mercurialgrabber | 77da925157321355fa400b6727269a53fe4bc5c9b269b9a1a1c153656dfb6652

General

Target

Screenshot_10.png
Size

273KB
Sample

240901-vsd2eaxdrc
MD5

ecf6ec480feb44034bc99d60f7723eef
SHA1

bc58ff0d4ea455b944b2615078076dfd3113d2d0
SHA256

77da925157321355fa400b6727269a53fe4bc5c9b269b9a1a1c153656dfb6652
SHA512

7bc8ff3da9421cb4422473012295670f2e3d099f23fb7a40028e29317906b7a8b62f3b75d2697b53e7557d8a3c3b2716048db7a5737a2c44cbd6a69f182dd938
SSDEEP

6144:S3KQgHeQmCNUvJZ5J5zdU0+zNLIPZSx6n4COvKYD0u:RQg+QDNSj5zdmwSk454u

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1279845453336412260/A8ZEV41SqZhlDM114ONplW6YO3ItmaeJxvYHi-I4t5Fx0r_sBuCyg8RH2hoVGdxkr27c

Targets

- Target
  
  Screenshot_10.png
- Size
  
  273KB
- MD5
  
  ecf6ec480feb44034bc99d60f7723eef
- SHA1
  
  bc58ff0d4ea455b944b2615078076dfd3113d2d0
- SHA256
  
  77da925157321355fa400b6727269a53fe4bc5c9b269b9a1a1c153656dfb6652
- SHA512
  
  7bc8ff3da9421cb4422473012295670f2e3d099f23fb7a40028e29317906b7a8b62f3b75d2697b53e7557d8a3c3b2716048db7a5737a2c44cbd6a69f182dd938
- SSDEEP
  
  6144:S3KQgHeQmCNUvJZ5J5zdU0+zNLIPZSx6n4COvKYD0u:RQg+QDNSj5zdmwSk454u
Score

10^/10

mercurialgrabber defense_evasion discovery evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1