mercurialgrabber | c4fe95d711086d4775dd36811da8884cb18bbaaae57c7d28d1f9ef6f5f1a155d | Triage

Sharing

General

Target

RoExec.EXE
Size

271KB
Sample

240401-nkrtzadf69
MD5

01ec5c8ccdd0654447f48da1f06d007b
SHA1

8b192697a16e7efb50a2ea1887a2740a9813ec9b
SHA256

c4fe95d711086d4775dd36811da8884cb18bbaaae57c7d28d1f9ef6f5f1a155d
SHA512

87972a7522d73acd70d213a60315cf2e0431918a7b8e2a9843444144742a9d4e34e0c9dee5bcce967561c97b254062b2ca0dd47011ae3b45a17ef76232e1e560
SSDEEP

6144:JahOhp0yN90QEeJWO7f6vkpef83WTbrh:Jity90IWUf6vkQf7R

Score

10^/10

mercurialgrabber evasion persistence spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1224318427007553536/ArJOiDd6uVNGowyvHw3m8UyjhfWEHyhEsW-c8zyiBA_iyXPsCUyOIFcK0e1dm9GeKSMP

Targets

- Target
  
  RoExec.EXE
- Size
  
  271KB
- MD5
  
  01ec5c8ccdd0654447f48da1f06d007b
- SHA1
  
  8b192697a16e7efb50a2ea1887a2740a9813ec9b
- SHA256
  
  c4fe95d711086d4775dd36811da8884cb18bbaaae57c7d28d1f9ef6f5f1a155d
- SHA512
  
  87972a7522d73acd70d213a60315cf2e0431918a7b8e2a9843444144742a9d4e34e0c9dee5bcce967561c97b254062b2ca0dd47011ae3b45a17ef76232e1e560
- SSDEEP
  
  6144:JahOhp0yN90QEeJWO7f6vkpef83WTbrh:Jity90IWUf6vkQf7R
Score

10^/10

mercurialgrabber evasion persistence spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

mercurialgrabberevasionpersistencespywarestealer