General

  • Target

    5438e72e63d6bb6a914e4e49bb0e4bb2

  • Size

    11.4MB

  • Sample

    231226-e4m6fsdger

  • MD5

    5438e72e63d6bb6a914e4e49bb0e4bb2

  • SHA1

    99ef6b7cc6ce92ff837d1e190b1094c2c5c664c8

  • SHA256

    b83f3ac3d0b39a90ee9f67b1d4aa8ea76b5e10bb8e2f9c8fbe8c17bb4d2dfa67

  • SHA512

    5d0cbadbdf541a3af269b9dc11b411097f82a85f88fef3352bebc73eb9c563b36397ef40f5d6de4a7f51497df24228dbc31b83a89f164f68bfca5d96a7ecd94e

  • SSDEEP

    196608:edG0lup9tFt+7v3o/dZ2KvlpEU/M3T68Rm7HgveightnV4ViUa3KZ5Fg5n91:edG0KtFt+jgdbvlZ/o68M7BN3KVOn91

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/868818854405636156/rxGGmC3dPawrL03y9KYqVA_vzWDbUbtu1C68qlE5FAWIOcQg9Y_eRgshuyJbadUmLsW1

Targets

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (avoiding execution in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile contents.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks