General

  • Target

    OTEYZ_Loader.bat

  • Size

    1KB

  • Sample

    241125-pg5gbsspaq

  • MD5

    f3f83ae17a3f81e0265b9ce7e480bd4e

  • SHA1

    994d8d5b533fd09630b45a0d0404f65557e83d5d

  • SHA256

    412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

  • SHA512

    cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      OTEYZ_Loader.bat

    • Size

      1KB

    • MD5

      f3f83ae17a3f81e0265b9ce7e480bd4e

    • SHA1

      994d8d5b533fd09630b45a0d0404f65557e83d5d

    • SHA256

      412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

    • SHA512

      cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Async RAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks