mercurialgrabber | 3f0413b1ea37124538374b6243b7e15a14c1a1ffe8d5d3894af6b2fd46329d56 | Triage

Submit
Reports

Overview

overview

Static

static

Exodus.exe

windows10-1703-x64

Sharing

General

Target

Exodus.rar
Size

17KB
Sample

240805-vf3h8swdpd
MD5

6f99127df1e37bbb81ec33ce8193c348
SHA1

2f0751dcb06494d9486f5eb5de35112b5bf04198
SHA256

3f0413b1ea37124538374b6243b7e15a14c1a1ffe8d5d3894af6b2fd46329d56
SHA512

17477f999c3c399d0a290db2a34e3bf9a6d407b2c44b2ab1e3f1d69bad898e066a10715450ec200ae3d54a71463f12fa88c6ba22831a137677087dc4a0603376
SSDEEP

384:4lhP9fAhpijxjYyodVQkj/LepkxYhpGAFSSzlN0cw+P23Yfn7RCz/wKSq8g:4nP9fAbAjYBapk+/G0SSRzwUkYf7YjwC

Score

10^/10

mercurialgrabber discovery evasion stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

Exodus.exe

Resource

win10-20240404-en

mercurialgrabber discovery evasion stealer

windows10-1703-x64

16 signatures

1800 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1270062393690689627/niIrEsktA3H6aMswKaDjRYhFO5PRSTQxgOiR-qbgiAtQ1pmjckiMwflpFojTjMaPduhi

https://discord.com/api/webhooks/1268907786306322535/8vxUjZTvXYwCEl6UAC5vC5hTn_9ziV3cLHZrWK2FoIzHaIBUDkq8IvytioecE79oyZff

Targets

- Target
  
  Exodus.exe
- Size
  
  42KB
- MD5
  
  865e8e8e7ba1a140fc8c771e328ff9a7
- SHA1
  
  c900d82aad37e5f70f367216dc4cf8c8a039221c
- SHA256
  
  57045a88eb427b584350171792e348d1daedd7970b3e46ac8b3c9e035c2208ca
- SHA512
  
  89902b3aa63d7bbf8431fd92a9bbf2595089c8405d20e3f75157fbe7edefb7b4272fbee7061c0ca29e87fd2a6ff56717932ba1fc90d151410fa4f62bdf83c72f
- SSDEEP
  
  768:XYgu8ZBZ6aZpDts3uZHLVgXTjKKZKfgm3Eh1k:XuQ1ZPsULVgXTeF7Ejk
Score

10^/10

mercurialgrabber discovery evasion stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberdiscoveryevasionstealer

© 2018-2025

Terms | Privacy