mercurialgrabber | 8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028

General

Target

4e6984054c17293752f8d11ccac45e70.exe
Size

159KB
Sample

221003-3dwlxacae5
MD5

4e6984054c17293752f8d11ccac45e70
SHA1

96b45cc928488f23eb485ebd72f1276996c7f785
SHA256

8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
SHA512

978e885d724fd91553483a077979f940a9349e45fce08b4a39c5cac25a5a75e0dd27b166b4724be19a435beef780ad8f866787035944285222385623af1ce9a5
SSDEEP

3072:C6x5F6chV9MBOefbGEKr2fewpgsRMCo1pn2A3PM+:CK6u9p3EKbwhRMCkp

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1020039781461270569/vy0h8kS-gC86OffrPKkierhCOJQYdMCGfu4Dr7HRyL4VcCHEP6llcvNaOkPDg-SgwAnl

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

Ni50Y3AuZXUubmdyb2suaW8Strik:MTM5OTI=

Mutex

dcc8f8f212bdcee4931d8d1d2c481753

Attributes

reg_key
dcc8f8f212bdcee4931d8d1d2c481753
splitter
|'|'|

Targets

- Target
  
  4e6984054c17293752f8d11ccac45e70.exe
- Size
  
  159KB
- MD5
  
  4e6984054c17293752f8d11ccac45e70
- SHA1
  
  96b45cc928488f23eb485ebd72f1276996c7f785
- SHA256
  
  8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
- SHA512
  
  978e885d724fd91553483a077979f940a9349e45fce08b4a39c5cac25a5a75e0dd27b166b4724be19a435beef780ad8f866787035944285222385623af1ce9a5
- SSDEEP
  
  3072:C6x5F6chV9MBOefbGEKr2fewpgsRMCo1pn2A3PM+:CK6u9p3EKbwhRMCkp
Score

10^/10

mercurialgrabber njrat hacked evasion spyware stealer trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2