mercurialgrabber | 434bee4e012adaf0088de6dbbd407b36e2dcdd5d6487d1b529492c8ffa2f82bc | Triage

Sharing

General

Target

working key.zip
Size

18KB
Sample

240329-k1eb2aed86
MD5

db27edd4a5250217b6ced48c54f73a14
SHA1

d37756079e7748098896f398d8f9266c5ffebeff
SHA256

434bee4e012adaf0088de6dbbd407b36e2dcdd5d6487d1b529492c8ffa2f82bc
SHA512

be724fc408d7c86ab96b8659ebab7d81fd45c18f811bc692aa02f813ef8a11e8609eb4198ecf8bb9da4a7f3acec99c3f6db351393d688a352f2db2ee9fd7cecb
SSDEEP

384:i+gLeUvwpwWFuG7kYLYBRMf6GAJKQ8NfL+nMf8tCi5FE8gm:JUQtuG7kYcsUMQC6Q8t9p

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1223007453780775012/RmQhlmaS6I4pA1jXRQPJVPP5zpVjnzimQ1bM_90lRDIoExo4TSHsD7rxDV2WS0GJ9Ema

Targets

- Target
  
  working key/working key/working key.exe
- Size
  
  42KB
- MD5
  
  ff14bb3b31fee2eab5895bf147692528
- SHA1
  
  2ee91155e0d48944c7bfc2345b0989d321d3b51e
- SHA256
  
  ad2dc3e2cf9bbcff6fca8645731850e33d9f5dd19a2e864aa611c7e5cf50639b
- SHA512
  
  ba5daf2fb2de19bbc2b0f038d32e720297e7b3ccd3ddea30b023ea77bec97705e949c0590d8568865e27001e7be27c9d2cd8bdc42aa4e1029bac36fd4a6f2d14
- SSDEEP
  
  768:iuA5Ehi4//4MbuZAuL5vTjtKZKfgm3EhgZ:wE0aDsL5vTJF7EeZ
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer