mercurialgrabber | 6125f85c79a7de2a11ff6983f4a6d5099671adf5e934d8671d7bc513967dcc18 | Triage

Sharing

General

Target

46e6c436a041deab1d6bcdc4c424cc63_JaffaCakes118
Size

42KB
Sample

240714-wkjscs1drj
MD5

46e6c436a041deab1d6bcdc4c424cc63
SHA1

83bcb9874c19f6e49be2adc727a397c4b32de5e5
SHA256

6125f85c79a7de2a11ff6983f4a6d5099671adf5e934d8671d7bc513967dcc18
SHA512

de824ccf9467e0b28ad7553c4f115649438f4131ab5b3fa8acb9b09ec8a43c58317e80ed7f8ba0daee5c8989f48c2bdfd42987c75f41ae4f2d5e4297d95690df
SSDEEP

768:OnUlGNWkT1bCtYTHACuZHLLUpTjgQKZKfgm3EhRh:OnUEPBCtYTgjLLUpTMQF7Enh

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/893135694946508820/OHqgDevMX-a0Tnj9d-qoH0nsLrmD4ZymtC5GfUMN6XnkAEER1pMPeHvk5Q3hlNP3nyWR

Targets

- Target
  
  46e6c436a041deab1d6bcdc4c424cc63_JaffaCakes118
- Size
  
  42KB
- MD5
  
  46e6c436a041deab1d6bcdc4c424cc63
- SHA1
  
  83bcb9874c19f6e49be2adc727a397c4b32de5e5
- SHA256
  
  6125f85c79a7de2a11ff6983f4a6d5099671adf5e934d8671d7bc513967dcc18
- SHA512
  
  de824ccf9467e0b28ad7553c4f115649438f4131ab5b3fa8acb9b09ec8a43c58317e80ed7f8ba0daee5c8989f48c2bdfd42987c75f41ae4f2d5e4297d95690df
- SSDEEP
  
  768:OnUlGNWkT1bCtYTHACuZHLLUpTjgQKZKfgm3EhRh:OnUEPBCtYTgjLLUpTMQF7Enh
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer