Resubmissions

27-01-2025 00:46

250127-a4qjcstjbm 3

24-01-2025 23:23

250124-3dh1tavqfp 10

General

  • Target

    Skript.gg

  • Size

    226KB

  • Sample

    250124-3dh1tavqfp

  • MD5

    ca7d5d7de11cf29e438bdcb23858e9c1

  • SHA1

    648c94253ab48ee91220ff9703c6f609b5a00eac

  • SHA256

    bd2759318864a15bb6b3f2fe941acd6042ddb728d8a1f7a7ef2136696dbf37f9

  • SHA512

    b3041bfe3f2c708a5f4dba468eadb90a3984cc7cd9d3aa77673c94dbe929f67d8aaa1248f26fca0734b9b1fce24bbe45b3f693a29b31b5d93407ef51413fd3f5

  • SSDEEP

    6144:ghN5ipOL/saqkPV9FH2LtcIDSsmwQ9mvZJT3CqbMrhryf65NRPaCieMjAkvCJv1k:cN5ipOL/saqkPV9FH2LtcIDSsmwQ9mvN

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1014925257104162816/i_FgV0Vzo9Zj1gKs2wPCtFL9nQzLwfkh1frAZ_EO2HgDoESbbCIxJZtcdGID1SDoDkRZ

Targets

    • Target

      Skript.gg

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15