mercurialgrabber | e0717d72527dff9703a960164ce687857dabda14ad23fff08070a022cefbe5d3

General

Target

JaffaCakes118_57acc051bce36cfa9a1edb5b31afe446
Size

630KB
Sample

250101-q7q73axkay
MD5

57acc051bce36cfa9a1edb5b31afe446
SHA1

2a0c67762fc6daf713186f6e81103f9d46d1b335
SHA256

e0717d72527dff9703a960164ce687857dabda14ad23fff08070a022cefbe5d3
SHA512

1db6a0688bdd88c27c04cbfd6e3448bae95435e2700072516d56660ce007b7c34699d107fa83c970a9f2209b524b349b8fcf6877e8944adadcfe0ba1218ba32a
SSDEEP

12288:tfxwHtm1BlmsMzkoyLOQ7PV942TmbVN5h8OJFBFGxm9kChP/cakIetDl:pqtWlmaoyyQDVKcmbVN5mOT3G

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/897216012603256842/Zf1W7RTuEyIvXw2r12OgP8sa8I5_odqhiTlFF6XnWhig090X7dOOZ6hDa2OY4AoeRrjc

Targets

- Target
  
  JaffaCakes118_57acc051bce36cfa9a1edb5b31afe446
- Size
  
  630KB
- MD5
  
  57acc051bce36cfa9a1edb5b31afe446
- SHA1
  
  2a0c67762fc6daf713186f6e81103f9d46d1b335
- SHA256
  
  e0717d72527dff9703a960164ce687857dabda14ad23fff08070a022cefbe5d3
- SHA512
  
  1db6a0688bdd88c27c04cbfd6e3448bae95435e2700072516d56660ce007b7c34699d107fa83c970a9f2209b524b349b8fcf6877e8944adadcfe0ba1218ba32a
- SSDEEP
  
  12288:tfxwHtm1BlmsMzkoyLOQ7PV942TmbVN5h8OJFBFGxm9kChP/cakIetDl:pqtWlmaoyyQDVKcmbVN5mOT3G
Score

10^/10

mercurialgrabber discovery evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2