General

  • Target

    ae3a20db60729e69b81814151b161e71219f1d8c14beb64a07f47fb2dde8f668

  • Size

    42KB

  • Sample

    220925-q1tplsgbal

  • MD5

    fb1456b3b636f053cbc957205e622607

  • SHA1

    bac4d4141fa0f0b420d5d75cf4bbd7c35a03548e

  • SHA256

    ae3a20db60729e69b81814151b161e71219f1d8c14beb64a07f47fb2dde8f668

  • SHA512

    886a8f22ed9ce0ce73e81186fd4087c05a45f8314add4a64948d2695e8f51fdc3a6724ef83e52262dc8aa042b7583250b5366cf0d2e5721984cad1e25db57f28

  • SSDEEP

    768:y/D0qZiQrpLvZ8DylO8zuZ4LdhTj6KZKfgm3Ehh6:y/Xj6D98zLdhTGF7Ej6

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/966426984483811329/h9kH3-zMx2IaYBP_aScVi8qsau6YfiO2LEMCiSy3BNCjWA1LqO6XZAd3itHvip1UBLpm

Targets

    • Target

      ae3a20db60729e69b81814151b161e71219f1d8c14beb64a07f47fb2dde8f668

    • Size

      42KB

    • MD5

      fb1456b3b636f053cbc957205e622607

    • SHA1

      bac4d4141fa0f0b420d5d75cf4bbd7c35a03548e

    • SHA256

      ae3a20db60729e69b81814151b161e71219f1d8c14beb64a07f47fb2dde8f668

    • SHA512

      886a8f22ed9ce0ce73e81186fd4087c05a45f8314add4a64948d2695e8f51fdc3a6724ef83e52262dc8aa042b7583250b5366cf0d2e5721984cad1e25db57f28

    • SSDEEP

      768:y/D0qZiQrpLvZ8DylO8zuZ4LdhTj6KZKfgm3Ehh6:y/Xj6D98zLdhTGF7Ej6

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks