mercurialgrabber | 1999aad890069c5b28c1860887a43197c4f0ad484b4717ebc4bfcc80a3331bb8 | Triage

Sharing

General

Target

1999aad890069c5b28c1860887a43197c4f0ad484b4717ebc4bfcc80a3331bb8
Size

18KB
Sample

240709-dkm6nstajj
MD5

fc8be081ed0b9b18d6511478b81e82ce
SHA1

452628a033c5223007adfda46ef6d046cb486724
SHA256

1999aad890069c5b28c1860887a43197c4f0ad484b4717ebc4bfcc80a3331bb8
SHA512

4a8ac960da5ae682c8f2ecacc4bb45e2042fa9a886ebc4504b330514851bfd49947a537c912fee5b947558da66b5fcf0901d88c80f4d7da21e888702e956eb44
SSDEEP

384:U8KlecraaRkgJcoWUZXo7ssMjruzAiUkt0wXJwd4EzrnwfGfQobcO:U5lDvRkSZXoQs4riZuoGd4uniQhX

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1257039082274422896/395iJabK3IVPpIWgS1k1UJ3FAnHY2lWIwRcLWCTN1yTDR63aYdeLgcVrc81Dut5tbfV4

Targets

- Target
  
  89962878a82a8cf7b81c966f184a2c0f68c2336f92f9c57a2044cfe40fd540da.exe
- Size
  
  42KB
- MD5
  
  320651227efe3d69b041615c8458c09f
- SHA1
  
  a225e89ce0461946eec30e44a84ac00258c53af5
- SHA256
  
  89962878a82a8cf7b81c966f184a2c0f68c2336f92f9c57a2044cfe40fd540da
- SHA512
  
  1c37c02f89bf6fea59afd53f39464c936cfce6702164fb1be25bdf3c0889e23510907b6ab2f30f1d599d141deabfc09f06a9c4e9b8b04819f1a65b06b47a2507
- SSDEEP
  
  768:2PSYBZ6aUz5pDtspuZVLnATjGKZKfgm3EhLD:w1Uz5PscLnATyF7EJD
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer