mercurialgrabber | hxxps://github[.]com/Obey7/Synapse-X-Crack

General

Target

https://github.com/Obey7/Synapse-X-Crack
Sample

240820-3fj1wsyemh

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

skbidiooiilet-31205.portmap.host:31205

Mutex

7357b58d-e5d4-42be-8b74-db6eee6cde6d

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
Windows Update

Extracted

Family

xenorat

C2

anyone-blogging.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes

delay
500
install_path
temp
port
22284
startup_name
Windows

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/921810742020276324/oy5WUJBM9c9aVxQdFK2oXYeKkOKvk_yVdVaJEUFoVwHMqgDucV43ot4Qysobx87iaZTf

https://discord.com/api/webhooks/894999664762445854/TpfIb0rr_07lU027UuRzVpEL0hcMj7142ONS03Lnxe8C9sZVf2ccQfateH8Idqb7A448

Targets

- Target
  
  https://github.com/Obey7/Synapse-X-Crack
Score

10^/10

mercurialgrabber quasar xenorat windows update adware credential_access discovery evasion persistence privilege_escalation rat spyware stealer trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1