Resubmissions

11-05-2023 19:06   230511-xsa1vsab39   10
11-05-2023 19:03   230511-xqjj8acd8w   6
11-05-2023 18:58   230511-xmmgpsab27   8

General

  • Target

    https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0

  • Sample

    230511-xsa1vsab39

Targets

    • Target

      https://github.com/NightfallGT/Mercurial-Grabber/releases/tag/v1.0

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      Changes the handler Windows uses to open .exe files, so the malware is run whenever any executable is launched; a persistence and hijacking technique.

    • Registers COM server for autorun

      Writes a COM class registration (CLSID with an InprocServer32 entry) pointing at a dropped DLL, so the DLL is loaded whenever a process instantiates that class; a persistence technique.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
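The registry-based checks listed above are what a sandbox or EDR sees as a sequence of registry reads and writes. The following is an added example of turning that list into detection logic: it replays constructed registry-event log lines (operation, process, key path) and reports which of the report's signatures each line triggers. It is not code from the report or from the Mercurial Grabber project. The report names the checks but not the keys, so the key paths below are assumptions based on the well-known Windows locations for each item, and the `op|process|path` log format is likewise a constructed one.

```python
import re
from collections import defaultdict

# Which registry operations count as a read-style check versus a modification.
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteValue"}

# Signature name from the report -> (operations that qualify, key-path patterns).
# ASSUMPTION: the report does not list the keys; these are the usual Windows
# locations for each check, not paths recovered from the sample.
SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry": (READ_OPS, [
        r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"]),
    "Looks for VMWare Tools registry key": (READ_OPS, [
        r"^HKLM\\SOFTWARE\\VMware, Inc\.\\VMware Tools"]),
    "Checks BIOS information in registry": (READ_OPS, [
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\",
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$"]),
    "Checks computer location settings": (READ_OPS, [
        r"^HKCU\\Control Panel\\International\\Geo\\Nation$"]),
    "Checks installed software on the system": (READ_OPS, [
        r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
        r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"]),
    "Maps connected drives based on registry": (READ_OPS, [
        r"^HKLM\\SYSTEM\\MountedDevices",
        r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"]),
    "Modifies system executable filetype association": (WRITE_OPS, [
        r"^HKCR\\exefile\\shell\\open\\command"]),
    "Registers COM server for autorun": (WRITE_OPS, [
        r"^HKCR\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32"]),
}
# Registry paths are case-insensitive, so compile every pattern that way.
SIGNATURES = {name: (ops, [re.compile(p, re.IGNORECASE) for p in pats])
              for name, (ops, pats) in SIGNATURES.items()}

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_CLASSES_ROOT": "HKCR"}

def normalize_key(path):
    """Canonicalise hive names and drop the WOW6432Node redirection component,
    so a 32-bit process on 64-bit Windows matches the same patterns."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    rest = re.sub(r"(?i)WOW6432Node\\", "", rest)
    return hive + sep + rest

def parse_line(line):
    """Constructed log format: operation|process|key path."""
    op, proc, path = line.split("|", 2)
    return op, proc, normalize_key(path)

def match_signatures(lines):
    """Return {signature name: [(process, normalised key), ...]} for every
    log line whose operation and key satisfy a signature."""
    hits = defaultdict(list)
    for line in lines:
        op, proc, key = parse_line(line)
        for name, (ops, patterns) in SIGNATURES.items():
            if op in ops and any(p.search(key) for p in patterns):
                hits[name].append((proc, key))
    return dict(hits)

DISCOVERY = {"Looks for VirtualBox Guest Additions in registry",
             "Looks for VMWare Tools registry key",
             "Checks BIOS information in registry",
             "Maps connected drives based on registry"}

def anti_analysis_score(hits):
    """Number of distinct VM/sandbox discovery signatures that fired."""
    return len(DISCOVERY & hits.keys())

# Constructed sample log; the CLSID is a placeholder, not a real registration.
SAMPLE_LOG = [
    r"RegOpenKey|grabber.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions",
    r"RegOpenKey|grabber.exe|HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"RegQueryValue|grabber.exe|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"RegQueryValue|grabber.exe|HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",
    r"RegEnumKey|grabber.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"RegOpenKey|grabber.exe|HKLM\SYSTEM\MountedDevices",
    r"RegOpenKey|grabber.exe|HKCR\exefile\shell\open\command",
    r"RegSetValue|grabber.exe|HKCR\exefile\shell\open\command\(Default)",
    r"RegSetValue|grabber.exe|HKCR\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
    r"RegQueryValue|explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
]

if __name__ == "__main__":
    results = match_signatures(SAMPLE_LOG)
    for name, entries in results.items():
        print(f"{name}: {len(entries)} hit(s)")
    print("VM/sandbox discovery signatures fired:", anti_analysis_score(results))
```

Two details matter in practice. The read-only open of `HKCR\exefile\shell\open\command` does not trigger the "Modifies" signature; only the subsequent `RegSetValue` does, which keeps benign file-association lookups out of the alert. And the WOW6432Node stripping is what lets a 32-bit stealer's redirected `HKLM\SOFTWARE\WOW6432Node\Oracle\...` access match the same rule as the native path.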
