1326e7a72627aa57b2d0449ffcc75

    • SHA1

      97ba9b8d6cebacf6de762d1052bab1a1d7a8bb07

    • SHA256

      1b3efea0c78f1caada48c61c672dab02bed5d9326d5dee83220abe6ece1cf5cf

    • SHA512

      5afab603fabf1227471e88d64daf3be66a82bb0bb48e11b68427ac04791ddabb2577b43403a5ee184638a4190a2a5a81b9512fed0f383d1cd0b15bb3fcc759b0

    • SSDEEP

      96:Jj4Y26KV7VPR+7Gs591qaq8IyI2SCfK1zMu8Bywy8RVV+QjykQfgKhL:iFPv+7H591qaq8IyHSCcz1Cywy8RVV+F

    Score
    3/10
    execution
    behavioral15behavioral16

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Machine.cs

    • Size

      6KB

    • MD5

      cd6356021fc591d6b5b3f9f8eae24415

    • SHA1

      f620ed211d76caaa6fe8e82cf76f833a9994bd67

    • SHA256

      53efd19d43814969acd579b6003273971baa31a25905eb536b50b0c9615c9018

    • SHA512

      b6511d0c97473086e5b6c578d3130082d197b7bd8e2f82db33c97c2f01606b48d10ea4cbcfa7343d0b40d6602967c157ec14b675d9407a1e3e045b462865d660

    • SSDEEP

      192:+khfoitAbWfWW2C9WFYCMCyvwXcxCTqUGup3X19L:Ar

    Score
    3/10
    execution
    behavioral17behavioral18

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Program.cs

    • Size

      9KB

    • MD5

      f945d3beeb05d37ee2c723197b15a19e

    • SHA1

      b64792711caca858a522317c01899f0ab55913f0

    • SHA256

      c4d8efc12d3083a1367b396a1000f7ac978673e673d9d7db334836a3a469a5fa

    • SHA512

      afd63758153c59e9ba06afad277623e46ebe77cdaa364b6a16c8c8d5ecd2a4fe27ecf9cc5d0fc4b0507e6a01f5c6bbf3ad388af2e1f7792040dc04b9e6071117

    • SSDEEP

      192:iFPhRrA43Dt56B0WOGXSCHKXXOCNegUz++TwA8BYs6S6vSdfCPyY1KMQCjGEZ:ithRrAqD7GY0gUzcpBY1

    Score
    3/10
    execution
    behavioral19behavioral20

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Resources/Webhook.cs

    • Size

      10KB

    • MD5

      167312d0bd902f5d9511bb5b66cb225f

    • SHA1

      66c4f63ca7e0332ba781d4b1650f36b0e811d085

    • SHA256

      c6306d6bbfc3d62454f8d33cd5daf7e01f1938be38cc1c61eefa2f4f25e0ec8c

    • SHA512

      a692f9f1e24423ca6787cf618a296d4805ed5ec02bb39754413d37b536032488b874d4999f10a3a8d524dce47e82091b73edc194f19394d04057f6018771c743

    • SSDEEP

      192:iFPGQeyzXjwwIsl9DHk1qmVTJYUAB91LXT4OUr2yiBQbTsAJAZT6xV82+ItuKxAH:itGQfjwVk9DHk3NJYUAB91Lkn3YZ

    Score
    3/10
    execution
    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

pyinstallerempyrean
Score
10/10

behavioral1

Score
3/10

behavioral2

credential_accessdiscoverypersistenceprivilege_escalationstealerupx
Score
9/10

behavioral3

upx
Score
7/10

behavioral4

credential_accessdiscoverypersistenceprivilege_escalationspywarestealerupx
Score
9/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

execution
Score
3/10

behavioral10

discoveryexecution
Score
3/10

behavioral11

execution
Score
3/10

behavioral12

execution
Score
3/10

behavioral13

execution
Score
3/10

behavioral14

execution
Score
3/10

behavioral15

execution
Score
3/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
3/10

behavioral18

execution
Score
3/10

behavioral19

execution
Score
3/10

behavioral20

execution
Score
3/10

behavioral21

execution
Score
3/10

behavioral22

execution
Score
3/10