General

  • Target

    ReportBot Roblox.exe

  • Size

    42KB

  • Sample

    221117-mxz6faac4z

  • MD5

    7a1482f16e2f32d736550a3e7f7f2720

  • SHA1

    3620d95228bfed6c37b6b4536dd824fdcc58329f

  • SHA256

    ccf3c8658eb69296ec0c4dbc39dbe9e5524e166af2d3b9c6ca461ac33e2c9a14

  • SHA512

    3c6cf73fa7e417815db0199ceaaffc6b3721fe45e804942fb0b793748592ccfebb4c14b8dc51da03e9ef137edaba84c68ba1acd923115a165b4511a86dc3f2bd

  • SSDEEP

    768:P5JqKKqqI28Tj6rZDPuZML+ITjxKZKfgm3Eh+f:PeNqH28TjQTL+ITdF7Egf

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/919604917419794443/jcIKQ9iKUasBQrVvt23hZjvfuFLUdmL2Yqjn3ZoVKGSEvZkqbzvWxl7lWSke-q-m-nJE

Targets

    • Target

      ReportBot Roblox.exe

    • Size

      42KB

    • MD5

      7a1482f16e2f32d736550a3e7f7f2720

    • SHA1

      3620d95228bfed6c37b6b4536dd824fdcc58329f

    • SHA256

      ccf3c8658eb69296ec0c4dbc39dbe9e5524e166af2d3b9c6ca461ac33e2c9a14

    • SHA512

      3c6cf73fa7e417815db0199ceaaffc6b3721fe45e804942fb0b793748592ccfebb4c14b8dc51da03e9ef137edaba84c68ba1acd923115a165b4511a86dc3f2bd

    • SSDEEP

      768:P5JqKKqqI28Tj6rZDPuZML+ITjxKZKfgm3Eh+f:PeNqH28TjQTL+ITdF7Egf

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks