mercurialgrabber | 50d4d5c8a6b9fcd233e5aca2c59059d5b7633c80e58ba861d8152a153a148cfe | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Minecraft ...ck.exe

windows11-21h2-x64

Minecraft ...ck.exe

macos-10.15-amd64

4

Sharing

General

Target

Minecraft Realistic Shades Pack.exe
Size

44KB
Sample

240426-tkbewaga5v
MD5

362b364d57781b6af61ddf4972435997
SHA1

2f5a00603ea850c8a88d92ee034418c4e7314883
SHA256

50d4d5c8a6b9fcd233e5aca2c59059d5b7633c80e58ba861d8152a153a148cfe
SHA512

76fcaacbfc9277d22d9e9f9dff6b85ea0f62909ac7bd4dcb954afb2add2cc486a7f29bd101248eef8dfeb4d01beaba8192a77b71ce438d56475a2935d32571aa
SSDEEP

768:9mDdN/fLgOukGuZ/LABTjtKZKfgm3Eh0WoE:9mfzbrXLABTpF7EyWo

Score

10^/10

mercurialgrabber evasion macos stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

Minecraft Realistic Shades Pack.exe

Resource

win11-20240419-en

mercurialgrabber evasion stealer

windows11-21h2-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Minecraft Realistic Shades Pack.exe

Resource

macos-20240410-en

macos-10.15-amd64

1 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1233395385381163029/bXoPS24yb2gh1irnWpsJMeqnojon0l-lF59jmnwJ9_5Z523t93WbIlgepEqZGMU63aZu

Targets

- Target
  
  Minecraft Realistic Shades Pack.exe
- Size
  
  44KB
- MD5
  
  362b364d57781b6af61ddf4972435997
- SHA1
  
  2f5a00603ea850c8a88d92ee034418c4e7314883
- SHA256
  
  50d4d5c8a6b9fcd233e5aca2c59059d5b7633c80e58ba861d8152a153a148cfe
- SHA512
  
  76fcaacbfc9277d22d9e9f9dff6b85ea0f62909ac7bd4dcb954afb2add2cc486a7f29bd101248eef8dfeb4d01beaba8192a77b71ce438d56475a2935d32571aa
- SSDEEP
  
  768:9mDdN/fLgOukGuZ/LABTjtKZKfgm3Eh0WoE:9mfzbrXLABTpF7EyWo
Score

10^/10

mercurialgrabber evasion stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Resource Forking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionstealer

behavioral2

© 2018-2025

Terms | Privacy