blankgrabber | d8c805fbe9ba0aede2a35e5e9708051ec2b8bfd90071e1774a1ba130fc7420b3

General

Target

Grabbers-Deobfuscator-main.zip
Size

46.9MB
Sample

240603-zcw99sgf61
MD5

491446e826dfa51dd1e56055f9c5d972
SHA1

0085b609574335287dddcd22b20d002d35c51681
SHA256

d8c805fbe9ba0aede2a35e5e9708051ec2b8bfd90071e1774a1ba130fc7420b3
SHA512

7b7b87a4f3b4ecfa0f725e6d5c133ce9a9f41080716b02547bf1f9deb2e4d89ebd29c92ed4114834a5d7e8d569d19f229a059345b9dbff347e05416d05318fc8
SSDEEP

786432:CS5IlXgR4GoYxa7MVe1K6AR25no6e1+HU8uGnDhOLhDR1d010MjNlnnSUWqcXIIs:C9PYDGC6e1+08pt+vg0innSUbcXBAJXJ

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/874479611625472100/cnLO5gQA8vExY3GTjB4PHbeKAOSiS7ee_jCQ-3difjF60BDYekGj1Te2uvP2Jf8hwVuP

Targets

- Target
  
  Grabbers-Deobfuscator-main.zip
- Size
  
  46.9MB
- MD5
  
  491446e826dfa51dd1e56055f9c5d972
- SHA1
  
  0085b609574335287dddcd22b20d002d35c51681
- SHA256
  
  d8c805fbe9ba0aede2a35e5e9708051ec2b8bfd90071e1774a1ba130fc7420b3
- SHA512
  
  7b7b87a4f3b4ecfa0f725e6d5c133ce9a9f41080716b02547bf1f9deb2e4d89ebd29c92ed4114834a5d7e8d569d19f229a059345b9dbff347e05416d05318fc8
- SSDEEP
  
  786432:CS5IlXgR4GoYxa7MVe1K6AR25no6e1+HU8uGnDhOLhDR1d010MjNlnnSUWqcXIIs:C9PYDGC6e1+08pt+vg0innSUbcXBAJXJ
Score

10^/10

mercurialgrabber discovery evasion persistence spyware stealer upx
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1