mercurialgrabber | 8687c478dfa4c98ff859800174c5d53f8fb7d57669e520d7b94c7898bbddd2e9

General

Target

discord old account genrator.exe
Size

814KB
Sample

240717-c4sptsscml
MD5

a7885d5a280d874597fa46ce44150902
SHA1

f9e5676fffb7ed9712edea377001f8afe873fcbd
SHA256

8687c478dfa4c98ff859800174c5d53f8fb7d57669e520d7b94c7898bbddd2e9
SHA512

3032a182c8579d370d7b05b264d7b583096278ae20ac9c9c81fbc87e3309a931f56d9601464ffac5ee85d20e4c117e76540c5ba076580cfd6cd2d238a6fc776d
SSDEEP

12288:JMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9kimj:JnsJ39LyjbJkQFMhmC+6GD96

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/917748860682657832/sSsKt4ikHoi9zkepKqNjrrQK503_MnWsxInF6XnFlC2W3mmbZI320rx6s-R3dnG3i8W3

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  discord old account genrator.exe
- Size
  
  814KB
- MD5
  
  a7885d5a280d874597fa46ce44150902
- SHA1
  
  f9e5676fffb7ed9712edea377001f8afe873fcbd
- SHA256
  
  8687c478dfa4c98ff859800174c5d53f8fb7d57669e520d7b94c7898bbddd2e9
- SHA512
  
  3032a182c8579d370d7b05b264d7b583096278ae20ac9c9c81fbc87e3309a931f56d9601464ffac5ee85d20e4c117e76540c5ba076580cfd6cd2d238a6fc776d
- SSDEEP
  
  12288:JMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9kimj:JnsJ39LyjbJkQFMhmC+6GD96
Score

10^/10

mercurialgrabber xred backdoor discovery evasion persistence spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1