Overview

overview

10

Static

static

10

Mercurial.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Mercurial.exe

  • Size

    9.8MB

  • Sample

    250128-11r6wswkdk

  • MD5

    3bf880794834e8bcbbbf9060734acfd8

  • SHA1

    52339a5a36704004d492f5216e79a0568c90199d

  • SHA256

    0f9a723b42319e0b131ea7c1dda2907e7766937cc296840621be757d1be83532

  • SHA512

    9f782e3b383243ee26fd9eac9981f84a96f9820705b691c13f74e4a0c18cd06744618486988489113ae2da25df65dae590035dbcc2f85b43797432c9b6ff4cb5

  • SSDEEP

    196608:fsOOjmFQR4MVGFtwKPmF9mhAqaeGq8PHiFRV104:kKtM5KPm7mCeb8PHma4

Score
10/10
blankgrabberagilenetcredential_accessdefense_evasiondiscoveryexecutionspywarestealerupx

Malware Config

Targets

    • Target

      Mercurial.exe

    • Size

      9.8MB

    • MD5

      3bf880794834e8bcbbbf9060734acfd8

    • SHA1

      52339a5a36704004d492f5216e79a0568c90199d

    • SHA256

      0f9a723b42319e0b131ea7c1dda2907e7766937cc296840621be757d1be83532

    • SHA512

      9f782e3b383243ee26fd9eac9981f84a96f9820705b691c13f74e4a0c18cd06744618486988489113ae2da25df65dae590035dbcc2f85b43797432c9b6ff4cb5

    • SSDEEP

      196608:fsOOjmFQR4MVGFtwKPmF9mhAqaeGq8PHiFRV104:kKtM5KPm7mCeb8PHma4

    Score
    8/10
    agilenetcredential_accessdefense_evasiondiscoveryexecutionspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks