mercurialgrabber | 14c880901bd29af48aabce0d923ea3c5a29dee581232eb01b73ab73e4044df5e

General

Target

JaffaCakes118_211bc13475836d338efad27fcfb93854
Size

784KB
Sample

250106-nng4yaxpdj
MD5

211bc13475836d338efad27fcfb93854
SHA1

4014d439c4408ade5aad8b9821fedf8d762e1bbd
SHA256

14c880901bd29af48aabce0d923ea3c5a29dee581232eb01b73ab73e4044df5e
SHA512

b70133311794c551439fac00717799cceda66afa1970dab395ff1bd6e5dd4af776338c14abb459fb81780127f6b0cc477dfdb2bfbfc1f27e2732bafce6703207
SSDEEP

24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVv3Irk/mRK:1+clb1BRntmeSK9fNaBA+ZVfUCb

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/897297549470363709/qD_guPuyDUYvIFaoZvjt6eHBw1yKtKL8VS_ITLOh8nRCLA8dRnaCYOA7UVl0ovkMLw1r

Targets

- Target
  
  JaffaCakes118_211bc13475836d338efad27fcfb93854
- Size
  
  784KB
- MD5
  
  211bc13475836d338efad27fcfb93854
- SHA1
  
  4014d439c4408ade5aad8b9821fedf8d762e1bbd
- SHA256
  
  14c880901bd29af48aabce0d923ea3c5a29dee581232eb01b73ab73e4044df5e
- SHA512
  
  b70133311794c551439fac00717799cceda66afa1970dab395ff1bd6e5dd4af776338c14abb459fb81780127f6b0cc477dfdb2bfbfc1f27e2732bafce6703207
- SSDEEP
  
  24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVv3Irk/mRK:1+clb1BRntmeSK9fNaBA+ZVfUCb
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2