MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MercurialGrabber


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6
SHA3-384 hash: b6769cdddeaebf6422e7134b1508062b6330f3624681ebb044ba3b5b28af0fcf4b5091af14f9daa582845ccb00077440
SHA1 hash: 94f4a586e2999e1692540a213bf96130db1b03f3
MD5 hash: e0818f4c5333866bc3c186ea7f9a2bae
humanhash: bulldog-sad-kitten-august
File name:Spoofer.exe
Download: download sample
Signature MercurialGrabber
Create hunting rule
File size:2'482'688 bytes
First seen:2022-04-02 21:29:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 49152:f3l9tY6nc2dQJQxqiqNxNyeZ6IdeW5EP3V9DHdwKRDc6OH1h8s:fVLnfQ6qiqNx3Q9DCcc6OH1h8s
Threatray 1'867 similar samples on MalwareBazaar
TLSH T118B5234B320C67E6C977D77B0DE5C2901A72ACB91771FBEBA9B007B81D94B90061139B
Reporter adm1n_usa32
Tags:exe MercurialGrabber

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Spoofer.exe
Verdict:
Malicious activity
Analysis date:
2022-04-02 21:28:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6bc0fd5d-4f39-41b0-aff7-4dd74a0f758f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Tool.Binder-9794371-0
Create hunting rule

