mercurialgrabber | 16aba810baa071d426b0765f066968b266fde7054deba36a2df5bb97d5b4f819 | Triage

Sharing

General

Target

ebf3317c9cb09a04a6c5059d6f0fb697_JaffaCakes118
Size

42KB
Sample

240410-zht24aba76
MD5

ebf3317c9cb09a04a6c5059d6f0fb697
SHA1

b53e1d8f1ee66ff0df116252187ea1ac290ee4c7
SHA256

16aba810baa071d426b0765f066968b266fde7054deba36a2df5bb97d5b4f819
SHA512

b55e580736b4d6397c4fa537722ecd7665c25befc72168e4fad724f7c8cdc3b63ce2997c3cca6740fd6b0fbe72e42e90c59faefafc91c8c9776428977c562caa
SSDEEP

768:cFgrjbl817gOdAkc1Z+ZWQuZ6LgMTjnKZKfgm3Eh8H:ohda1MZxLgMTDF7ESH

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/877789402624065586/b8QIEleoz1BDG2p0peTG3EF5VjH21SZLbIAFb_VW1tWj-zxVxW6GueyDHaPSnSxHFAsQ

Targets

- Target
  
  ebf3317c9cb09a04a6c5059d6f0fb697_JaffaCakes118
- Size
  
  42KB
- MD5
  
  ebf3317c9cb09a04a6c5059d6f0fb697
- SHA1
  
  b53e1d8f1ee66ff0df116252187ea1ac290ee4c7
- SHA256
  
  16aba810baa071d426b0765f066968b266fde7054deba36a2df5bb97d5b4f819
- SHA512
  
  b55e580736b4d6397c4fa537722ecd7665c25befc72168e4fad724f7c8cdc3b63ce2997c3cca6740fd6b0fbe72e42e90c59faefafc91c8c9776428977c562caa
- SSDEEP
  
  768:cFgrjbl817gOdAkc1Z+ZWQuZ6LgMTjnKZKfgm3Eh8H:ohda1MZxLgMTDF7ESH
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer