General

  • Target

    2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk

  • Size

    17.5MB

  • Sample

    240611-f4y4dswcng

  • MD5

    2d2da9e3a1b925524f8f3beded725a51

  • SHA1

    3a854d9eadb761f41fc97cac483a07b2c223fcf2

  • SHA256

    baf1e179e63392ebdd6e59a1765d9ffe307ca28e22681f855bf2f71a0280d538

  • SHA512

    c1ed6de456dafbda4a38071e6021b3387ac69d56eb7e70209ca8085f28a1270161b8d82990731e21538ab03e5d7f95ec79b83839cbbc3e181f25ed8e03a76107

  • SSDEEP

    393216:lqTHLS9CQ+rxdiJjxpQnwZch9BbKy/H3EbN/nww71ekGVhU9nC:87O2rxdi3pQnwZ+/gR/nwwUVh7

Malware Config

Extracted

  • Family

    mercurialgrabber

  • C2

    https://discord.com/api/webhooks/927257108951486515/GbBnf4EBb2a3JwBZqh5mpUFw3MuJDHB8lxKcjmyg9c1-L8tXje_7OreKQrCr9Qsh7ruT

Targets

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing a Discord URL observed in first-stage droppers

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               Technique                        Count  ID
  Defense Evasion      Virtualization/Sandbox Evasion   2      T1497
  Credential Access    Unsecured Credentials            1      T1552
  Credential Access    Credentials In Files             1      T1552.001
  Discovery            Query Registry                   8      T1012
  Discovery            Virtualization/Sandbox Evasion   2      T1497
  Discovery            System Information Discovery     7      T1082
  Discovery            Peripheral Device Discovery      2      T1120
  Discovery            Process Discovery                1      T1057
  Collection           Data from Local System           1      T1005
  Command and Control  Web Service                      1      T1102

Tasks