mercurialgrabber | b92d39374c86c0135588db4235c81b05a9cee3b88259dad7ac10f28b123d1bc4

General

Target

ef89bb0912038ab4108340333a105bca_JaffaCakes118
Size

78KB
Sample

240414-z72s8sgf71
MD5

ef89bb0912038ab4108340333a105bca
SHA1

d5eb7d497cc4ea9f0dba15fee376a28d101304d8
SHA256

b92d39374c86c0135588db4235c81b05a9cee3b88259dad7ac10f28b123d1bc4
SHA512

792171dc89b86eabfc9a95715b6bd6d76a788028278389a53b69b5f940c62c9023701ee1726d5e53348aad498b2d11c94234308fe295cfb496163dca3df5a4f5
SSDEEP

1536:cx/HnJJtHXOQt36oxjm7WpdqlU61so/n+psr+iDi1/G7wnzht:cRnDtHX1t36o9m7WS+Ry5c1/Vf

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/872698419091738624/m321s3sLcbS6FbbL7KT4iYrxQ8p5lrY815kdaD2WF9MdsAppImTok3mh5EPsVBKnEiWz

Targets

- Target
  
  ef89bb0912038ab4108340333a105bca_JaffaCakes118
- Size
  
  78KB
- MD5
  
  ef89bb0912038ab4108340333a105bca
- SHA1
  
  d5eb7d497cc4ea9f0dba15fee376a28d101304d8
- SHA256
  
  b92d39374c86c0135588db4235c81b05a9cee3b88259dad7ac10f28b123d1bc4
- SHA512
  
  792171dc89b86eabfc9a95715b6bd6d76a788028278389a53b69b5f940c62c9023701ee1726d5e53348aad498b2d11c94234308fe295cfb496163dca3df5a4f5
- SSDEEP
  
  1536:cx/HnJJtHXOQt36oxjm7WpdqlU61so/n+psr+iDi1/G7wnzht:cRnDtHX1t36o9m7WS+Ry5c1/Vf
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2