mercurialgrabber | 59f6bcfd71d0f09a1c44989694f9b66f224b95eac5fd2f35272d2aafcc92ef11 | Triage

Sharing

General

Target

8f24cb17da2bd9c0ee5c30b88a08d0bc_JaffaCakes118
Size

41KB
Sample

241104-e1cwbatdjd
MD5

8f24cb17da2bd9c0ee5c30b88a08d0bc
SHA1

16998b38687809e872142334ebca11b5f720ded1
SHA256

59f6bcfd71d0f09a1c44989694f9b66f224b95eac5fd2f35272d2aafcc92ef11
SHA512

66b6fc2245d172bb1d8a2df38e9101f3a6f786a73766b7d16450e1df02da9dfeb26243918814cd7faabe5ee70329e9f7e060022e6dce946bd8195797c4e9b26e
SSDEEP

768:oscG4A9NpBztwCuZqekWTj5KZKfgm3Ehj8:vcuBzekWT1F7El8

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/892439702202904606/AkG1dFoKBsXxM-qiwX0_1pqQPE23IlyKGPSIA9cWJXzvL1BhF9ffClKX5bHZ9L5WOq90

Targets

- Target
  
  8f24cb17da2bd9c0ee5c30b88a08d0bc_JaffaCakes118
- Size
  
  41KB
- MD5
  
  8f24cb17da2bd9c0ee5c30b88a08d0bc
- SHA1
  
  16998b38687809e872142334ebca11b5f720ded1
- SHA256
  
  59f6bcfd71d0f09a1c44989694f9b66f224b95eac5fd2f35272d2aafcc92ef11
- SHA512
  
  66b6fc2245d172bb1d8a2df38e9101f3a6f786a73766b7d16450e1df02da9dfeb26243918814cd7faabe5ee70329e9f7e060022e6dce946bd8195797c4e9b26e
- SSDEEP
  
  768:oscG4A9NpBztwCuZqekWTj5KZKfgm3Ehj8:vcuBzekWT1F7El8
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer