General

  • Target

    d91ac64c9b20de3cf9991584c4cb7f7d

  • Size

    177KB

  • Sample

    231222-sr5rmabdg7

  • MD5

    d91ac64c9b20de3cf9991584c4cb7f7d

  • SHA1

    648f495345b755600e17f7183aef5c6b0d2a0811

  • SHA256

    c88c3b07ef5db6e9541a9a7679c7558c75aad03b63d8562395183c5a1e7aa437

  • SHA512

    42884feb4fde14f89f29aa6a5b5398d941b86ea9fabfb86f62c22f8dfe7cb00935424965eb43ea60e2cfa4783797cdae345094a84dceb030fc3ce684336f0d4f

  • SSDEEP

    3072:kTQ1L+PTuF7EFg9a58pSAByegSKDxLUG+XCvtattKTlCSB+eQ7ZkDrH:k01SbOaxgG+XCVaPSBbQuX

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/881080030774566912/6dd3RKBs7nrkruH-THAJIMVuvfmyhpULFrJpmbupLFeSZO77SX2-2JSSyVcRc8u1ADT1

Targets

    • Target

      d91ac64c9b20de3cf9991584c4cb7f7d

    • Size

      177KB

    • MD5

      d91ac64c9b20de3cf9991584c4cb7f7d

    • SHA1

      648f495345b755600e17f7183aef5c6b0d2a0811

    • SHA256

      c88c3b07ef5db6e9541a9a7679c7558c75aad03b63d8562395183c5a1e7aa437

    • SHA512

      42884feb4fde14f89f29aa6a5b5398d941b86ea9fabfb86f62c22f8dfe7cb00935424965eb43ea60e2cfa4783797cdae345094a84dceb030fc3ce684336f0d4f

    • SSDEEP

      3072:kTQ1L+PTuF7EFg9a58pSAByegSKDxLUG+XCvtattKTlCSB+eQ7ZkDrH:k01SbOaxgG+XCVaPSBbQuX

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks