General
-
Target
Hellgate.exe
-
Size
1.0MB
-
Sample
221013-yele4sbca6
-
MD5
e1cdb32a46b1bf6b3c4dffdaf1058100
-
SHA1
0405bafb45a384e6e9855f1ca37b3be965e59406
-
SHA256
96b725f4b6600d65455c4b7c67e417a8c819f06079634f9f8828093509a16054
-
SHA512
b986e2c5bda8704bd4534098e0becde31588a5d8ae9f9e052869409ad8943bebe9909b9b2d2f4a5f77a546dd23997ee80905c89c0186f7020618ea2b52769906
-
SSDEEP
6144:GSncRllCFdsiI8WZWuPf021sgkvnHn/gkvnHnldAnHnQbGYzN7+fdTd:L4mtItn021wvJvo8zF+
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/987640098617172000/PbaLpTwyRpxg4qbEnOz-zr-tqlDiGl8IEoGkhHD7lhsWbbidSSOOQHu7ONx6CmdAgK7-
Targets
-
-
Target
Hellgate.exe
-
Size
1.0MB
-
MD5
e1cdb32a46b1bf6b3c4dffdaf1058100
-
SHA1
0405bafb45a384e6e9855f1ca37b3be965e59406
-
SHA256
96b725f4b6600d65455c4b7c67e417a8c819f06079634f9f8828093509a16054
-
SHA512
b986e2c5bda8704bd4534098e0becde31588a5d8ae9f9e052869409ad8943bebe9909b9b2d2f4a5f77a546dd23997ee80905c89c0186f7020618ea2b52769906
-
SSDEEP
6144:GSncRllCFdsiI8WZWuPf021sgkvnHn/gkvnHnldAnHnQbGYzN7+fdTd:L4mtItn021wvJvo8zF+
Score10/10-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-