Win.Packed.Bulz-9868353-0
Create hunting rule

Win.Packed.Ursu-9872078-0
Create hunting rule

Win.Packed.Msilzilla-9934280-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12414/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm coinminer fingerprint greyware packed shell32.dll swisyn
Link:
https://www.filescan.io/uploads/6248c0639253b276b7d0d331/reports/ce467e04-7c22-490a-8810-097e40886ff9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Blitzed Grabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d35f6aed-df70-4a7f-a3bd-19123e70a454
Result
Threat name:
BitCoin Miner MercurialGrabber SilentXMR
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969467
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected MercurialGrabber
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 601954 Sample: Spoofer.exe Startdate: 02/04/2022 Architecture: WINDOWS Score: 100 125 Found malware configuration 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 Antivirus detection for dropped file 2->129 131 13 other signatures 2->131 11 Spoofer.exe 3 2->11         started        14 services32.exe 2->14         started        process3 file4 101 C:\Users\user\AppData\...\WARZONE SPOOFER.EXE, PE32 11->101 dropped 103 C:\Users\user\...\MF9WCQV2FSBZXDXGUM.EXE, PE32 11->103 dropped 17 MF9WCQV2FSBZXDXGUM.EXE 2 11->17         started        21 WARZONE SPOOFER.EXE 14 5 11->21         started        159 Antivirus detection for dropped file 14->159 161 Multi AV Scanner detection for dropped file 14->161 163 Writes to foreign memory regions 14->163 165 2 other signatures 14->165 24 conhost.exe 14->24         started        signatures5 process6 dnsIp7 93 C:\Users\user\AppData\Local\Temp\goss.exe, PE32+ 17->93 dropped 95 C:\Users\user\AppData\...\RuntimeUpdater.exe, PE32+ 17->95 dropped 133 Antivirus detection for dropped file 17->133 135 Multi AV Scanner detection for dropped file 17->135 137 Adds a directory exclusion to Windows Defender 17->137 26 cmd.exe 1 17->26         started        28 cmd.exe 1 17->28         started        31 cmd.exe 1 17->31         started        105 discord.com 162.159.128.233, 443, 49764, 49765 CLOUDFLARENETUS United States 21->105 107 ip-api.com 208.95.112.1, 49763, 80 TUT-ASUS United States 21->107 109 ip4.seeip.org 23.128.64.141, 443, 49762 JOESDATACENTERUS United States 21->109 139 Tries to harvest and steal browser information (history, passwords, etc) 21->139 33 conhost.exe 21->33         started        35 WerFault.exe 21->35         started        37 cmd.exe 24->37         started        file8 signatures9 process10 signatures11 39 services32.exe 26->39         started        42 RuntimeUpdater.exe 26->42         started        54 2 other processes 26->54 157 Adds a directory exclusion to Windows Defender 28->157 44 conhost.exe 28->44         started        46 powershell.exe 25 28->46         started        48 powershell.exe 28->48         started        50 goss.exe 31->50         started        52 conhost.exe 31->52         started        56 3 other processes 37->56 process12 signatures13 141 Writes to foreign memory regions 39->141 143 Allocates memory in foreign processes 39->143 145 Creates a thread in another existing process (thread injection) 39->145 58 conhost.exe 39->58         started        147 Antivirus detection for dropped file 42->147 149 Multi AV Scanner detection for dropped file 42->149 62 conhost.exe 4 42->62         started        151 Adds a directory exclusion to Windows Defender 44->151 process14 file15 97 C:\Windows\System32\...\sihost32.exe, PE32+ 58->97 dropped 153 Drops executables to the windows directory (C:\Windows) and starts them 58->153 155 Adds a directory exclusion to Windows Defender 58->155 64 sihost32.exe 58->64         started        67 cmd.exe 58->67         started        99 C:\Windows\System32\services32.exe, PE32+ 62->99 dropped 69 cmd.exe 1 62->69         started        71 cmd.exe 62->71         started        73 cmd.exe 62->73         started        signatures16 process17 signatures18 111 Antivirus detection for dropped file 64->111 113 Multi AV Scanner detection for dropped file 64->113 115 Writes to foreign memory regions 64->115 123 2 other signatures 64->123 75 conhost.exe 64->75         started        77 conhost.exe 67->77         started        79 powershell.exe 67->79         started        81 powershell.exe 67->81         started        117 Uses schtasks.exe or at.exe to add and modify task schedules 69->117 119 Adds a directory exclusion to Windows Defender 69->119 83 powershell.exe 22 69->83         started        85 conhost.exe 69->85         started        87 powershell.exe 69->87         started        121 Drops executables to the windows directory (C:\Windows) and starts them 71->121 89 conhost.exe 73->89         started        91 schtasks.exe 73->91         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6/
Threat name:
ByteCode-MSIL.Trojan.Disstl
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 07:52:20 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
38 of 42 (90.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e49a7e27c826b6afb92d25bd287493693af46e42838270cf96ee2f27c2c0521
MercurialGrabber
1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
MercurialGrabber
4d1561d0305e150e1a74ef02c3c20b550cbd7e68ad3dc8e237f40b3b71e9c29e
MercurialGrabber
5eac63fc61a6c010a8be021bf6d86d377f03c10fcd447c1342d0aba35ae6b68a
MercurialGrabber
6825716f7a72eedb249630bf9b0331a80cb09db8522f0fccbdcdbbe333c1c2c7
MercurialGrabber
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
MercurialGrabber
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
MercurialGrabber
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
MercurialGrabber
a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf
MercurialGrabber
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
MercurialGrabber
+ 1'857 additional samples on MalwareBazaar
Result
Malware family:
mercurialgrabber
Create hunting rule
Score:
  10/10
Tags:
family:mercurialgrabber evasion spyware stealer
Link:
https://tria.ge/reports/220402-1cfsysegdp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Mercurial Grabber Stealer
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/933451728135806987/lpNfUTCd8F4E9yowaSokgNYU7zC1X5qCXDJLu3zbqTZou-P8TjX_zGK02uTNJf-8ydRd
Unpacked files
SH256 hash:
1e60b0c770cc15b1c5369caa0d0b748fc5433cd46d3eb2fc182bf6e03814cb39
MD5 hash:
b4f82275ce69ef038775102da0872851
SHA1 hash:
22f4ae66dd3651574907e4acf2d6e56a71450738
Link:
https://www.unpac.me/results/707ab273-ad55-4b5c-a4de-69f3b2f7e8e2/
SH256 hash:
d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6
MD5 hash:
e0818f4c5333866bc3c186ea7f9a2bae
SHA1 hash:
94f4a586e2999e1692540a213bf96130db1b03f3
Link:
https://www.unpac.me/results/707ab273-ad55-4b5c-a4de-69f3b2f7e8e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_Mercurial
Create hunting rule
Author:ditekSHen
Description:Detects Mercurial infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:MAL_Luna_Stealer_Apr_2021_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect Luna stealer (also Mercurial Grabber)
Reference:https://github.com/NightfallGT/Mercurial-Grabber

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/260222/

Comments