Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Mercurial-...er.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Mercurial-installer.exe

  • Size

    6.3MB

  • Sample

    250220-a6j5csvkx2

  • MD5

    8a93ceab7692801e240fa4d15b7d2d21

  • SHA1

    42f5f0da90294133543b85a966905f26e59fc2fe

  • SHA256

    e5d33a634d0afcca971c73278c7ebe95d7e34343487c52a7beb3480965ef5a3f

  • SHA512

    e35f4854148bec95dd787cf618e0c045d70b74141567f44b34cb26940ff3b08e30a92cf16d51ce78d7f917e0a4b5208e80d1fdb69127148e149c90c10c9c9cfd

  • SSDEEP

    196608:4iFAl6mMDfxMvSRNPZptyvMABDTtGV/1QHp44ecv9OHMC994T:4iFAl8jxMKRRiMABPtGV/1SzksCv

Score
10/10
mercurialgrabberagilenetdefense_evasiondiscoveryexecutionpersistencestealer

Malware Config

Targets

    • Target

      Mercurial-installer.exe

    • Size

      6.3MB

    • MD5

      8a93ceab7692801e240fa4d15b7d2d21

    • SHA1

      42f5f0da90294133543b85a966905f26e59fc2fe

    • SHA256

      e5d33a634d0afcca971c73278c7ebe95d7e34343487c52a7beb3480965ef5a3f

    • SHA512

      e35f4854148bec95dd787cf618e0c045d70b74141567f44b34cb26940ff3b08e30a92cf16d51ce78d7f917e0a4b5208e80d1fdb69127148e149c90c10c9c9cfd

    • SSDEEP

      196608:4iFAl6mMDfxMvSRNPZptyvMABDTtGV/1QHp44ecv9OHMC994T:4iFAl8jxMKRRiMABPtGV/1SzksCv

    Score
    10/10
    mercurialgrabberagilenetdefense_evasiondiscoveryexecutionpersistencestealer

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

      stealermercurialgrabber

    • Mercurialgrabber family

      mercurialgrabber

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      defense_evasionexecution

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks