mercurialgrabber | c80787a356fa9f3b10141fc00097a954c9b950ab1211054ea6eeefa15e55b90c | Triage

Sharing

General

Target

136ce1f5f2299e4f8e3fb5e30dc0f149.bin
Size

18KB
Sample

240709-bdcp9axhnn
MD5

53a8e08889c7449d7b0f4268ce0c6fd1
SHA1

455c0f533904580358103773c0275a6bb787e268
SHA256

c80787a356fa9f3b10141fc00097a954c9b950ab1211054ea6eeefa15e55b90c
SHA512

d11bc0148b229f06ab96a706762573d36bd34be66e2f2c27ac78c0c60e9f6eb13ec4c7f545ab86ba98f777cc141ccd1f77f27c355a3eb7f8836e797712a046d6
SSDEEP

384:b6GG8qygI4NpI6mmBx8Qt75/mdWghU3s1eu/M8Q6mdPoc9w4l:tG8uIemmByc7tme8of8QJPx

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

Targets

- Target
  
  68f01e0d0f2bf1705c62ad8b94d4454d2646aced975b56e593c59a58e4b0ccca.exe
- Size
  
  41KB
- MD5
  
  136ce1f5f2299e4f8e3fb5e30dc0f149
- SHA1
  
  29460774476d4667f63a6abb5bcb29f603471589
- SHA256
  
  68f01e0d0f2bf1705c62ad8b94d4454d2646aced975b56e593c59a58e4b0ccca
- SHA512
  
  af5d31d017c155bb0043603de76a8a822a25d8a573d9bc87c549fd823c0ab33d42ede18dafb142cc6a3121441767075cd6d61c08cffa458fa91fd493b3cee4d9
- SSDEEP
  
  768:2scaIiIqfT6ajQdpDXsw7uZ7ejWTjvBKZKfgm3Ehzm:Vc1ofnI6ejWTbBF7EBm
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer