mercurialgrabber | 9be991e72ded580a61a4e57c32ddf7fa62959878414078edda71c1f2178672bf

General

Target

f5a8b8cfa0fdf5222c2d163c9b98e366_JaffaCakes118
Size

3.0MB
Sample

240417-nh6kcadb92
MD5

f5a8b8cfa0fdf5222c2d163c9b98e366
SHA1

292625e126bc1a74819220b803b48e3a08b7855b
SHA256

9be991e72ded580a61a4e57c32ddf7fa62959878414078edda71c1f2178672bf
SHA512

5e3ac3bed022c9d9d648713aa3732796b36b2e5b2e089857132bff20531a239495b6f8bd9162231fcb912ac1e2dd02e3abb7ecd4b613057cd184d3aa12a6099f
SSDEEP

49152:KesB9kvW2qx3FuhzaSCjPQov8OnqIt7jVRgUezC0lXWm5ZKZDfDAu:j/v45bj117RKU25Wm5M

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/877756692006318132/wv2tatnT6WHFx8av_Ka4KcRdwz19-L6h0TWkYupv-a0XGX1YUV09zIaN-ZZhgN-KbHhk

Targets

- Target
  
  f5a8b8cfa0fdf5222c2d163c9b98e366_JaffaCakes118
- Size
  
  3.0MB
- MD5
  
  f5a8b8cfa0fdf5222c2d163c9b98e366
- SHA1
  
  292625e126bc1a74819220b803b48e3a08b7855b
- SHA256
  
  9be991e72ded580a61a4e57c32ddf7fa62959878414078edda71c1f2178672bf
- SHA512
  
  5e3ac3bed022c9d9d648713aa3732796b36b2e5b2e089857132bff20531a239495b6f8bd9162231fcb912ac1e2dd02e3abb7ecd4b613057cd184d3aa12a6099f
- SSDEEP
  
  49152:KesB9kvW2qx3FuhzaSCjPQov8OnqIt7jVRgUezC0lXWm5ZKZDfDAu:j/v45bj117RKU25Wm5M
Score

10^/10

mercurialgrabber evasion spyware stealer themida trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2