General

  • Target

    Mercurial.Grabber.v1.03.rar

  • Size

    2.9MB

  • Sample

    221018-kvj1bsfdfp

  • MD5

    635903bad1ada856d701f34d3070ccd9

  • SHA1

    3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0

  • SHA256

    3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

  • SHA512

    fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015

  • SSDEEP

    49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1031850765066711100/XNhtTvBzNsSPyWCHgTW7oNHV38mquFVjqa1ZgfiTJZL1gPBsBMb49J88sfZgq09rCM1y

Targets

    • Target

      Mercurial.exe

    • Size

      3.2MB

    • MD5

      a9477b3e21018b96fc5d2264d4016e65

    • SHA1

      493fa8da8bf89ea773aeb282215f78219a5401b7

    • SHA256

      890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

    • SHA512

      66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

    • SSDEEP

      98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks