mercurialgrabber | f54dd71bb0feb30a19123b93cc9ce60b3d6e603b9b5967c472b8cc35d9618c12 | Triage

Sharing

General

Target

d5481b1558c02cc5b27eea52074e0d08_JaffaCakes118
Size

58KB
Sample

240908-3e7qkatanc
MD5

d5481b1558c02cc5b27eea52074e0d08
SHA1

a1eff2bf50c1323a8beb7b0e60f39e14a81b224d
SHA256

f54dd71bb0feb30a19123b93cc9ce60b3d6e603b9b5967c472b8cc35d9618c12
SHA512

4aa8cb795cc3d3fce1905ef7e3ea6f497e9c5be9e4fce188aa385b31b003ae1f403cf84bd14385f86149f47551b68ef2668b322bd39197b978fe60df6b3828ec
SSDEEP

1536:kk/MJnS3kgqrYMLDdAg7w9fQ65aXPrB72nkW:/kJnS0gQX5J7w9fjafrBykW

Score

10^/10

mercurialgrabber credential_access discovery spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/888502856733294672/TOj_bSh6Zkm2K7SzTPO616Cabe61-suc7UYdT52jA3Da2mmB2WhCEsY9-w2h5G8rjsRY

Targets

- Target
  
  d5481b1558c02cc5b27eea52074e0d08_JaffaCakes118
- Size
  
  58KB
- MD5
  
  d5481b1558c02cc5b27eea52074e0d08
- SHA1
  
  a1eff2bf50c1323a8beb7b0e60f39e14a81b224d
- SHA256
  
  f54dd71bb0feb30a19123b93cc9ce60b3d6e603b9b5967c472b8cc35d9618c12
- SHA512
  
  4aa8cb795cc3d3fce1905ef7e3ea6f497e9c5be9e4fce188aa385b31b003ae1f403cf84bd14385f86149f47551b68ef2668b322bd39197b978fe60df6b3828ec
- SSDEEP
  
  1536:kk/MJnS3kgqrYMLDdAg7w9fQ65aXPrB72nkW:/kJnS0gQX5J7w9fjafrBykW
Score

10^/10

mercurialgrabber discovery spyware stealer credential_access
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

mercurialgrabberdiscoveryspywarestealer

behavioral2

mercurialgrabbercredential_accessdiscoveryspywarestealer