General

  • Target

    akrien315727800.rar

  • Size

    4.9MB

  • Sample

    240704-ktgtksshqq

  • MD5

    3c8b08e4ff2d56c08639764b951b553e

  • SHA1

    41b2315ba593d39165c85ca6b96cbbfa625dc3c1

  • SHA256

    2b4973b609c72e3b6cb5a2aec425b3a70d937b42d9e3a443a4ce956384f29154

  • SHA512

    367ea82445d58dc69fc905208ddde7ba1bcb8a86f869bcdaa1a34154f545dc9f94e94ea466dbe36f17322cd3a01c96d26a7f7f07d712ce3a816a3785fbc96e58

  • SSDEEP

    98304:McjZl79Nrp1Za8y0N5IbPIoym+UZZ+Vi+MyqwdmI8tNb7bZFHr+8suS:lo0IsocUZZOi+Mav8TdF+ruS

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/903016099652714568/4LAokuhDJs5h0vO5CXmMK0YYuFKTGnU4CjbaT5KQ7MbcniuaxcFR9w9xhFWgtXEZyg2U

Targets

    • Target

      TrayStatus.exe

    • Size

      3.4MB

    • MD5

      659ddd8e403cde0e6403d605829d0f3b

    • SHA1

      c76efe026ba7761563b889d7ff5dc47f37ce8e89

    • SHA256

      bf5d0e8f30d74f2b00fcd1c5ee90c800b81c9b371e162b884278518925daab84

    • SHA512

      44eb56bd5bd77dc886d3cc8eda1e2c2b503d605766b2e72444141f3c48b691bbd2ee807b54242c9530f9b9cc17f2a413b69256b5f8302b9946efa0c77be72906

    • SSDEEP

      24576:zSmQNUVspfgt3kkdz4xnZIRRhF4B/2xGUBd9XEln7PyxOHjKGEPQEGXdnExQ8h76:/8oxYB/2xDXynSOHjkoFXqy8yN+fF14

    • Score

      1/10

    • Target

      akrien_315727800.exe

    • Size

      3.5MB

    • MD5

      887d3ac7ee69d7c63082f8871ab10959

    • SHA1

      0235f732d4f08dae6354f648d1413acbdcda6b32

    • SHA256

      4901acc3d2f993fb841c4e15e80dcc04f3ac1543f0758bc042fa57559a75e834

    • SHA512

      881ec672a1991e659c327737667f83b9b127903b1bec19b47f83212fa364f68db49cc3ede06163f906951c96aa7869b786abece410abe669420b463a4c93ef24

    • SSDEEP

      98304:LMSHC08rdkn//eESI+Y/nTkSgCwnz/yp/r:LzHC08qxSpQTk0Azy/r

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, the number of matching signatures, and the technique ID.

Defense Evasion

    • Virtualization/Sandbox Evasion (2) T1497

    • Subvert Trust Controls (1) T1553

    • Install Root Certificate (1) T1553.004

    • Modify Registry (1) T1112

Credential Access

    • Unsecured Credentials (1) T1552

    • Credentials In Files (1) T1552.001

Discovery

    • Query Registry (7) T1012

    • Virtualization/Sandbox Evasion (2) T1497

    • System Information Discovery (6) T1082

    • Peripheral Device Discovery (2) T1120

Collection

    • Data from Local System (1) T1005

Tasks