General

  • Target

    stub.exe

  • Size

    42KB

  • Sample

    230522-3c619adh3s

  • MD5

    815c1245bc05bdad3189cc6a65396207

  • SHA1

    778663a46b269dc305f2e577f433ffc3b45909bd

  • SHA256

    e1790e7dd80127ecb73f0a540f2ad8b4479bb97a0ecb7be807a67bc06fda94f2

  • SHA512

    bedd64ebe0162fd55b74044ed4325997cf453ec0f502099337773dd0d2a4347f13ded825b7b812ba7441b6d092d2ff1a51517b2bb07882279b929c548b42e1ed

  • SSDEEP

    384:sciKoRD0L2GI1Q/VNWJ2ge5So9eTYuWs/XZxIh/doJEFq5nmqoTAsCIKQsLd/Sfp:1LT+oge5b0guZ5LnoTjZKZKfgm3Eheb

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1016435887099351190/NopdbVD5frXDLoZP3uBJeO3ESYrxVuhaIRyPJa5-BQ2gbFKRBe__Z233lKve_2jaiaDB
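
The extracted C2 is a Discord webhook, and the webhook ID is a Discord snowflake that encodes its own creation time. The script below, added here as a worked example and not part of the sandbox's extractor or of Mercurial Grabber, pulls webhook URLs out of a string dump or extracted config, de-duplicates them, redacts the token for sharing and decodes the creation time from the ID. SAMPLE_BLOB is constructed for the example around the C2 string above; the surrounding strings are invented noise.

```python
"""Extract Discord webhook C2 URLs from a string dump or extracted config and
recover when each webhook was created from its snowflake ID.

Added example for this report; not part of the sandbox's extractor or of
Mercurial Grabber. SAMPLE_BLOB is constructed around the C2 string above."""
import re
from datetime import datetime, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds
DISCORD_EPOCH_MS = 1420070400000

# /api/webhooks/<snowflake id>/<token>; the token is URL-safe base64
# (68 characters on current webhooks, so a lower bound of 50 is used here).
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com"
    r"/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,})"
)


def snowflake_created_utc(snowflake):
    """Creation time of a Discord snowflake: bits 22..63 are ms since DISCORD_EPOCH_MS."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def redact_token(token):
    """Keep the ends of the token so reports can be correlated without republishing a usable credential."""
    return token[:4] + "..." + token[-4:]


def extract_webhooks(blob):
    """Return one record per distinct webhook ID found in blob."""
    records, seen = [], set()
    for m in WEBHOOK_RE.finditer(blob):
        webhook_id, token = m.group(1), m.group(2)
        if webhook_id in seen:
            continue
        seen.add(webhook_id)
        records.append({
            "webhook_id": webhook_id,
            "token_redacted": redact_token(token),
            "created_utc": snowflake_created_utc(webhook_id),
        })
    return records


# Constructed sample: the C2 from the report's config, repeated once to show
# de-duplication, surrounded by invented strings-output noise.
SAMPLE_BLOB = """
Login Data
Local State
https://discord.com/api/webhooks/1016435887099351190/NopdbVD5frXDLoZP3uBJeO3ESYrxVuhaIRyPJa5-BQ2gbFKRBe__Z233lKve_2jaiaDB
https://discord.com/api/v9/users/@me
https://discord.com/api/webhooks/1016435887099351190/NopdbVD5frXDLoZP3uBJeO3ESYrxVuhaIRyPJa5-BQ2gbFKRBe__Z233lKve_2jaiaDB
"""

if __name__ == "__main__":
    for rec in extract_webhooks(SAMPLE_BLOB):
        print(rec)
```

For this sample the webhook ID decodes to 2022-09-05T19:53:19Z, months before the analysis date embedded in the sample ID, which bounds when the operator set up the exfiltration channel. The token alone is enough to read (GET) or delete (DELETE) the webhook through the public Discord API, which is why the example redacts it: deleting the webhook stops further exfiltration from every infection using this build, but it also destroys the evidence and tells the operator the sample has been analysed, so decide that deliberately rather than by reflex.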

Targets

    • Target

      stub.exe

    • Size

      42KB

    • MD5

      815c1245bc05bdad3189cc6a65396207

    • SHA1

      778663a46b269dc305f2e577f433ffc3b45909bd

    • SHA256

      e1790e7dd80127ecb73f0a540f2ad8b4479bb97a0ecb7be807a67bc06fda94f2

    • SHA512

      bedd64ebe0162fd55b74044ed4325997cf453ec0f502099337773dd0d2a4347f13ded825b7b812ba7441b6d092d2ff1a51517b2bb07882279b929c548b42e1ed

    • SSDEEP

      384:sciKoRD0L2GI1Q/VNWJ2ge5So9eTYuWs/XZxIh/doJEFq5nmqoTAsCIKQsLd/Sfp:1LT+oge5b0guZ5LnoTjZKZKfgm3Eheb

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information. It exfiltrates what it collects by POSTing to a Discord webhook, which is the C2 value extracted above: the same URL is both the exfiltration channel and the indicator to block or report.

    • Looks for VirtualBox Guest Additions in registry

      The Guest Additions key only exists inside a VirtualBox guest; stealers check it to abort or behave benignly under analysis.

    • Looks for VMWare Tools registry key

      Same purpose as the VirtualBox check, for VMware guests.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments; hypervisors expose vendor strings (manufacturer, product name, BIOS version) that differ from physical hardware.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

      The C2 is a Discord webhook, so exfiltration goes to discord.com over HTTPS and blends in with legitimate Discord traffic; detection has to key on the /api/webhooks/ path or the specific webhook ID rather than the domain.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
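
A detection for the VM, BIOS and disk fingerprinting reads listed above, added here as a worked example and not part of the report or of any sandbox's signature engine. It matches registry-access events against the well-known registry locations a stealer queries for VirtualBox Guest Additions, VMware Tools, BIOS strings and attached disks. The event layout (dicts with 'op' and 'key') is constructed for the example, and the mapping from the report's signature names to registry keys is an assumption: the keys are real Windows locations, but the page does not say which ones the sandbox's own signatures match.

```python
"""Flag the registry reads a stealer makes to fingerprint VMs, sandboxes and
attached disks, over a stream of registry-access events.

Added example for this report; not the sandbox's signature engine. The event
layout is constructed for the example, and the mapping from the report's
signature names to registry keys is an assumption (the keys are real Windows
locations; the page does not say which ones its signatures match)."""
import re

SIGNATURE_KEYS = {
    "Looks for VirtualBox Guest Additions in registry": [
        r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    ],
    "Looks for VMWare Tools registry key": [
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    ],
    "Checks BIOS information in registry": [
        # SystemManufacturer/SystemProductName live under \System\BIOS;
        # SystemBiosVersion/VideoBiosVersion directly under \System
        r"HKLM\HARDWARE\DESCRIPTION\System",
    ],
    "Maps connected drives based on registry": [
        r"HKLM\SYSTEM\MountedDevices",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    ],
}

# Only reads count: a write to these keys is not a fingerprinting probe.
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# Kernel-style and long-form hive names normalised to the short form used above;
# ControlSet00N is folded into CurrentControlSet.
_NORMALISERS = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\", re.I), r"HKU\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), r"HKCU\\"),
    (re.compile(r"\\ControlSet00\d\\", re.I), r"\\CurrentControlSet\\"),
]


def normalize_key(path):
    """Canonical, upper-cased form of a registry path so spellings compare equal."""
    path = path.strip().rstrip("\\")
    for pattern, repl in _NORMALISERS:
        path = pattern.sub(repl, path)
    return path.upper()


def match_signatures(events):
    """Return {signature: [raw keys that triggered it]} for read events at or under a watched key."""
    watched = {sig: [normalize_key(k) for k in keys] for sig, keys in SIGNATURE_KEYS.items()}
    hits = {}
    for ev in events:
        if ev.get("op") not in READ_OPS:
            continue
        key = normalize_key(ev["key"])
        for sig, prefixes in watched.items():
            if any(key == p or key.startswith(p + "\\") for p in prefixes):
                hits.setdefault(sig, []).append(ev["key"])
                break
    return hits


def anti_analysis_verdict(hits, threshold=2):
    """True when at least `threshold` distinct VM/sandbox checks fired. Drive
    enumeration alone is common in benign software, so it is not counted."""
    vm_checks = [s for s in hits if s != "Maps connected drives based on registry"]
    return len(vm_checks) >= threshold


# Constructed events in the shape a sandbox registry trace or Sysmon export
# might be normalised into; paths deliberately mix hive spellings.
SAMPLE_EVENTS = [
    {"op": "RegOpenKey",    "key": r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"op": "RegOpenKey",    "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"op": "RegQueryValue", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"op": "RegEnumValue",  "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"},
    {"op": "RegOpenKey",    "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"op": "RegSetValue",   "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath"},
]

if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for sig, keys in found.items():
        print(sig, "<-", keys)
    print("anti-analysis:", anti_analysis_verdict(found))
```

The prefix match is deliberate: a stealer usually opens the parent key and then queries individual values, so matching on the subtree catches both the open and the value read, while the hive normalisation keeps kernel-style paths from a driver-based trace and HKEY_ spellings from a user-mode hook from being missed. The verdict function ignores the drive-mapping signature on its own because installers and backup software read MountedDevices routinely; it only adds weight when the VM checks are already present.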

MITRE ATT&CK Enterprise v6

Tasks