mercurialgrabber | abd08cf446aeec68a2d6ebba24dc491552e846e58fdf8237f8a1b8a61b64926f | Triage

Sharing

General

Target

JaffaCakes118_09c14770d1ed0ef2736238ba8ce76f07
Size

784KB
Sample

250106-c6m75atkhx
MD5

09c14770d1ed0ef2736238ba8ce76f07
SHA1

02dcd1f3b8390b2fb77f78b4a036aaf89d8687f7
SHA256

abd08cf446aeec68a2d6ebba24dc491552e846e58fdf8237f8a1b8a61b64926f
SHA512

01ce0c52a00f57f0a6247572dc9b42a9fcd38dfff3451f0c58c4edd49f27f5d860be18adf72ae572c9d03e260c46e3217b61431ee2630e9ab17607e3b87fc68c
SSDEEP

24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVvCnrkbDmdsw:1+clb1BRntmeSK9fNaBA+ZVqrNdP

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/897281916594696252/GXBeXRQpAlm4tCQFFzK8Lo3HvApM27S7weWPV234nZ_z6r7XNlxx7P-AdodS9jkzznk0

Targets

- Target
  
  JaffaCakes118_09c14770d1ed0ef2736238ba8ce76f07
- Size
  
  784KB
- MD5
  
  09c14770d1ed0ef2736238ba8ce76f07
- SHA1
  
  02dcd1f3b8390b2fb77f78b4a036aaf89d8687f7
- SHA256
  
  abd08cf446aeec68a2d6ebba24dc491552e846e58fdf8237f8a1b8a61b64926f
- SHA512
  
  01ce0c52a00f57f0a6247572dc9b42a9fcd38dfff3451f0c58c4edd49f27f5d860be18adf72ae572c9d03e260c46e3217b61431ee2630e9ab17607e3b87fc68c
- SSDEEP
  
  24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVvCnrkbDmdsw:1+clb1BRntmeSK9fNaBA+ZVqrNdP
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer