mercurialgrabber | 1bdf2d64894f6ae05948436ee261bc8492611aae9feca26751934c79e5aabf81 | Triage

Sharing

General

Target

1bdf2d64894f6ae05948436ee261bc8492611aae9feca26751934c79e5aabf81.exe
Size

784KB
Sample

241124-hrlcwaypby
MD5

e07c386723cf4f814e6a8a6774813649
SHA1

760e741c4177f63a2b050e8afb6a9fb3ac23f4e2
SHA256

1bdf2d64894f6ae05948436ee261bc8492611aae9feca26751934c79e5aabf81
SHA512

cf236c67d69d664676b3d2190f2719ee81e0f7404156a9a3e405fe35cac4288d29ce4398247f32e6425a103baf8e67f87553b4cca7706d9a2f28c3feaa585c4a
SSDEEP

24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVvCnrkbDmdsQ:1+clb1BRntmeSK9fNaBA+ZVqrNd3

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/897281916594696252/GXBeXRQpAlm4tCQFFzK8Lo3HvApM27S7weWPV234nZ_z6r7XNlxx7P-AdodS9jkzznk0

Targets

- Target
  
  1bdf2d64894f6ae05948436ee261bc8492611aae9feca26751934c79e5aabf81.exe
- Size
  
  784KB
- MD5
  
  e07c386723cf4f814e6a8a6774813649
- SHA1
  
  760e741c4177f63a2b050e8afb6a9fb3ac23f4e2
- SHA256
  
  1bdf2d64894f6ae05948436ee261bc8492611aae9feca26751934c79e5aabf81
- SHA512
  
  cf236c67d69d664676b3d2190f2719ee81e0f7404156a9a3e405fe35cac4288d29ce4398247f32e6425a103baf8e67f87553b4cca7706d9a2f28c3feaa585c4a
- SSDEEP
  
  24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVvCnrkbDmdsQ:1+clb1BRntmeSK9fNaBA+ZVqrNd3
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer