MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mercurial


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542
SHA3-384 hash: 0f412351f2a05ecd3c4251696858c7c70446368c201913e8ce8abed1c48712daf448097376e5ce5ee4fd2de761e7b206
SHA1 hash: 085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7
MD5 hash: ddf3fd684f553b4686987ec5cf532c20
humanhash: nineteen-island-missouri-minnesota
File name:Lunar_Builder.exe
Download: download sample
Signature Mercurial
Create hunting rule
File size:8'390'720 bytes
First seen:2021-08-29 16:14:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:OcwTiBknYhfr5QILXP8ZV3PpLsExwsJC4Ct99QTKu6yTL+b0X820iwvefJ:dwWCnYRr5QIXU/3PpLsacVH3TyXz08J
Threatray 844 similar samples on MalwareBazaar
TLSH T1EE863381B08040E6F9335DB6A12B0D1020767CB8AE658E7E63ED761B4AB338D1677F57
dhash icon 1e65656565a58558 (2 x RedLineStealer, 2 x RiseProStealer, 1 x Mercurial)
Reporter James_inthe_box
Tags:exe Mercurial

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lunar_Builder.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 16:18:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f09f30a-2d5c-4a23-8bbe-a88ad74468fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Mercurial
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183281/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Sending a UDP request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5473ea2c-29ee-4c0b-8bf0-a52d29ed16e1
Result
Threat name:
MercurialGrabber
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/841090
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected MercurialGrabber
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473521 Sample: Lunar_Builder.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 96 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected MercurialGrabber 2->37 39 Machine Learning detection for sample 2->39 41 2 other signatures 2->41 7 Lunar_Builder.exe 7 2->7         started        process3 file4 21 C:\Users\Public\Music\test.exe, PE32 7->21 dropped 23 C:\Users\Public\Music\Lunar_Builder.exe, PE32 7->23 dropped 10 test.exe 14 5 7->10         started        14 Lunar_Builder.exe 6 7->14         started        process5 dnsIp6 29 ip-api.com 208.95.112.1, 49707, 80 TUT-ASUS United States 10->29 31 ip4.seeip.org 23.128.64.141, 443, 49706 JOESDATACENTERUS United States 10->31 33 discord.com 162.159.128.233, 443, 49708 CLOUDFLARENETUS United States 10->33 43 Multi AV Scanner detection for dropped file 10->43 45 May check the online IP address of the machine 10->45 47 Machine Learning detection for dropped file 10->47 49 Tries to harvest and steal browser information (history, passwords, etc) 10->49 17 WerFault.exe 20 9 10->17         started        19 conhost.exe 10->19         started        25 C:\Users\user\AppData\...behaviorgraphunaUIDotNetRT.dll, PE32 14->25 dropped 27 C:\Users\user\...\SiticoneDotNetRT.dll, PE32 14->27 dropped 51 Tries to detect virtualization through RDTSC time measurements 14->51 53 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->53 file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542/
Threat name:
ByteCode-MSIL.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-07-31 19:56:00 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxsd46rbtuyblcowl564dcmxywzuny2opwjampy62hyqey6tivba._file
Verdict:
malicious
Similar samples:
051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d
Mercurial
105897c4dd3369b8c8ae8956ef2e8d945c33e7172022d81e0791546d9c17b21f
Mercurial
1733e38a94926a2b46825946f9602eabebecad6f2659af685b2474c15724c961
Mercurial
3b28cef3fbfcc3a04ec60110dc57b789425a4bab6b7be57e20b7bbd08783e043
Mercurial
9371abbf0b553023b6ddd05e91a3acaf95f4b5a1a38db5bf8634c1aca7e18d34
Mercurial
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
Mercurial
b0b851f99f1cc076735446c7604066a790017d08654f864851622781847ea92e
Mercurial
c4b40854b0d96e0967c64ee0f80d41222d57029ec9e3e4b72f4232291879caad
Mercurial
+ 834 additional samples on MalwareBazaar
Result
Malware family:
mercurialgrabber
Create hunting rule
Score:
  10/10
Tags:
family:mercurialgrabber evasion stealer
Link:
https://tria.ge/reports/210829-pf62lsc7lj/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Detected Mercurial Grabber
Mercurial Grabber Stealer
Unpacked files
SH256 hash:
d95d7cdb4a549a7f9a06c9059027bd90e926a15b21f118a59536ee9b5febb768
MD5 hash:
a956773892ea3bb538c4656475c35126
SHA1 hash:
e2cc84075cd18b96623fd29d529873f379e398c2
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
eb3897f301ae50717ef88553416800425f79d48b5a1abfdccd5d63dde3f1bca1
MD5 hash:
b6691fa95db88f556f27b087c072e8fb
SHA1 hash:
c4d70895888268e03f6e6d328a01a7d34989f261
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
5ab5aae30a73f39d027c2afda59e90410cef6cc2eddb172086b0ef47b3d1d897
MD5 hash:
fc41cd42f63851f55bda16ad21eaa941
SHA1 hash:
76a634e2a69cbd41c71a8b5e442af1ece0c07177
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
f47186f92a5e156e7b3be0e777045a63fd39ee626d3bd56171d049106cb78ce2
MD5 hash:
90b0d77a49738f3093354b2a10ad5c8e
SHA1 hash:
23eaa5b99b203d428da8e33439f28906b6ed4006
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
5bfe4cedd9bddf8893ad40fdbbc14d021e8d7d259fb282bf17d49a6747085e3f
MD5 hash:
37f6ae93831aead6dbfa5540bdf29e8e
SHA1 hash:
17e5edc298ed885c238e758032f5975ae61480ba
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
2e7190212472f350342f94bc458a87e35e5590a834d7b6cc7f02dda3c46d0de6
MD5 hash:
a80c868c8e17928eaddbbfeb72e7f0fb
SHA1 hash:
e8d7c856605e2bd65d6fb31a3eb1e84ac8277f26
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
20261370a85842c7a4443b65a189eefaa14aec4a3d767deb8ac0a8d4c66eb4ec
MD5 hash:
cc6f27ae645bc92a437e7e95911b5d46
SHA1 hash:
3283451b37b40dab5deafb648a0338f2ad795a90
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
SH256 hash:
a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542
MD5 hash:
ddf3fd684f553b4686987ec5cf532c20
SHA1 hash:
085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7
Link:
https://www.unpac.me/results/48f822ca-0fab-4202-9952-1ff91c73b45f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/183281/

Comments