Overview

overview

10

Static

static

3

Celesty.exe

windows7-x64

10

Celesty.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Celesty.exe

  • Size

    1.7MB

  • Sample

    240813-etl6eateng

  • MD5

    8966d25141f5e150ff7d02ac502cce46

  • SHA1

    f882485d1ffac1b75b60794824b771e4ce33d7b7

  • SHA256

    8694257c04deed3937833145954c65564627f7d40cd20f8401696933a03b7e3f

  • SHA512

    caedef6e8fdc042d6586816bdc87c36b3d40c22a8e4e331d46296b669ed03f2e295f4b44ed4092f43e8d0dad8cc40766982d6938d1d638fb4e4eecaddd529df3

  • SSDEEP

    49152:6PxCjaDpascfyHTtgWc79pGvFog9hlQ0xM7QYeYnUgy:mCq4sokTtlPFooQzzU/

Score
10/10
mercurialgrabbercredential_accessdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/935223250571640882/ViB43kUXE9CCFxm2v1jxJfLyHYVNk3Y3-laU94OpWmJjw7id0TwbDJUP1by4-O7zvfZu

Targets

    • Target

      Celesty.exe

    • Size

      1.7MB

    • MD5

      8966d25141f5e150ff7d02ac502cce46

    • SHA1

      f882485d1ffac1b75b60794824b771e4ce33d7b7

    • SHA256

      8694257c04deed3937833145954c65564627f7d40cd20f8401696933a03b7e3f

    • SHA512

      caedef6e8fdc042d6586816bdc87c36b3d40c22a8e4e331d46296b669ed03f2e295f4b44ed4092f43e8d0dad8cc40766982d6938d1d638fb4e4eecaddd529df3

    • SSDEEP

      49152:6PxCjaDpascfyHTtgWc79pGvFog9hlQ0xM7QYeYnUgy:mCq4sokTtlPFooQzzU/

    Score
    10/10
    mercurialgrabberdiscoveryevasionspywarestealercredential_access

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks