mercurialgrabber | 36697dcacb24afaca501edc09d9ca2ce161abb9abf0b0c527b374125f2151580 | Triage

Sharing

General

Target

36697dcacb24afaca501edc09d9ca2ce161abb9abf0b0c527b374125f2151580
Size

18KB
Sample

240709-dkpz9svhle
MD5

ac1dd3e4aaac72b0262e0cb3e81fc130
SHA1

e8948cbafd0dd1e22347227d34703886c08ab51b
SHA256

36697dcacb24afaca501edc09d9ca2ce161abb9abf0b0c527b374125f2151580
SHA512

6cc2a6ac518386cba02679ae0b15995ae9801cabf7fc3e22d3712baa13217558066ae7084ecc8cf69fa99cb0abc602fae335b6923ec56f21dd2f119d6c5c78cb
SSDEEP

384:pCqZXqOwg0qoIbJtoASadLQRdDJgI8BilsZn4VJQ:pBdmqRoAzdaBJgzZ40

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/977976769548255272/WjivQonZRXcZP2_JHbnYGt-N9ZAhJY4ZvmzB8VRuMXHWezW7Oe1HFRaEtPt_IzCPISA6

Targets

- Target
  
  17de798cb189cb705b5fb50f420827ba90f18e34831dd8b84be013d5d339b01a.exe
- Size
  
  41KB
- MD5
  
  1689dffc1e73cdeb1d9a4e671412816e
- SHA1
  
  2b60c62d850db0c6f636eb40415883c9ce268fef
- SHA256
  
  17de798cb189cb705b5fb50f420827ba90f18e34831dd8b84be013d5d339b01a
- SHA512
  
  11877d9eeeea999092126d248da117a8709786d7ee17653363e25d65289379b7031e3656bf07734f515ca89e194f13c8dc1aa8dce8e83e5d4514a5e632ac056b
- SSDEEP
  
  768:IscGoA2e8bH5M/Bgw9uZzeHWTjfJCKZKfgm3Eh2K:Pc9e86oeHWTdCF7EMK
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer