mercurialgrabber | 2b4973b609c72e3b6cb5a2aec425b3a70d937b42d9e3a443a4ce956384f29154

General

Target

akrien315727800.rar
Size

4.9MB
Sample

240704-ktgtksshqq
MD5

3c8b08e4ff2d56c08639764b951b553e
SHA1

41b2315ba593d39165c85ca6b96cbbfa625dc3c1
SHA256

2b4973b609c72e3b6cb5a2aec425b3a70d937b42d9e3a443a4ce956384f29154
SHA512

367ea82445d58dc69fc905208ddde7ba1bcb8a86f869bcdaa1a34154f545dc9f94e94ea466dbe36f17322cd3a01c96d26a7f7f07d712ce3a816a3785fbc96e58
SSDEEP

98304:McjZl79Nrp1Za8y0N5IbPIoym+UZZ+Vi+MyqwdmI8tNb7bZFHr+8suS:lo0IsocUZZOi+Mav8TdF+ruS

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/903016099652714568/4LAokuhDJs5h0vO5CXmMK0YYuFKTGnU4CjbaT5KQ7MbcniuaxcFR9w9xhFWgtXEZyg2U

Targets

- Target
  
  TrayStatus.exe
- Size
  
  3.4MB
- MD5
  
  659ddd8e403cde0e6403d605829d0f3b
- SHA1
  
  c76efe026ba7761563b889d7ff5dc47f37ce8e89
- SHA256
  
  bf5d0e8f30d74f2b00fcd1c5ee90c800b81c9b371e162b884278518925daab84
- SHA512
  
  44eb56bd5bd77dc886d3cc8eda1e2c2b503d605766b2e72444141f3c48b691bbd2ee807b54242c9530f9b9cc17f2a413b69256b5f8302b9946efa0c77be72906
- SSDEEP
  
  24576:zSmQNUVspfgt3kkdz4xnZIRRhF4B/2xGUBd9XEln7PyxOHjKGEPQEGXdnExQ8h76:/8oxYB/2xDXynSOHjkoFXqy8yN+fF14
Score

1^/10
behavioral1 behavioral2
- Target
  
  akrien_315727800.exe
- Size
  
  3.5MB
- MD5
  
  887d3ac7ee69d7c63082f8871ab10959
- SHA1
  
  0235f732d4f08dae6354f648d1413acbdcda6b32
- SHA256
  
  4901acc3d2f993fb841c4e15e80dcc04f3ac1543f0758bc042fa57559a75e834
- SHA512
  
  881ec672a1991e659c327737667f83b9b127903b1bec19b47f83212fa364f68db49cc3ede06163f906951c96aa7869b786abece410abe669420b463a4c93ef24
- SSDEEP
  
  98304:LMSHC08rdkn//eESI+Y/nTkSgCwnz/yp/r:LzHC08qxSpQTk0Azy/r
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral3 behavioral4