Overview

overview

10

Static

static

3

c3f9a1a275...19.exe

windows7-x64

10

c3f9a1a275...19.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c3f9a1a2757ff748245db0e4aee4ed19

  • Size

    360KB

  • Sample

    240312-wcxn9afb3x

  • MD5

    c3f9a1a2757ff748245db0e4aee4ed19

  • SHA1

    01c7145a0b789dace82adfbfee783cd3f0ae645a

  • SHA256

    9d1a412919e1c983db8e00e6a0b2cba150c8108145c8b6b59c10c3b079286654

  • SHA512

    d76eedd073daa69730cad69652c02882f771f4fb7a0577cc79888cf01eedf2c62e3c9eb52460ed59523b4cc4eadd4c365f6f7064cb18bce52117b861e528943e

  • SSDEEP

    6144:ajT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAW32X+t4RbZfDEeeXse:aRZ+IoG/n9IQxW3OBsee2X+t4RbZfDE7

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/870949548497993778/EyIY4a4IYEOrMeydKhAqLDtbhV1D5bM1LR021BKc55edu3cYxu2ZIJrmvFrkR9sV-G-K

Targets

    • Target

      c3f9a1a2757ff748245db0e4aee4ed19

    • Size

      360KB

    • MD5

      c3f9a1a2757ff748245db0e4aee4ed19

    • SHA1

      01c7145a0b789dace82adfbfee783cd3f0ae645a

    • SHA256

      9d1a412919e1c983db8e00e6a0b2cba150c8108145c8b6b59c10c3b079286654

    • SHA512

      d76eedd073daa69730cad69652c02882f771f4fb7a0577cc79888cf01eedf2c62e3c9eb52460ed59523b4cc4eadd4c365f6f7064cb18bce52117b861e528943e

    • SSDEEP

      6144:ajT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAW32X+t4RbZfDEeeXse:aRZ+IoG/n9IQxW3OBsee2X+t4RbZfDE7

    Score
    10/10
    mercurialgrabberevasionspywarestealer

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks