General

  • Target

    BDevsHwidSpoofer.rar

  • Size

    87.8MB

  • Sample

    250221-3baxesvk14

  • MD5

    16d8c15ac98b515fb77fd83e64b39554

  • SHA1

    e64f1e4e57ba98292e433e0e67d48bf50e20a4c0

  • SHA256

    884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb

  • SHA512

    9c0b630f02eb36678c6b9266c6c18e51dc12938b1139e0f08551baf9db7818f82e709b2c9c25a2bc1de7201ee27b5074fdd4b7333eb33aebea25dd8d723cc4b2

  • SSDEEP

    1572864:Wz9YaNI37Zdc/yFMlhngLFFKWmqAlIlfz9YaNI37Zdc/yFMM:e9YP3FSbgLF8lYr9YP3FSM

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1342592218795479070/gAprajht67Sa8ORePbAXrGT6sIbifHi5L7oiHuXxWUdAHMtuuCdTAvGCQzuS79w1C7lM

Targets

    • Target

      BDevsHwidSpoofer/Key.exe

    • Size

      41KB

    • MD5

      e9eb8c9e977dffcaa7fd50792ec087c3

    • SHA1

      3a916bff3fa8488d4678ad48c397f8e248db8d0d

    • SHA256

      eb1ec5ac218ee4620daae85d52eb2f28d09147930667fc870e6640d5223eecde

    • SHA512

      d231da2f1c0e5fcecfd313389642d23ece8f339c8a09c2b1737bbca914feb4942265a7d197715634793c4b9686205a4208665cfd9ae06011579c0c968335230c

    • SSDEEP

      768:hscaIyIEL/gB1wqyuZjecWTjgKZKfgm3Eh8B:ec1irgBvecWT0F7E6B

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      BDevsHwidSpoofer/ScoFucker.exe

    • Size

      28.9MB

    • MD5

      5a924a768e25268747e26c60d44e2722

    • SHA1

      37109a60a000c57c7c321afb44585064cbccb0b6

    • SHA256

      6f9c20d90db779845264dee3eb25a2f5cef15be1a95bf85e82e469c4b6cd6f54

    • SHA512

      5670efb26e28165b23922e4914eade005819621dbfd9c16a3c16eaccaaa528e18901c334c6ab5bc14ad97ca4eff7d7435e6c50b602647ef1f8aef9b303913e03

    • SSDEEP

      786432:H/ls88jgftK8fCqoeeyMHaivfIv55pg/o+:H/lsRcfX6qg3HaivG5vgA

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      BDevsHwidSpoofer/Updater.exe

    • Size

      32.1MB

    • MD5

      d44d855c8e89b6cdb48b318ab9706e95

    • SHA1

      5282b70475ddba9ac51a2c3f734e1c90b729c434

    • SHA256

      0206963bd92cd09d570d1891963eec416665ed117357c0ec6a060d279973dd63

    • SHA512

      3a6a956b4957ab5b13cf72a544a1abd8a8336e4956e59c9e4ba4e4e7f8cacdbbceba9d3aeaf85b95d4c7e760c90e3a435fc0a6d65d9bb392ff64ffe9c7f40943

    • SSDEEP

      786432:8QgHEFNLewZZTftqapqtO90SBbUwgyRvOjqhKjaJyHOQ3SRk:8QgkFNLdtq4EyRvOGgeyHOQC+

    Score
    1/10
    • Target

      BDevsHwidSpoofer/data/Updater.exe

    • Size

      32.1MB

    • MD5

      d44d855c8e89b6cdb48b318ab9706e95

    • SHA1

      5282b70475ddba9ac51a2c3f734e1c90b729c434

    • SHA256

      0206963bd92cd09d570d1891963eec416665ed117357c0ec6a060d279973dd63

    • SHA512

      3a6a956b4957ab5b13cf72a544a1abd8a8336e4956e59c9e4ba4e4e7f8cacdbbceba9d3aeaf85b95d4c7e760c90e3a435fc0a6d65d9bb392ff64ffe9c7f40943

    • SSDEEP

      786432:8QgHEFNLewZZTftqapqtO90SBbUwgyRvOjqhKjaJyHOQ3SRk:8QgkFNLdtq4EyRvOGgeyHOQC+

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks