mercurialgrabber | 98bb2f2e1e052cdc02ec4681bce66c95b72efb200d0c761e0e90e421d5887586

General

Target

03-08-2024_hYQnEY98kzONexB.rar
Size

380KB
Sample

240803-eznanatapl
MD5

1f07cc38bc38349203b8cdc78572abe0
SHA1

a91a541c697818bf3201a526919a20b72516fd24
SHA256

98bb2f2e1e052cdc02ec4681bce66c95b72efb200d0c761e0e90e421d5887586
SHA512

81e140821385223e8474c514c2f20aeb6f1ae2c8396d380472654c1caf65365b73bd5759b883d4d8ca4f77f932b72f466098777bcf7c66b93f70cc88204d6dc1
SSDEEP

6144:yOXp7CS/4nU/wbrSqU7ewpvik/9Sr2wbDnc68gl1BlXtSgykbex8OPeC:yO87nUIfSJdpqk/oTRtSRkaBz

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/887304484844339250/sTQt9knbeiUf2bJPMZ4uxOEZ2mFmxtbw1S3JZvhKpMU-hSQtSzNllJidmjM8oJmI2wpt

Targets

- Target
  
  03-08-2024_hYQnEY98kzONexB.rar
- Size
  
  380KB
- MD5
  
  1f07cc38bc38349203b8cdc78572abe0
- SHA1
  
  a91a541c697818bf3201a526919a20b72516fd24
- SHA256
  
  98bb2f2e1e052cdc02ec4681bce66c95b72efb200d0c761e0e90e421d5887586
- SHA512
  
  81e140821385223e8474c514c2f20aeb6f1ae2c8396d380472654c1caf65365b73bd5759b883d4d8ca4f77f932b72f466098777bcf7c66b93f70cc88204d6dc1
- SSDEEP
  
  6144:yOXp7CS/4nU/wbrSqU7ewpvik/9Sr2wbDnc68gl1BlXtSgykbex8OPeC:yO87nUIfSJdpqk/oTRtSRkaBz
Score

3^/10
behavioral1
- Target
  
  ValoTestAndProof_Shift_trigger/!TUTORIAL! - READ!.txt
- Size
  
  124B
- MD5
  
  1115056ad2840ef1196b9ffc8811eecc
- SHA1
  
  53e61fe4a3c9a48e2d19f46aa2d4dd6126b52546
- SHA256
  
  f29356f2135fdfb877dba3df4a89687ab44297fb14edeede3706dfa0abcda274
- SHA512
  
  d14feb453d827054797692362541508cc45b4f81598f3f23e612bb670b69441a9e3e6a64c601984e8c8c2dd830cf0f3e8023d59d597c328a7bd5a68e2cab2d1d
Score

3^/10
behavioral2
- Target
  
  ValoTestAndProof_Shift_trigger/RUN THIS.bat
- Size
  
  31B
- MD5
  
  e14e187f77a9609b03954baaec78914c
- SHA1
  
  e5f08e9a0c97d71ee0c4bfa2c4129611615e61ec
- SHA256
  
  49fe2a8d6e450608ab45236f3f787519a9c536f20b6cefe14463a264e22aa683
- SHA512
  
  765f27071ff2d4c688c758ac2196a5336b938e0ebac400582c50fcb3394b0d6e85cc0e8a5b912eda23429159a84ae94cb8a807a0f4c601e27cbfc3222d847422
Score

10^/10

mercurialgrabber credential_access discovery evasion stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral3
- Target
  
  ValoTestAndProof_Shift_trigger/config.ini
- Size
  
  70B
- MD5
  
  df8819a09789bb3030f99b30f1195222
- SHA1
  
  30bb6c8f3fb4aef1b1ec2d97655950e6e922bfa2
- SHA256
  
  ead204a989e2e6ec8d463bfb7e1e60b1cefac289641a405ad9b7a84686b0212b
- SHA512
  
  de40ed9cbfa4fa82eb8302fe4f47293c82ba5f14369a68ab07f3520bbce8e24e2be3a11b9e6a9ca40847d4fe7a8fd06e536f00b5ad86ba670a85d9197351442b
Score

3^/10
behavioral4
- Target
  
  ValoTestAndProof_Shift_trigger/files.exe
- Size
  
  403KB
- MD5
  
  027b8ba0a18fda179fff69627d272306
- SHA1
  
  63ceccd2e616ebe0bca0ec38ba2bd936adfc6d4d
- SHA256
  
  b069d5e6a936d6657115f9dd4a7d5ccdda2a900f15602b5dcb92518bc311578e
- SHA512
  
  4a2ef5b175fe187f565481b88b23f4c3cae17b785a2affca4fca6266491003c79160f0e6f9ad57ff95653ddf26ee4730218a53c3b043c9c399166cbf8b7b6826
- SSDEEP
  
  6144:985P82cN1cwpIfbkizrPNVbicAYnkhqkxe4Jo6vL4AXHydDSkhVqYsOJF/1+:98V8JpGQiPPacBnkhawoQni+YNJFw
Score

3^/10

discovery
behavioral5
- Target
  
  ValoTestAndProof_Shift_trigger/mapper.exe
- Size
  
  41KB
- MD5
  
  975e8aed42ef6368efd5a66204d4818a
- SHA1
  
  5d48ef440ba147a27dfa5236fcbf426a34a21e2a
- SHA256
  
  24e33a4716587fc8f330f77da68493f52b46311cf0e87681dd35e4ce6b912e51
- SHA512
  
  07ea3d9d56f897021858490da38ce84747e788c8c5a8b49e8d9c021e8b57a97a9d54efe851b06afc08bfc4687c374ad7d5d02baa94188ae3d0f13fd8727caee6
- SSDEEP
  
  768:TscG4ApfT6aGpDXswguZkeVWTjUHKZKfgm3Ehqt:IcKfnGEeVWTUF7EEt
Score

10^/10

mercurialgrabber credential_access evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral6