mercurialgrabber | 9ee7472a507976b837fa9b21959b942b1a488f28a6746f0540b6936b938c16d9

General

Target

Hydrogen_Executor_V3.exe
Size

190KB
Sample

240512-ywfaeshb94
MD5

1399f90b10f8ba4e8894844b637c3674
SHA1

c4b55243750434a4ffc5e654c9301bed89c53a9b
SHA256

9ee7472a507976b837fa9b21959b942b1a488f28a6746f0540b6936b938c16d9
SHA512

729f4e45ac49780c79569e577c2b6c9e76908dcf6c66b7b35aae5e9055ec3242387510dbae671617e9c56dc5fab68220061a7466e12eeccc4ad41ed9d0b4a068
SSDEEP

1536:cc1ZubZumexWTkF7ELjxNYK/HqJLG+Pr:R1ZubfecTkF7EHrfqPr

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1239296125064974418/PUgXB5FXV6rG9VgXFqZRFI0mCViixOJ8UuqFBuJflxFjy8K_1Bnlcsm6oiqDYfXj8zlI

Targets

- Target
  
  Hydrogen_Executor_V3.exe
- Size
  
  190KB
- MD5
  
  1399f90b10f8ba4e8894844b637c3674
- SHA1
  
  c4b55243750434a4ffc5e654c9301bed89c53a9b
- SHA256
  
  9ee7472a507976b837fa9b21959b942b1a488f28a6746f0540b6936b938c16d9
- SHA512
  
  729f4e45ac49780c79569e577c2b6c9e76908dcf6c66b7b35aae5e9055ec3242387510dbae671617e9c56dc5fab68220061a7466e12eeccc4ad41ed9d0b4a068
- SSDEEP
  
  1536:cc1ZubZumexWTkF7ELjxNYK/HqJLG+Pr:R1ZubfecTkF7EHrfqPr
Score

10^/10

mercurialgrabber discovery evasion persistence spyware stealer trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
  evasion
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1