mercurialgrabber | fc8eefc8e8e4283e729d021452d969e368c93abd4ac74196fc118f6817ee9246 | Triage

Submit
Reports

Overview

overview

Static

static

freefire.exe

windows7-x64

freefire.exe

windows10-2004-x64

Sharing

General

Target

freefire.exe
Size

41KB
Sample

250119-2s6jzszmhp
MD5

f68b437e71726ea2eb09b74191080ca8
SHA1

84f71751ae0e278350d1a232a533f6931b91c1bf
SHA256

fc8eefc8e8e4283e729d021452d969e368c93abd4ac74196fc118f6817ee9246
SHA512

42fb9b9fc0e14da7e54c27e9fdddfbd50af08313a48dc256a97c9b13587fd8b8b45b0c699f552454fc727a5be1012d1c6fbdad14595cb716d5531fc4f528560d
SSDEEP

768:RscaIyI97QT+xBcwSuZ1e4WTjUKZKfgm3EhzM:uc1zQTCe4WTAF7EFM

Score

10^/10

mercurialgrabber discovery evasion spyware stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

freefire.exe

Resource

win7-20240903-en

mercurialgrabber discovery evasion spyware stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

freefire.exe

Resource

win10v2004-20241007-en

mercurialgrabber evasion spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1330668414972198984/X1GuzAptUr12moshlt6mEJL0oBFzegr6RFPwbkHMcnOjkQGQUCJWBaetGlaj3pZY-5w9

Targets

- Target
  
  freefire.exe
- Size
  
  41KB
- MD5
  
  f68b437e71726ea2eb09b74191080ca8
- SHA1
  
  84f71751ae0e278350d1a232a533f6931b91c1bf
- SHA256
  
  fc8eefc8e8e4283e729d021452d969e368c93abd4ac74196fc118f6817ee9246
- SHA512
  
  42fb9b9fc0e14da7e54c27e9fdddfbd50af08313a48dc256a97c9b13587fd8b8b45b0c699f552454fc727a5be1012d1c6fbdad14595cb716d5531fc4f528560d
- SSDEEP
  
  768:RscaIyI97QT+xBcwSuZ1e4WTjUKZKfgm3EhzM:uc1zQTCe4WTAF7EFM
Score

10^/10

mercurialgrabber discovery evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberdiscoveryevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer

© 2018-2025

Terms | Privacy