mercurialgrabber | b2a3855a8c57a0da18fceb3f8f4a2bd0b0cd99eb4f5e03a04958c2b686a0ee56 | Triage

Sharing

General

Target

b2a3855a8c57a0da18fceb3f8f4a2bd0b0cd99eb4f5e03a04958c2b686a0ee56
Size

42KB
Sample

240926-sfl55swfqf
MD5

346d45ee0e81032982ef03a878a17f7a
SHA1

a307675816ed233a60688c430352009d1eaa9eec
SHA256

b2a3855a8c57a0da18fceb3f8f4a2bd0b0cd99eb4f5e03a04958c2b686a0ee56
SHA512

a09a6ef45cf85230333f6c4fa65ce316c2f3f6ac62330759c67172a12cac19b85f013627a1d90bd0f3d0d5224e163040791272a46acc6dbe8ab043bd7de8fcfd
SSDEEP

768:WscG4AGemmawGz3wNVuZ9e1WTjFKZKfgm3Ehyj:1cwBkLe1WTZF7Eoj

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/993564906408378378/1_VAxLm-UHuADVGRmwA2BzLPWZxl3iGgGfSabUOb2G1WXoF0MzGszMInJkvWHDHRR9Gf

Targets

- Target
  
  b2a3855a8c57a0da18fceb3f8f4a2bd0b0cd99eb4f5e03a04958c2b686a0ee56
- Size
  
  42KB
- MD5
  
  346d45ee0e81032982ef03a878a17f7a
- SHA1
  
  a307675816ed233a60688c430352009d1eaa9eec
- SHA256
  
  b2a3855a8c57a0da18fceb3f8f4a2bd0b0cd99eb4f5e03a04958c2b686a0ee56
- SHA512
  
  a09a6ef45cf85230333f6c4fa65ce316c2f3f6ac62330759c67172a12cac19b85f013627a1d90bd0f3d0d5224e163040791272a46acc6dbe8ab043bd7de8fcfd
- SSDEEP
  
  768:WscG4AGemmawGz3wNVuZ9e1WTjFKZKfgm3Ehyj:1cwBkLe1WTZF7Eoj
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer