MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MercurialGrabber


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b
SHA3-384 hash: efe929cab16c86c384d61ad34b7c7217942067115e464e6022a736fe82698c06fca9e3aad5c19887cbc6d633075d95cf
SHA1 hash: 5936e36c3dd39216803c72e0841da6f6df256291
MD5 hash: 1ea3b43e8a8ce761479e26f94ccf9bd5
humanhash: alpha-utah-fruit-stairway
File name:1ea3b43e8a8ce761479e26f94ccf9bd5.exe
Download: download sample
Signature MercurialGrabber
Create hunting rule
File size:9'244'160 bytes
First seen:2022-10-30 16:57:19 UTC
Last seen:2022-10-30 19:10:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:dCdbOITPSUUpIS9u/pRDXvQhAJ4TsHhGgXZQWYhr5bi:WjTPlcI1XDXv8A2TsBGgX
Threatray 3'040 similar samples on MalwareBazaar
TLSH T1B9963305BF8B5467D800A57FD7DA8B815AA4A3CE7C0CBD49577740E72C72B8F2606C8A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe MercurialGrabber

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
modest-menu.exe
Verdict:
Malicious activity
Analysis date:
2021-06-14 00:15:55 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/f7ebfa4b-acbc-4e60-aaec-ed72ddd31ee1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326150/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.32.11129.17538.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Launching a process
Searching for synchronization primitives
Sending an HTTP GET request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer packed razy
Link:
https://www.filescan.io/uploads/635ead1b791bb7e48afddb4c/reports/537293f3-15e6-4a9c-8209-320062013bb7/overview
Result
Verdict:
MALICIOUS
Malware family:
Blitzed Grabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58a80f9d-92ed-49fa-9c06-792af864583d
Result
Threat name:
AnarchyGrabber, Discord Token Stealer, M
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101299
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AnarchyGrabber
Yara detected Beds Obfuscator
Yara detected Discord Token Stealer
Yara detected Generic Downloader
Yara detected MassLogger RAT
Yara detected Matiex Keylogger
Yara detected MercurialGrabber
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733960 Sample: ufU6GyukRT.exe Startdate: 30/10/2022 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 12 other signatures 2->99 9 ufU6GyukRT.exe 8 2->9         started        13 %nmoufstr%.exe 2->13         started        process3 dnsIp4 59 C:\Users\user\AppData\...\vcruntime140.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\...\msvcp140.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\...\modest-menu.exe, PE32 9->63 dropped 65 2 other malicious files 9->65 dropped 123 Self deletion via cmd or bat file 9->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->125 16 ffmpeg.exe 16 4 9->16         started        21 vcruntime140.exe 14 5 9->21         started        23 modest-menu.exe 5 9->23         started        27 2 other processes 9->27 87 132.226.247.73, 49708, 80 UTMEMUS United States 13->87 89 checkip.dyndns.org 13->89 91 checkip.dyndns.com 13->91 127 Antivirus detection for dropped file 13->127 129 Multi AV Scanner detection for dropped file 13->129 131 May check the online IP address of the machine 13->131 133 Machine Learning detection for dropped file 13->133 25 cmd.exe 13->25         started        file5 signatures6 process7 dnsIp8 67 checkip.dyndns.com 132.226.8.169, 49701, 49709, 80 UTMEMUS United States 16->67 69 checkip.dyndns.org 16->69 75 3 other IPs or domains 16->75 55 C:\Users\user\AppData\...\%nmoufstr%.exe, PE32 16->55 dropped 57 C:\Users\user\AppData\...\%nmoufstr%.url, MS 16->57 dropped 101 Antivirus detection for dropped file 16->101 103 Multi AV Scanner detection for dropped file 16->103 105 May check the online IP address of the machine 16->105 121 3 other signatures 16->121 42 2 other processes 16->42 71 discord.com 162.159.138.232, 443, 49698, 49699 CLOUDFLARENETUS United States 21->71 73 ip-api.com 208.95.112.1, 49697, 80 TUT-ASUS United States 21->73 77 2 other IPs or domains 21->77 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->107 109 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 21->109 111 Machine Learning detection for dropped file 21->111 113 Queries memory information (via WMI often done to detect virtual machines) 21->113 29 conhost.exe 21->29         started        31 WerFault.exe 21->31         started        115 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->115 33 msvcp140.exe 23->33         started        35 ComputerDefaults.exe 25->35         started        44 3 other processes 25->44 117 Uses ping.exe to sleep 27->117 119 Uses ping.exe to check the status of other devices and networks 27->119 37 PING.EXE 27->37         started        40 conhost.exe 27->40         started        46 2 other processes 27->46 file9 signatures10 process11 dnsIp12 48 conhost.exe 33->48         started        50 %nmoufstr%.exe 35->50         started        85 1.1.1.1 CLOUDFLARENETUS Australia 37->85 process13 dnsIp14 79 checkip.dyndns.org 50->79 81 checkip.dyndns.com 50->81 83 2 other IPs or domains 50->83 53 WerFault.exe 50->53         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b/
Threat name:
ByteCode-MSIL.Trojan.LimeRAT
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 03:39:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7rscqw4yv7334vie6v4x6jpelionock5mozj55dyhe7m5gxkz5q._file
Verdict:
malicious
Similar samples:
30fad0451c6da794860fe641d29a1ec7e4337a7e0315c72c57dfb5cca8e06bf6
MercurialGrabber
7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
MercurialGrabber
91a6129ad3cbba13eb16ef45de4d5c124da36e27dfcdbf27daf98b1d602ea47a
MercurialGrabber
afca37e4b44aced677169e1e1b898cb49a2d689f8322e6e824f97ca9a5d49443
MercurialGrabber
c63c78a081a78186d21c5df2a302b9f49fe35f85339692a1d8972a10dbabe042
MercurialGrabber
ccc9894ae7557a69148494ded97c5e496b6729022eaa1c62e1bd1ad71cf07d84
MercurialGrabber
d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6
MercurialGrabber
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
MercurialGrabber
f6f92927f5a3032e9d044479470f3e8d12cc6987aad70c0bce06541b557ee9dd
MercurialGrabber
+ 3'030 additional samples on MalwareBazaar
Result
Malware family:
mercurialgrabber
Create hunting rule
Score:
  10/10
Tags:
family:matiex family:mercurialgrabber collection keylogger spyware stealer
Link:
https://tria.ge/reports/221030-vgtbysbhck/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Matiex
Matiex Main payload
Mercurial Grabber Stealer
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/835255995735343134/XNe_EsIHeOwVdqPUaV7pv4uxkib5RHnv_Tn6JCr4hEBupeIfyQN2tRINJsXKij_tI_Ec
Unpacked files
SH256 hash:
cb2079641bb1bac84ed28836bb03817e09017553e412e26d166673459ad4c688
MD5 hash:
324c2e555431e860fac2b2bfc04adb1d
SHA1 hash:
c1f4215f0452f1d96c92ee324bc2cef999294874
Link:
https://www.unpac.me/results/fa145574-a81e-48a1-86fa-258616659118/
SH256 hash:
99c506c6a6fbbf9d7ed9e20ed02dfb91be159f0f33498153ca2894731fe41949
MD5 hash:
458168047894c09ae76b0add79c7122d
SHA1 hash:
4e291744275e8e9006c15d03489e0b252592a817
Link:
https://www.unpac.me/results/fa145574-a81e-48a1-86fa-258616659118/
SH256 hash:
5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b
MD5 hash:
1ea3b43e8a8ce761479e26f94ccf9bd5
SHA1 hash:
5936e36c3dd39216803c72e0841da6f6df256291
Link:
https://www.unpac.me/results/fa145574-a81e-48a1-86fa-258616659118/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fe32142dcc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326150/

Comments