mercurialgrabber | eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f | Triage

Sharing

General

Target

Spoofer.exe
Size

42KB
Sample

241119-yem9pswldk
MD5

a1baabfc69147abcad27edeb039b2c48
SHA1

4b7ecee83d1f878e80c42d48b8e3526199017621
SHA256

eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f
SHA512

1a424b500dd64af5cb4527fdc6136be3687db6d88222859744e2495edd6670efdb826761515bd2fd67263eee2c8033026ed888ce8e9f7097e515c7b35ec99a3d
SSDEEP

768:eaRlnERMjPsRNGAuZNLJpTjEKZKfgm3EhFe:eRMTsjGnLJpToF7Ene

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308437525995458580/tUCFfkyMze1B-I4wpnAKAPeE5f0RIWtyWwzWg3ZmQtPlguWlMw52Bcp3BrDC8rz1AXzP

Targets

- Target
  
  Spoofer.exe
- Size
  
  42KB
- MD5
  
  a1baabfc69147abcad27edeb039b2c48
- SHA1
  
  4b7ecee83d1f878e80c42d48b8e3526199017621
- SHA256
  
  eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f
- SHA512
  
  1a424b500dd64af5cb4527fdc6136be3687db6d88222859744e2495edd6670efdb826761515bd2fd67263eee2c8033026ed888ce8e9f7097e515c7b35ec99a3d
- SSDEEP
  
  768:eaRlnERMjPsRNGAuZNLJpTjEKZKfgm3EhFe:eRMTsjGnLJpToF7Ene
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer