mercurialgrabber | 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645 | Triage

Submit
Reports

Overview

overview

Static

static

1

Mercurial.exe

windows10-1703-x64

Resubmissions

18-04-2023 19:35

230418-ya1z1afd91 10

18-04-2023 19:31

230418-x8wmhafd7w 7

Sharing

General

Target

Mercurial.bin
Size

3.2MB
Sample

230418-ya1z1afd91
MD5

a9477b3e21018b96fc5d2264d4016e65
SHA1

493fa8da8bf89ea773aeb282215f78219a5401b7
SHA256

890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
SHA512

66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
SSDEEP

98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

Score

10^/10

mercurialgrabber agilenet evasion spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Mercurial.exe

Resource

win10-20230220-en

mercurialgrabber agilenet evasion spyware stealer

windows10-1703-x64

16 signatures

300 seconds

Malware Config

Targets

- Target
  
  Mercurial.bin
- Size
  
  3.2MB
- MD5
  
  a9477b3e21018b96fc5d2264d4016e65
- SHA1
  
  493fa8da8bf89ea773aeb282215f78219a5401b7
- SHA256
  
  890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
- SHA512
  
  66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
- SSDEEP
  
  98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07
Score

10^/10

mercurialgrabber agilenet evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

mercurialgrabberagilenetevasionspywarestealer

© 2018-2024

Terms | Privacy