mercurialgrabber | d361b54090cffa37e08b270d91a6fa1aec4f78347f38ba930328c84733a233cb

General

Target

JaffaCakes118_df01a8c7077dbe40e68979f486ad29a7
Size

57KB
Sample

250110-jszsbsznej
MD5

df01a8c7077dbe40e68979f486ad29a7
SHA1

0f335a9a6ead9b8961a57bc724c93fb672ec14cb
SHA256

d361b54090cffa37e08b270d91a6fa1aec4f78347f38ba930328c84733a233cb
SHA512

ddca81cffd4abb81b405490f94e61a2c8a5f332796ad66e2f3b1add9d53138a55dc65a3c346e9eafa35fdd49f8035a75019988c6594f3d837cd6c006455d3601
SSDEEP

768:yrLfRHhf9uZ+LMmTjWKZKfgm3EhI99clYC3VVyAfe42TevR7u:yBhfJLMmTaF7Ei99cLVVx0T8B

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/898889485121646654/Xxon9mS9UonT3xyMDqO6eCIMgJjH0-mL9tBhX80ege_hMkOEMEtFNtSz1AyiX_Adui_Y

Targets

- Target
  
  JaffaCakes118_df01a8c7077dbe40e68979f486ad29a7
- Size
  
  57KB
- MD5
  
  df01a8c7077dbe40e68979f486ad29a7
- SHA1
  
  0f335a9a6ead9b8961a57bc724c93fb672ec14cb
- SHA256
  
  d361b54090cffa37e08b270d91a6fa1aec4f78347f38ba930328c84733a233cb
- SHA512
  
  ddca81cffd4abb81b405490f94e61a2c8a5f332796ad66e2f3b1add9d53138a55dc65a3c346e9eafa35fdd49f8035a75019988c6594f3d837cd6c006455d3601
- SSDEEP
  
  768:yrLfRHhf9uZ+LMmTjWKZKfgm3EhI99clYC3VVyAfe42TevR7u:yBhfJLMmTaF7Ei99cLVVx0T8B
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2