mercurialgrabber | 3290db58f3db7f35e89c8a10f721e10ba3bdae232318497fe37fb1e7c5acbe15 | Triage

Sharing

General

Target

fe55cf894784ec325b0c0449bcb6b525_JaffaCakes118
Size

107KB
Sample

240421-d6dt5aac51
MD5

fe55cf894784ec325b0c0449bcb6b525
SHA1

fa03b7b21fbe418dc8841512d276f65acc48c401
SHA256

3290db58f3db7f35e89c8a10f721e10ba3bdae232318497fe37fb1e7c5acbe15
SHA512

0a7d7f432b45af4fa9ccc17e868893d603dc01ca8d03088b664b5e3fe665a3086fa4cd6ae324d926a2ccc2bc52c08b8cb67802122f0a11e8e8758f91c13aaecc
SSDEEP

768:ascG4AjJsQjowMuZNe3WTjpKZKfgm3Ehje9NvHevA:5caJsQjHe3WT1F7Ede91He4

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/859817326106378260/FdIPTGyux9k4qvX2QueLFE1kWgoqtDDmMFKXs_LTJqu_iSFtwpmW30iDomDx1ePoFlmq

Targets

- Target
  
  fe55cf894784ec325b0c0449bcb6b525_JaffaCakes118
- Size
  
  107KB
- MD5
  
  fe55cf894784ec325b0c0449bcb6b525
- SHA1
  
  fa03b7b21fbe418dc8841512d276f65acc48c401
- SHA256
  
  3290db58f3db7f35e89c8a10f721e10ba3bdae232318497fe37fb1e7c5acbe15
- SHA512
  
  0a7d7f432b45af4fa9ccc17e868893d603dc01ca8d03088b664b5e3fe665a3086fa4cd6ae324d926a2ccc2bc52c08b8cb67802122f0a11e8e8758f91c13aaecc
- SSDEEP
  
  768:ascG4AjJsQjowMuZNe3WTjpKZKfgm3Ehje9NvHevA:5caJsQjHe3WT1F7Ede91He4
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer