mercurialgrabber | d7f4ceb2e023f51d23cafa4a30da811f3abb864d6c938a36f9326f4c16cac7f3 | Triage

Sharing

General

Target

d7f4ceb2e023f51d23cafa4a30da811f3abb864d6c938a36f9326f4c16cac7f3
Size

108KB
Sample

240713-bj1dhaygkn
MD5

1d57d1eca8ab1bf9fce8c2acdf4ea3e1
SHA1

04c9de89db5b5054d7ce32a908b7f0755222b5f8
SHA256

d7f4ceb2e023f51d23cafa4a30da811f3abb864d6c938a36f9326f4c16cac7f3
SHA512

ca56337c05a835fe663e03acce20e4effbb0f19752781009ba6d22afd0e01c38a7afc49604b8d72188ac4b227f7063cd0a66a6c6578258c9528964fda1672b33
SSDEEP

768:v/WtmlL9ra82jeuZ7LPiTjjvKZKfgm3EhutCC2csDjnFBR/y:W8lL9rcbLPiT/vF7EctCVcsDjFBRq

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1261474088715681844/6ilYIvPPU2c2NVjM7RrEeVsbmo3iDhKyRwlRyw7Bxp1N4YDGJ0J-WRHDuY4sSd0hQSb6

Targets

- Target
  
  d7f4ceb2e023f51d23cafa4a30da811f3abb864d6c938a36f9326f4c16cac7f3
- Size
  
  108KB
- MD5
  
  1d57d1eca8ab1bf9fce8c2acdf4ea3e1
- SHA1
  
  04c9de89db5b5054d7ce32a908b7f0755222b5f8
- SHA256
  
  d7f4ceb2e023f51d23cafa4a30da811f3abb864d6c938a36f9326f4c16cac7f3
- SHA512
  
  ca56337c05a835fe663e03acce20e4effbb0f19752781009ba6d22afd0e01c38a7afc49604b8d72188ac4b227f7063cd0a66a6c6578258c9528964fda1672b33
- SSDEEP
  
  768:v/WtmlL9ra82jeuZ7LPiTjjvKZKfgm3EhutCC2csDjnFBR/y:W8lL9rcbLPiT/vF7EctCVcsDjFBRq
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer