General

  • Target: shanghai-china.png

  • Size: 116KB

  • Sample: 230428-sykd9seh85

  • MD5: 62532f4cdc95ea103c7553e32df4a81c

  • SHA1: 0908819aaae8056c0f3a006cf194e6f0c7e7533e

  • SHA256: 8add3189ea884a191b23bc041fe3f37d98c5ceac43645a170bf0ae7d7aa34fcb

  • SHA512: c7a4d5418dfec68c46335a045b3d6fc76be9b93281d59b31c89365951f45f72094bb258c0b2ec7a108ed4aead25cf4757020b01ff4dcbcad6a6b9a70b7a0a55f

  • SSDEEP: 3072:t8HSA1veMxROyHch6CbhDMbRazMDUzd/Qm:sSA12MR/Hch6ClDK1UBj

Malware Config

Extracted

  • Family: mercurialgrabber

  • C2: https://discord.com/api/webhooks/1099387908529590436/csI680QjQ0rYN47OrautZioSZMjNoV4gtJ-oJSEQllIml9uxWdhEdyeB7kzNFxzuWBnd

Targets

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
