mercurialgrabber | 35240b3624b0304d9a7408555ada094a60c648f19ab1eeb5914cf0c3223c12f2

General

Target

G3tTr0ll3ed.zip
Size

3.9MB
Sample

240703-ymxs4svglr
MD5

aa60b96612aa932717a3ca1137675d25
SHA1

fc4f3cce301a8550f6bc77e096f1272d0fd464c5
SHA256

35240b3624b0304d9a7408555ada094a60c648f19ab1eeb5914cf0c3223c12f2
SHA512

0726789c8bc727cbaf4e47c76ddcfc6251524e17def681ffab375d629d0d61dba625f00676be9c3536c218349480bf1102be261d538dbe9ba593df16ed5c09fc
SSDEEP

98304:oqj9BCBYcT7FBlp6knQz99OJmORUviyWMuH7GRncI8PeQwrK7co:op7T7pQz9kQOu/buHyRCxwrKIo

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

Targets

- Target
  
  G3tTr0l1ed.exe
- Size
  
  42KB
- MD5
  
  7845d9b1597af943b084f869ef52fac3
- SHA1
  
  055259b6ca9d91734a0ebbfc574f3686386815a7
- SHA256
  
  89a60ad154c81cc9a364fece0eed420720cfdd5bf1f8127c768b7af6f66d94bf
- SHA512
  
  9ca514034f5eee1570b9a3fde3a81802d366a7e6b691249b4c156fc7f1f9b6612c140265b746284c98d92c4eaf69944ce90901ecb855b527505d93cdce82c272
- SSDEEP
  
  768:FcNCbujieQ5EMf4LB//4MvuZ7LerTj8KZKfgm3Eh3Z:26E04L9DULerToF7E5Z
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2
- Target
  
  g3ttroll1ed.exe
- Size
  
  4.5MB
- MD5
  
  33241a3aadf06404014353cfe3a47bac
- SHA1
  
  a0bcbb2e7fde364d8f997b95303cd0c3b2e6b9fb
- SHA256
  
  05e06e0f9ea0b245aff5f7aadeb69cce15e162effd29b4eec21bac3418ed414b
- SHA512
  
  38e72ba8a3876b6d02606183ef671a566a1ce17f4d4923a4ca8a785b60b7240a0c7e29622dea05d3df176ef316a2712a59eba11d37234b4c34aab64dc98c773d
- SSDEEP
  
  98304:/Qf3s64R9ybzUcwti78OqJ7TPBF3ZlHHgkWJ0P39qXSaDv:OzUcwti7TQlF3ZxxWJSUnDv
Score

9^/10

spyware stealer upx
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4