mercurialgrabber | 884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

BDevsHwidSpoofer.rar

windows10-ltsc 2021-x64

Resubmissions

21/02/2025, 23:13

250221-27eptatjam 10

Sharing

General

Target

BDevsHwidSpoofer.rar
Size

87.8MB
Sample

250221-27eptatjam
MD5

16d8c15ac98b515fb77fd83e64b39554
SHA1

e64f1e4e57ba98292e433e0e67d48bf50e20a4c0
SHA256

884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb
SHA512

9c0b630f02eb36678c6b9266c6c18e51dc12938b1139e0f08551baf9db7818f82e709b2c9c25a2bc1de7201ee27b5074fdd4b7333eb33aebea25dd8d723cc4b2
SSDEEP

1572864:Wz9YaNI37Zdc/yFMlhngLFFKWmqAlIlfz9YaNI37Zdc/yFMM:e9YP3FSbgLF8lYr9YP3FSM

Score

10^/10

mercurialgrabber stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

BDevsHwidSpoofer.rar

Resource

win10ltsc2021-20250217-en

mercurialgrabber stealer

windows10-ltsc 2021-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1342592218795479070/gAprajht67Sa8ORePbAXrGT6sIbifHi5L7oiHuXxWUdAHMtuuCdTAvGCQzuS79w1C7lM

Targets

- Target
  
  BDevsHwidSpoofer.rar
- Size
  
  87.8MB
- MD5
  
  16d8c15ac98b515fb77fd83e64b39554
- SHA1
  
  e64f1e4e57ba98292e433e0e67d48bf50e20a4c0
- SHA256
  
  884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb
- SHA512
  
  9c0b630f02eb36678c6b9266c6c18e51dc12938b1139e0f08551baf9db7818f82e709b2c9c25a2bc1de7201ee27b5074fdd4b7333eb33aebea25dd8d723cc4b2
- SSDEEP
  
  1572864:Wz9YaNI37Zdc/yFMlhngLFFKWmqAlIlfz9YaNI37Zdc/yFMM:e9YP3FSbgLF8lYr9YP3FSM
Score

10^/10

mercurialgrabber stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberstealer

© 2018-2025

Terms | Privacy