mercurialgrabber | 9ce1963269efaa3e64273e20c04c215dfe781044813336fa1bdd5fe126345458 | Triage

Sharing

General

Target

e4e2e0cccdc2ca304ad23def23972dbd_JaffaCakes118
Size

190KB
Sample

240407-n9vxxscd2w
MD5

e4e2e0cccdc2ca304ad23def23972dbd
SHA1

7947026fd18ddfb46ee30d6765c1bc81d6846b2c
SHA256

9ce1963269efaa3e64273e20c04c215dfe781044813336fa1bdd5fe126345458
SHA512

61a53b39abd64ccf3fcb875786bf5005ff334a5bf17c940c80f8998c804bf3bd544df127c053a27faa602cbf11be39e85ab3babbfef3c0ab37733e79676ca8a0
SSDEEP

3072:epcG95wMLXTNF7EwYWO33VrhwkHYDKkzQ9RY6N0QuvkXdRx3uXpGj0qwQGizQQz:epcG95wM7I3v0Kkc9RXdDUXU4qwyzQuk

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/877488114191466546/FUrNh0PeCyjW3Yr_BJdodg7lzmuSvDjTsy_PMxpPmuinCJuw1BpCnGLb-rAPNYxQ9EIb

Targets

- Target
  
  e4e2e0cccdc2ca304ad23def23972dbd_JaffaCakes118
- Size
  
  190KB
- MD5
  
  e4e2e0cccdc2ca304ad23def23972dbd
- SHA1
  
  7947026fd18ddfb46ee30d6765c1bc81d6846b2c
- SHA256
  
  9ce1963269efaa3e64273e20c04c215dfe781044813336fa1bdd5fe126345458
- SHA512
  
  61a53b39abd64ccf3fcb875786bf5005ff334a5bf17c940c80f8998c804bf3bd544df127c053a27faa602cbf11be39e85ab3babbfef3c0ab37733e79676ca8a0
- SSDEEP
  
  3072:epcG95wMLXTNF7EwYWO33VrhwkHYDKkzQ9RY6N0QuvkXdRx3uXpGj0qwQGizQQz:epcG95wM7I3v0Kkc9RXdDUXU4qwyzQuk
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer