Overview

overview

10

Static

static

3

ddf3fd684f...20.exe

windows7-x64

10

ddf3fd684f...20.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ddf3fd684f553b4686987ec5cf532c20

  • Size

    8.0MB

  • Sample

    240325-n4zc6ahh6z

  • MD5

    ddf3fd684f553b4686987ec5cf532c20

  • SHA1

    085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7

  • SHA256

    a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542

  • SHA512

    b5988a061e33f7a742bb42f55dce0145e1defbe7628819a2337349827408480625cb04eacade19ba2495ee366472cc33555ae227b7286b0c58ff909e322f47bc

  • SSDEEP

    196608:OcwTiBknYhfr5QILXP8ZV3PpLsExwsJC4Ct99QTKu6yTL+b0X820iwvefJ:dwWCnYRr5QIXU/3PpLsacVH3TyXz08J

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/853156671664685077/8KUuRAI41xE7p329lIVcKihvvEa-30CxP9F9UkMsip1CErSnArWO8ypnl26upafpelAy

Targets

    • Target

      ddf3fd684f553b4686987ec5cf532c20

    • Size

      8.0MB

    • MD5

      ddf3fd684f553b4686987ec5cf532c20

    • SHA1

      085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7

    • SHA256

      a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542

    • SHA512

      b5988a061e33f7a742bb42f55dce0145e1defbe7628819a2337349827408480625cb04eacade19ba2495ee366472cc33555ae227b7286b0c58ff909e322f47bc

    • SSDEEP

      196608:OcwTiBknYhfr5QILXP8ZV3PpLsExwsJC4Ct99QTKu6yTL+b0X820iwvefJ:dwWCnYRr5QIXU/3PpLsacVH3TyXz08J

    Score
    10/10
    mercurialgrabberevasionspywarestealer

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks