General
Target: WEBQBbyJ
Size: 2KB
Sample: 240802-pnd8qawgrm
MD5: 96e7b818e9d42c61b20670d85427878b
SHA1: cdee94f733014b0c9a503a2b90d2ef41ffa83926
SHA256: 84f3e6aed1fdfb4e343deecdc5a06396c376b75a7766d00c2892270b9d2eba35
SHA512: aa0daf365baaf4864d53039ae78eda932f9f90e5cad4659e94b1aea7dbad2865a7fe65cdaa9065e8ce545a70f6920275bc7fcdf07d7f24ccdad502aabebd9dba

Static task: static1
Behavioral task: behavioral1
Sample: WEBQBbyJ.html
Resource: win10-20240611-en

Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1268907786306322535/8vxUjZTvXYwCEl6UAC5vC5hTn_9ziV3cLHZrWK2FoIzHaIBUDkq8IvytioecE79oyZff
Targets
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of Web Browser Credential store.
- Looks for VirtualBox Guest Additions in registry
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (9)
  System Information Discovery (8)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (2)