mercurialgrabber | 010ffe6edeb4185ae04edeb175e4b444e1487f83e34c740c1701d48024dfec76 | Triage

Resubmissions

30-04-2024 03:16

240430-dsrttsah74 10

30-04-2024 03:15

240430-dr9y1sbe7x 10

30-04-2024 03:07

240430-dmhzqsag52 10

Sharing

General

Target

cr2dit-c4rd GEN.exe
Size

41KB
Sample

240430-dsrttsah74
MD5

15934eee4dbef1cf6c12bb491b72463f
SHA1

c724d3623a838647a3ee7a2be0f8df99114fa41d
SHA256

010ffe6edeb4185ae04edeb175e4b444e1487f83e34c740c1701d48024dfec76
SHA512

6435922f72ec254e65ec3d5aa425d73f3c3f4a912adcdba7d5634651a930df9400f1c806c0a08dc261fd27898586c6c4cb1d662419ee97d1cc5c6e0b3ef31c1b
SSDEEP

768:bscWsQ0bYc+TSw1uZTesWTjRKZKfgm3Ehw3:AcP2TyesWT9F7E23

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1234693959406845993/tVvvFEz0YwsdI1M-DdEdiDwgcwcdEQVWb92B8DRbOAnqE2ESEyZqYAlxS_PTQgBiMdxN

Targets

- Target
  
  cr2dit-c4rd GEN.exe
- Size
  
  41KB
- MD5
  
  15934eee4dbef1cf6c12bb491b72463f
- SHA1
  
  c724d3623a838647a3ee7a2be0f8df99114fa41d
- SHA256
  
  010ffe6edeb4185ae04edeb175e4b444e1487f83e34c740c1701d48024dfec76
- SHA512
  
  6435922f72ec254e65ec3d5aa425d73f3c3f4a912adcdba7d5634651a930df9400f1c806c0a08dc261fd27898586c6c4cb1d662419ee97d1cc5c6e0b3ef31c1b
- SSDEEP
  
  768:bscWsQ0bYc+TSw1uZTesWTjRKZKfgm3Ehw3:AcP2TyesWT9F7E23
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer