Resubmissions

25/07/2024, 21:58

240725-1vjmkaxcql 10

25/07/2024, 21:52

240725-1rgc2axbjp 10

General

  • Target

    Mercurial.zip

  • Size

    17.9MB

  • Sample

    240725-1vjmkaxcql

  • MD5

    26899a650cebc06e617ebebb7a7a18b0

  • SHA1

    2735474da79cd0f55da18f80ce73c760028f6c4d

  • SHA256

    d7a9021b90b6bd951920b6bb581908454bf73c2147a6a39c26dd16fc85244bf2

  • SHA512

    2492023f248288821a66c81dc653bc13422735065e8b4531ce27ed364c4fceca4e644b8c6ea2401b4ffd70a43b137cb2ad57f350265d08319f5db6c086d2913c

  • SSDEEP

    393216:aIcdIcFHnVHefqkYpRiomc66NQF6vhOU5d:aRdIcFHnV+fDYO8qwEU5d

Malware Config

Targets

    • Target

      Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial/Mercurial.exe

    • Size

      17.9MB

    • MD5

      de3d9bc8e4813084e2c2a8cdebd02d3f

    • SHA1

      a416b246e20bbcb37db35b0a4a36b917da34dfd7

    • SHA256

      23a9e3fe0e20da93ccf9b8208cc852c5199fc4dc2489276ef0adaefd6a1aa25a

    • SHA512

      eaa36e3d73a56e25e8980828db19a0f5bca23664e0d4f652d5f7d11c0552f46142e468ba2df4c59225e93685dad3653c98fa011e7de726bd041626a43a8ac12b

    • SSDEEP

      393216:AqPuYXJBft6k/m3pgDOEkSgsvLgf/3Jo:BPuYXJBf0kKlAzgfRo

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks