mercurialgrabber | 33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb

Resubmissions

12-05-2024 18:09

240512-wrsnvahe71 10

12-05-2024 17:56

240512-wh2v6acb26 10

12-05-2024 17:50

240512-we2qzsbh82 10

Sharing

Copy URL

Twitter E-mail

General

Target

RGF-main.zip
Size

54KB
Sample

240512-wrsnvahe71
MD5

7bcc565dfb0ce789f9a984870a64414c
SHA1

7918e05800b7d02be5aa3670259709fde7f5c268
SHA256

33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb
SHA512

0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0
SSDEEP

768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6

Targets

- Target
  
  RGF-main.zip
- Size
  
  54KB
- MD5
  
  7bcc565dfb0ce789f9a984870a64414c
- SHA1
  
  7918e05800b7d02be5aa3670259709fde7f5c268
- SHA256
  
  33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb
- SHA512
  
  0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0
- SSDEEP
  
  768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr
Score

10^/10

mercurialgrabber evasion stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1
- Target
  
  RGF-main/Input.zip
- Size
  
  36KB
- MD5
  
  45102f2509fb9913e768c47a8a7700e5
- SHA1
  
  f853f5b887bba4aab056400fc4cfa09aa77dae26
- SHA256
  
  f1db00cc9a4d36920d6d360187e36f96e649ed9e8543e3941773b3c5df4bf9a6
- SHA512
  
  e2571fa2085b34ab28b5a75908222c3c00b6a398349bde0aaf52d5f5fc66f03a9e010ca7be72bced5eff00a050a5fc02e78abeb748df0ecd8e48f798fd72a66a
- SSDEEP
  
  768:0CER7pNX8nL9XhVCbS3O7hCPWLp7BKgRfIa700K/2x6qKEEa6:5ER7jMnxXhwbS3iKWLp7BTeilEa6
Score

1^/10
behavioral2
- Target
  
  RoBrute-master/LICENSE
- Size
  
  34KB
- MD5
  
  1ebbd3e34237af26da5dc08a4e440464
- SHA1
  
  31a3d460bb3c7d98845187c716a30db81c44b615
- SHA256
  
  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
- SHA512
  
  d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686
- SSDEEP
  
  768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum
Score

1^/10
behavioral3
- Target
  
  RoBrute-master/README.md
- Size
  
  109B
- MD5
  
  dc61560cdd468151c7fef791de909f86
- SHA1
  
  3da83b6867610344eaad4dccc9d3517556bbda65
- SHA256
  
  7d643c26f93104ed744e9661b98ff575f3efdd2081bf5bba3d0412bb4200acb4
- SHA512
  
  e2ce9365ad750bad9bd32631bcb42d84e1e1399c0066e0d1977e61543cf672df9be84671193a5d09839a15d736f2ddb91772f9a1e7726aa1f4bf6bb2d0c324e7
Score

3^/10
behavioral4
- Target
  
  RoBrute-master/RoBrute.py
- Size
  
  6KB
- MD5
  
  459ffbe4a551223287035714b6e274c2
- SHA1
  
  98151335d6fcf0630f03092fee504aa05563d2db
- SHA256
  
  418ab9d7b1c9ee04596bf868b74ba50f7105b3a150f6989d74d445f9810aaef9
- SHA512
  
  385d9317c7b823eef361ae294635697c07b1bf93d4d8d17da703911688f9b2b478532ff800c670507bf6269e7addbba7eb8f057357754e3565999d36af804cee
- SSDEEP
  
  192:aIzopckmTzso484ijEF3VvGK4F21p54wfFaep6D:aIkukwIijEF3VVs6htaepA
Score

3^/10
behavioral5
- Target
  
  RoBrute-master/mainLib.py
- Size
  
  481B
- MD5
  
  d605f4316cf7dd5b2f4d68e5534903a5
- SHA1
  
  1d9f87b0316cacdbc97c265a2005ceb9f04dd0e2
- SHA256
  
  930cac6585d68eef349b1db9e376c3c9cef6a764a51c6e19a55b3d23cbe4acbd
- SHA512
  
  384a3e39dad72d77fa8da085714b08ea8bddaa49c70df389febf9290c9ce09114646c417d31d6888437d237817b2eea67d183c7c65e5e985faa66a02b05a746b
Score

3^/10
behavioral6
- Target
  
  RoBrute-master/mainLib.pyc
- Size
  
  806B
- MD5
  
  a69353c0a05226a823732ff09def0462
- SHA1
  
  29d202a58960848f8a74c52cc5e0f28c239cbe1d
- SHA256
  
  14db2c7373b04e3767f4210e473906661b5251afceb5f9e445ab276f13b51a01
- SHA512
  
  b40d9ec41b4ef60d7d84400d4bcbcf11d0f469bd0365e84ff4a6b92f0dc71e12fd1f7ee4af5dd7d47dc2bd4548ecb1e75631a20829717f7ab5c46e80ed8cdfaa
Score

3^/10
behavioral7
- Target
  
  RoBrute-master/pass.lst
- Size
  
  83B
- MD5
  
  efb3936c5ce7f19cf68b03e5dab18dcb
- SHA1
  
  0982314f06d31e1fcecf94175d1f90e85a67a7df
- SHA256
  
  688d412436709a41b77ee0500cee157f4cc6b023c436a005e1f73e5fd5b4dfc1
- SHA512
  
  773c18edfe78c9fa5b8bfd9aea8dadf036e5f012905d5dc99e46aea181b843ee8fdd0e2ffc2fee54b50026cc50aead52b37c0d827d7334ebb3d1d5482e28843f
Score

3^/10
behavioral8
- Target
  
  RoBrute-master/proxy.yaml
- Size
  
  103B
- MD5
  
  232b7ad6ace65f83f66c840d8bed9ab1
- SHA1
  
  f94b2b8970f26ea9678fcfaa73abf606e6848052
- SHA256
  
  f1e9af216da7c7dec44e58e4af4a814f6be742ca4c8f18f0fbe06e1fbd33cc36
- SHA512
  
  68240f638da51862c556a2edfa79cbfabb071d724651341a804e14462845ad134c3a4c4bd82117dc6c00ee6525fb9bc2b25b7d2ed57a905643de63d1df0c94b9
Score

3^/10
behavioral9
- Target
  
  RoBrute-master/requirements.txt
- Size
  
  92B
- MD5
  
  b7fd4d83be560cecca09b49b32fb3448
- SHA1
  
  80b297c02ca2496e919797e7687b0245a4354a24
- SHA256
  
  5a5133343eb916a24603a35d4d4bff4aecec4012e0c6297ce5469930a081ad57
- SHA512
  
  867d4baa56724b46d30e7c7f328f4817cbbd70a9afdbbc9b48c94356978ea2cba2d0526a6aa4ab54874e56605735c811e1abb972d17bc5d5efaaa3b0d1abc715
Score

1^/10
behavioral10
- Target
  
  RoBrute-master/socks.py
- Size
  
  31KB
- MD5
  
  48785c4abab003e3567e381d81a4e3fe
- SHA1
  
  b78b23d63ac8d301e24e9a0f2c709f4d02abba87
- SHA256
  
  bc89e89dcd6a255af82c73cbd6cbbaaddba2aa83380188bbb8282aef40b0a11a
- SHA512
  
  52d7002548b3dc31ba4c355270577b92980c4a569dcad45c6af518da7355fcec0ace7c9ce5fabcf68dc04b2211d0d31a5cac1e7dc92a5017a1c3f1ed74cbb09a
- SSDEEP
  
  768:MTMqwGwX3Q/28zGh9czigrcQcJWN2hqoJRBLXo:M1rwXl8zGhCzig4QIWN0JRBjo
Score

3^/10
behavioral11
- Target
  
  RoBrute-master/socks.pyc
- Size
  
  26KB
- MD5
  
  c59597fcf54f22c79d319b129c33a62a
- SHA1
  
  316daa8cc82926af92ae9400c83c172681f427be
- SHA256
  
  245adcd5c71c12585d86e4cee0370781d99bd3ea8029e9869744028ed26bb7d5
- SHA512
  
  bf1b978029e2500ef16c4f201ef456324752f2dfc5e213153a861c990010518520e7e2d4b501deab30056302201537291ceff77312f5adae2d3845c8bce2a9c9
- SSDEEP
  
  768:x+TMqK0DoOgVH8zD5x50Y8a6RA516g0QsCh:k1DIVczDbXr6Ku4h
Score

3^/10
behavioral12
- Target
  
  RGF-main/RBF.exe
- Size
  
  41KB
- MD5
  
  09d12c328c88bfdfef9dcc0927dca671
- SHA1
  
  4f61a36bc05dbd9229b56db5ead4ea3d37e4308a
- SHA256
  
  64e772d1da472d9da1dde4d9b070c1d9acf98d9819ec04058a0161f020022e49
- SHA512
  
  4774119f1eb6f3f712fc29f7c7cceb31a67c62c01a6b7f09ccf17a85a4d78b3fed4f3a9532c353490f9058aae5db58d305a92a65a8e8039e7c123f48e73d1d51
- SSDEEP
  
  768:escGoAxWdPN+wauZLePWTjZKZKfgm3Ehpe:tcVdPN9ePWTVF7Ebe
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral13
- Target
  
  RGF-main/README.md
- Size
  
  1KB
- MD5
  
  ba7441cf8e6b64295991386b6a64a691
- SHA1
  
  a63205b8c8d61671fe18795cf221d69ebfebbccc
- SHA256
  
  0872676eb9a53148886bef0e90b21565c064dea7e8e629cdb5c22adb7ae0d465
- SHA512
  
  2b88805e2090fffddbafe8b5949e0d95b320e800748f935e2764771019e3972904d235602e3ce33bdc40a454d7b7147e532c5ee500516486372a737af718cdfe
Score

3^/10
behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Maps connected drives based on registry

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Maps connected drives based on registry

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14