General

  • Target

    Spoofer.exe

  • Size

    42KB

  • Sample

    241119-rvbghsxgqq

  • MD5

    a1baabfc69147abcad27edeb039b2c48

  • SHA1

    4b7ecee83d1f878e80c42d48b8e3526199017621

  • SHA256

    eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f

  • SHA512

    1a424b500dd64af5cb4527fdc6136be3687db6d88222859744e2495edd6670efdb826761515bd2fd67263eee2c8033026ed888ce8e9f7097e515c7b35ec99a3d

  • SSDEEP

    768:eaRlnERMjPsRNGAuZNLJpTjEKZKfgm3EhFe:eRMTsjGnLJpToF7Ene

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308437525995458580/tUCFfkyMze1B-I4wpnAKAPeE5f0RIWtyWwzWg3ZmQtPlguWlMw52Bcp3BrDC8rz1AXzP

Targets

    • Target

      Spoofer.exe

    • Size

      42KB

    • MD5

      a1baabfc69147abcad27edeb039b2c48

    • SHA1

      4b7ecee83d1f878e80c42d48b8e3526199017621

    • SHA256

      eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f

    • SHA512

      1a424b500dd64af5cb4527fdc6136be3687db6d88222859744e2495edd6670efdb826761515bd2fd67263eee2c8033026ed888ce8e9f7097e515c7b35ec99a3d

    • SSDEEP

      768:eaRlnERMjPsRNGAuZNLJpTjEKZKfgm3EhFe:eRMTsjGnLJpToF7Ene

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks