mercurialgrabber | b6c68a183d0a85c967cf0e20082da608c7febca84fb66b1c085bef83c4d76894 | Triage

Sharing

General

Target

FKjdctVS.exe
Size

42KB
Sample

241219-qaesrstpfj
MD5

e7871defe3ff71566b3600eea0f61eb4
SHA1

44692b1477d43c48987daa0a34314b770505ebbf
SHA256

b6c68a183d0a85c967cf0e20082da608c7febca84fb66b1c085bef83c4d76894
SHA512

6a560fa39c23ea83a2049209f0e53935c321395755cc86b25ea25b29ff1315f1a7ee49da2960f9c1b796748195653a86d28506cb3e551d6530cb09d289f0cb27
SSDEEP

768:4cNCbujiewetQDGm8UuZyLxYTjsJKZKfgm3Ehik:XcSQD8ILxYTsF7EQk

Score

10^/10

mercurialgrabber discovery evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1319288015813873705/C8huyRFXRluYBlR8b0oxd33KZO6CyZgv-Jz8BlN-12x7BXBEBPMZipi5e5oAovfyjlvk

Targets

- Target
  
  FKjdctVS.exe
- Size
  
  42KB
- MD5
  
  e7871defe3ff71566b3600eea0f61eb4
- SHA1
  
  44692b1477d43c48987daa0a34314b770505ebbf
- SHA256
  
  b6c68a183d0a85c967cf0e20082da608c7febca84fb66b1c085bef83c4d76894
- SHA512
  
  6a560fa39c23ea83a2049209f0e53935c321395755cc86b25ea25b29ff1315f1a7ee49da2960f9c1b796748195653a86d28506cb3e551d6530cb09d289f0cb27
- SSDEEP
  
  768:4cNCbujiewetQDGm8UuZyLxYTjsJKZKfgm3Ehik:XcSQD8ILxYTsF7EQk
Score

10^/10

mercurialgrabber discovery evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberdiscoveryevasionspywarestealer