General

  • Target

    7f45f62fe7d69849499b6b47380bb4ce96425dff4f4848acfb2b64f48c634c15

  • Size

    42KB

  • Sample

    231114-xjjlmsdc36

  • MD5

    221e7f2c6e9d297d71df4e2b192e9b1c

  • SHA1

    4cca672ec1b56ea37bc404bbae28f1cd419e88ec

  • SHA256

    7f45f62fe7d69849499b6b47380bb4ce96425dff4f4848acfb2b64f48c634c15

  • SHA512

    1317b91ffe642fd8d496b3a85c60b8b48f39c0e88d8983e3f6a20e56cc080e9256c54c56337b4573ea49255ed19e93b85c7fc8b053114656064b2005d56cd768

  • SSDEEP

    768:V0eEROTjONG1uZYLEg0TjfKZKfgm3Eh14:iOTjoGTLEg0TrF7Ej4

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/905337671944118314/RjdLG0UxA1DjDMSnw0nxSckjdxWHA_va88xegNROO1MiJ9TRTwujMs9YFAJ_iGB7mw7W

Targets

    • Target

      7f45f62fe7d69849499b6b47380bb4ce96425dff4f4848acfb2b64f48c634c15

    • Size

      42KB

    • MD5

      221e7f2c6e9d297d71df4e2b192e9b1c

    • SHA1

      4cca672ec1b56ea37bc404bbae28f1cd419e88ec

    • SHA256

      7f45f62fe7d69849499b6b47380bb4ce96425dff4f4848acfb2b64f48c634c15

    • SHA512

      1317b91ffe642fd8d496b3a85c60b8b48f39c0e88d8983e3f6a20e56cc080e9256c54c56337b4573ea49255ed19e93b85c7fc8b053114656064b2005d56cd768

    • SSDEEP

      768:V0eEROTjONG1uZYLEg0TjfKZKfgm3Eh14:iOTjoGTLEg0TrF7Ej4

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks