mercurialgrabber | 09f0de084878957eed32dd67002c17a4d2a888e82bdb02de039605fee83e8f8f | Triage

Submit
Reports

Overview

overview

Static

static

b1faa78d47...18.exe

windows7-x64

b1faa78d47...18.exe

windows10-2004-x64

Sharing

General

Target

b1faa78d4779adbd4c7e4a9a428a1247_JaffaCakes118
Size

42KB
Sample

240404-hz8hdahf48
MD5

b1faa78d4779adbd4c7e4a9a428a1247
SHA1

9433c5982146e434604ae350cc9ecd7b4829d9a6
SHA256

09f0de084878957eed32dd67002c17a4d2a888e82bdb02de039605fee83e8f8f
SHA512

ea5dfea9689f08c90e4de03caf206acc80d379877e92f5e0bbbd84ad5d2af91002b9b1d8d011293167898be7f90af1ed3e9102dcfe2a27ddfe3fdc5f0d06d872
SSDEEP

768:+b62OgOpRTs+ZexuZXLs1TjYKZKfgm3Eh/K:QKpRTNZ5Ls1TkF7EJK

Score

10^/10

mercurialgrabber evasion spyware stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

b1faa78d4779adbd4c7e4a9a428a1247_JaffaCakes118.exe

Resource

win7-20240221-en

mercurialgrabber evasion spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

b1faa78d4779adbd4c7e4a9a428a1247_JaffaCakes118.exe

Resource

win10v2004-20231215-en

mercurialgrabber evasion spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/860972377819054132/xTrMhIPKDKBt7a1Z6CyGyp0AIKaeE4u5caYubO1zoqd2IyeZtC0WvY-t7Vmhhy36y2o-

Targets

- Target
  
  b1faa78d4779adbd4c7e4a9a428a1247_JaffaCakes118
- Size
  
  42KB
- MD5
  
  b1faa78d4779adbd4c7e4a9a428a1247
- SHA1
  
  9433c5982146e434604ae350cc9ecd7b4829d9a6
- SHA256
  
  09f0de084878957eed32dd67002c17a4d2a888e82bdb02de039605fee83e8f8f
- SHA512
  
  ea5dfea9689f08c90e4de03caf206acc80d379877e92f5e0bbbd84ad5d2af91002b9b1d8d011293167898be7f90af1ed3e9102dcfe2a27ddfe3fdc5f0d06d872
- SSDEEP
  
  768:+b62OgOpRTs+ZexuZXLs1TjYKZKfgm3Eh/K:QKpRTNZ5Ls1TkF7EJK
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer

© 2018-2024

Terms | Privacy