mercurialgrabber | 0a0364341a4a63763b18b07ba41f2db7d341270fc185ec104e20935aaf66bef1 | Triage

Sharing

General

Target

FreeAccsWithRobux.exe
Size

42KB
Sample

240312-ynn8cshh4x
MD5

56adb3d844d2e1436afcc6a70d3ffc9e
SHA1

05979ce27c95352374d2c8d2ef4a48adcfe3c2b1
SHA256

0a0364341a4a63763b18b07ba41f2db7d341270fc185ec104e20935aaf66bef1
SHA512

78da9c6669974f6b4160af9274758fe2fa9cb49b76abc29c1c0e6048806ce09e9196e4da1dd3c75d993f992261245e8f287444bacc413fb88a61ff1a9eac0729
SSDEEP

768:PLzHY8YKcKIEomMkuZ5LZdTjSKZKfgm3EhIv:PHLYKcbcmLZdTWF7E6v

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/967818087334305842/HQwsR1nOaR_M-kbZ2mfX1otgcceaVRWUUdKr2xUtEeIf-WxnePA7h-WU2DPpoE8ep8lk

Targets

- Target
  
  FreeAccsWithRobux.exe
- Size
  
  42KB
- MD5
  
  56adb3d844d2e1436afcc6a70d3ffc9e
- SHA1
  
  05979ce27c95352374d2c8d2ef4a48adcfe3c2b1
- SHA256
  
  0a0364341a4a63763b18b07ba41f2db7d341270fc185ec104e20935aaf66bef1
- SHA512
  
  78da9c6669974f6b4160af9274758fe2fa9cb49b76abc29c1c0e6048806ce09e9196e4da1dd3c75d993f992261245e8f287444bacc413fb88a61ff1a9eac0729
- SSDEEP
  
  768:PLzHY8YKcKIEomMkuZ5LZdTjSKZKfgm3EhIv:PHLYKcbcmLZdTWF7E6v
Score

10^/10

mercurialgrabber evasion stealer spyware
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionstealer

behavioral2

mercurialgrabberevasionspywarestealer

behavioral3

mercurialgrabberevasionspywarestealer

behavioral4

mercurialgrabberevasionspywarestealer