mercurialgrabber | 66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6

General

Target

ItroublveTSC.exe
Size

514KB
Sample

240831-avxw3svhrq
MD5

d8264e0921403244b0c29079bb732368
SHA1

d61b7c088ac4e118a6ac41fc4491961daa607773
SHA256

66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6
SHA512

da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed
SSDEEP

6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/899842638260338719/2a5S9S1gHhBIZB1ISPfnaBVgbTdkzaMWdmP_oGgFx14jtlvloXQRGQaYOY1Djoem1pL8

Extracted

Family

nanocore

Version

1.2.2.0

C2

176.168.5.0:2605

Mutex

d01924fe-4e8d-4b6f-850c-443e5741751a

Attributes

activate_away_mode
true
backup_connection_host
176.168.5.0
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-31T04:06:57.831335236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2605
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d01924fe-4e8d-4b6f-850c-443e5741751a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
176.168.5.0
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  ItroublveTSC.exe
- Size
  
  514KB
- MD5
  
  d8264e0921403244b0c29079bb732368
- SHA1
  
  d61b7c088ac4e118a6ac41fc4491961daa607773
- SHA256
  
  66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6
- SHA512
  
  da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed
- SSDEEP
  
  6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg
Score

10^/10

mercurialgrabber nanocore credential_access discovery evasion keylogger persistence spyware stealer trojan
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1