Overview

overview

10

Static

static

10

ae5cb1e8cd...ec.exe

windows7-x64

10

ae5cb1e8cd...ec.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ae5cb1e8cdf7c298ddcaec79334a954a8a34d98a58e3aa857c2f75373dcd08ec

  • Size

    42KB

  • Sample

    220907-lmh9hagghn

  • MD5

    ee21678d6c4ad7f1e8aa2a266fe76b20

  • SHA1

    677a6d5cf3ee018644c29e30a97b3ef966eef25a

  • SHA256

    ae5cb1e8cdf7c298ddcaec79334a954a8a34d98a58e3aa857c2f75373dcd08ec

  • SHA512

    d2e3f4263b1374fd7bb8bb2f20d532489e92670f4e37c172e3a3ea28c9ca59f06c8f21f1f56f4df8bbcd5e6579f6466daa9e2e16b7cbb5e56338f6fc42969866

  • SSDEEP

    384:5/6DSRia2Pz5Y4eN8zM517J3dDlKz++cTTmrs/XZxIh/MoJEFq5nml6TAssKQsLZ:U40M5/dj+uWuZyLM6TjsKZKfgm3EheO

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/945467124829290577/4e5DteE7s9woCN9_FDq-BplWM-jeiUaYgLC19cy64cR_2n9S1YmRZ42V-UXpC510XTBH

Targets

    • Target

      ae5cb1e8cdf7c298ddcaec79334a954a8a34d98a58e3aa857c2f75373dcd08ec

    • Size

      42KB

    • MD5

      ee21678d6c4ad7f1e8aa2a266fe76b20

    • SHA1

      677a6d5cf3ee018644c29e30a97b3ef966eef25a

    • SHA256

      ae5cb1e8cdf7c298ddcaec79334a954a8a34d98a58e3aa857c2f75373dcd08ec

    • SHA512

      d2e3f4263b1374fd7bb8bb2f20d532489e92670f4e37c172e3a3ea28c9ca59f06c8f21f1f56f4df8bbcd5e6579f6466daa9e2e16b7cbb5e56338f6fc42969866

    • SSDEEP

      384:5/6DSRia2Pz5Y4eN8zM517J3dDlKz++cTTmrs/XZxIh/MoJEFq5nml6TAssKQsLZ:U40M5/dj+uWuZyLM6TjsKZKfgm3EheO

    Score
    10/10
    mercurialgrabberevasionspywarestealer

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks