Analysis

  • max time kernel
    38s
  • max time network
    38s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-04-2024 03:38

General

  • Target

    https://github.com/MercurialGrabberOFFICIAL/MercurialGrabber

Malware Config

Extracted

  • Family
    mercurialgrabber
  • C2
    https://discord.com/api/webhooks/937258876372398091/oQgM-Gsrv95ORa0sgWpCF7TeceXEUjNwGNponYC65bsDPrjw8ue7j5oAfL57YPbFfSyz

Signatures

  • Mercurial Grabber Stealer
    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  • Looks up external IP address via web service (4 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Maps connected drives based on registry (3 TTPs, 4 IoCs)
    Disk information is often read in order to detect sandboxing environments.
  • Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Checks processor information in registry (2 TTPs, 4 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 11 IoCs)
  • Modifies data under HKEY_USERS (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (34 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 988)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/MercurialGrabberOFFICIAL/MercurialGrabber
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1844)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82735ab58,0x7ff82735ab68,0x7ff82735ab78
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2936)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:2
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 972)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5076)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1792)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:1
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3688)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:1
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4724)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1172)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3768)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2288)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2812)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3056)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
      Signatures: NTFS ADS
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 744)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4800 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1876)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 --field-trial-handle=1840,i,1518489667421410402,15226044380140508379,131072 /prefetch:8
    • C:\Users\Admin\Downloads\Mercurial.exe (PID 5116)
      "C:\Users\Admin\Downloads\Mercurial.exe"
      Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Executes dropped EXE; Maps connected drives based on registry; Checks SCSI registry key(s); Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 2628)
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  • C:\Windows\System32\rundll32.exe (PID 1108)
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
  • C:\Users\Admin\Downloads\Mercurial.exe (PID 4684)
    "C:\Users\Admin\Downloads\Mercurial.exe"
    Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Executes dropped EXE; Maps connected drives based on registry; Checks SCSI registry key(s); Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               Technique                        ID          Signatures
  Defense Evasion      Virtualization/Sandbox Evasion   T1497       2
  Credential Access    Unsecured Credentials            T1552       1
  Credential Access    Credentials In Files             T1552.001   1
  Discovery            Query Registry                   T1012       7
  Discovery            Virtualization/Sandbox Evasion   T1497       2
  Discovery            System Information Discovery     T1082       5
  Discovery            Peripheral Device Discovery      T1120       2
  Collection           Data from Local System           T1005       1
  Command and Control  Web Service                      T1102       1


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index (2KB)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports (2B)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity (1KB)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity (1KB)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (6KB)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (6KB)
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State (130KB)
  • C:\Users\Admin\Downloads\Mercurial.exe (146KB)
  • C:\Users\Admin\Downloads\Mercurial.exe:Zone.Identifier (26B)
  • \??\pipe\crashpad_988_AIMDOAKPABOQTPAU
  • memory/5116-240-0x00007FF812970000-0x00007FF813432000-memory.dmp (10.8MB)
  • memory/5116-241-0x000000001AF30000-0x000000001AF40000-memory.dmp (64KB)
  • memory/5116-245-0x00007FF812970000-0x00007FF813432000-memory.dmp (10.8MB)
  • memory/5116-239-0x00000000002E0000-0x000000000030A000-memory.dmp (168KB)