General

  • Target

    2e78085fde3849a96c97bab2adbbe87ab9927d805fc574b25140c03f794c9cf9

  • Size

    41KB

  • Sample

    220622-kc3dysbffn

  • MD5

    4fc6862e828a88f28e1e5ee455ca46c5

  • SHA1

    fb4521832a5889270feb0163e12539b24892e578

  • SHA256

    2e78085fde3849a96c97bab2adbbe87ab9927d805fc574b25140c03f794c9cf9

  • SHA512

    2cb778794d5626fc5eb44811a0d748dc107f61735615a4d516f3c28169970b65e78e84fcddd8c98a8b0d0810cf4a7f5c1e0c5ddfb99ab9b68955bfdded8f367b

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/901865119745728564/mGESaEVQkBEIL2SrugLKmO5lOXV2ZUGK5TWxpL2S-fd_s7RU_cxdPKSmp6walqGvJT8e

Targets

    • Target

      2e78085fde3849a96c97bab2adbbe87ab9927d805fc574b25140c03f794c9cf9

    • Size

      41KB

    • MD5

      4fc6862e828a88f28e1e5ee455ca46c5

    • SHA1

      fb4521832a5889270feb0163e12539b24892e578

    • SHA256

      2e78085fde3849a96c97bab2adbbe87ab9927d805fc574b25140c03f794c9cf9

    • SHA512

      2cb778794d5626fc5eb44811a0d748dc107f61735615a4d516f3c28169970b65e78e84fcddd8c98a8b0d0810cf4a7f5c1e0c5ddfb99ab9b68955bfdded8f367b

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • suricata: ET MALWARE NightfallGT Mercurial Grabber

      suricata: ET MALWARE NightfallGT Mercurial Grabber

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v6

Tasks