mercurialgrabber | 9869ded93a52372e8e5ad3e9378ee6248dd57d9cbd5ec38ac709b5e38b9f7d16 | Triage

Sharing

General

Target

f3c868afe1a58261340bf251d20211d8_JaffaCakes118
Size

55KB
Sample

240416-syjsqsdf33
MD5

f3c868afe1a58261340bf251d20211d8
SHA1

a8e1be0cb00b8e825d0232e3e7c2cbda8e0484f9
SHA256

9869ded93a52372e8e5ad3e9378ee6248dd57d9cbd5ec38ac709b5e38b9f7d16
SHA512

a06669e4da2870c341e8701d790e80be177b2fc4062a9d2a81863dae3135e73e550a83acc00d1ae889f5795b146d5a4223181e756d9e560f72ee0ec9c19534dc
SSDEEP

768:5B3CApzob/YTwTjYFdGf0WBREhdz0PzzAX:fLNa/Y8TUUnEUPzE

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/875430018560442368/MavU76NAbE8srbsu3sdD1pvTY4Bu5Owj9FB7cxvFbCZpaeNLeoQyo_OCWVfgBexfZb8W

Targets

- Target
  
  f3c868afe1a58261340bf251d20211d8_JaffaCakes118
- Size
  
  55KB
- MD5
  
  f3c868afe1a58261340bf251d20211d8
- SHA1
  
  a8e1be0cb00b8e825d0232e3e7c2cbda8e0484f9
- SHA256
  
  9869ded93a52372e8e5ad3e9378ee6248dd57d9cbd5ec38ac709b5e38b9f7d16
- SHA512
  
  a06669e4da2870c341e8701d790e80be177b2fc4062a9d2a81863dae3135e73e550a83acc00d1ae889f5795b146d5a4223181e756d9e560f72ee0ec9c19534dc
- SSDEEP
  
  768:5B3CApzob/YTwTjYFdGf0WBREhdz0PzzAX:fLNa/Y8TUUnEUPzE
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer