mercurialgrabber | 5ff7ac25f43858d6962b49f8dce580db4983cdfcc4d635fbd6085c1c90432b44

General

Target

c9a892b05f775ddf569b745c6bd95a25_JaffaCakes118
Size

42KB
Sample

240829-z62rvasbjh
MD5

c9a892b05f775ddf569b745c6bd95a25
SHA1

ff709170c90d41ac2413d8a9fa7fbaa1b6e21a06
SHA256

5ff7ac25f43858d6962b49f8dce580db4983cdfcc4d635fbd6085c1c90432b44
SHA512

513cf5cd3cbea0d5f05774202f755b91432bcdfe093bf6814cdba87fc44c82df40747692483e1f455c37664a4d6f96556bc6f6af64cbcc21489fb70b56344b2d
SSDEEP

768:ALz3dxCGO1rtQ7YBluZaLYdTjRKZKfgm3Eh3R:Atxm1r1BVLYdTlF7ExR

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/894002578583597106/mzVkoxw2rfX5M9ZzRYptqhY9Dap8FNvXzNPbMvgAot4FJ0ykAN91BaWshRYDwajmPLcR

Targets

- Target
  
  c9a892b05f775ddf569b745c6bd95a25_JaffaCakes118
- Size
  
  42KB
- MD5
  
  c9a892b05f775ddf569b745c6bd95a25
- SHA1
  
  ff709170c90d41ac2413d8a9fa7fbaa1b6e21a06
- SHA256
  
  5ff7ac25f43858d6962b49f8dce580db4983cdfcc4d635fbd6085c1c90432b44
- SHA512
  
  513cf5cd3cbea0d5f05774202f755b91432bcdfe093bf6814cdba87fc44c82df40747692483e1f455c37664a4d6f96556bc6f6af64cbcc21489fb70b56344b2d
- SSDEEP
  
  768:ALz3dxCGO1rtQ7YBluZaLYdTjRKZKfgm3Eh3R:Atxm1r1BVLYdTlF7ExR
Score

10^/10

mercurialgrabber evasion spyware stealer credential_access
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2