mercurialgrabber | 884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb

General

Target

BDevsHwidSpoofer.rar
Size

87.8MB
MD5

16d8c15ac98b515fb77fd83e64b39554
SHA1

e64f1e4e57ba98292e433e0e67d48bf50e20a4c0
SHA256

884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb
SHA512

9c0b630f02eb36678c6b9266c6c18e51dc12938b1139e0f08551baf9db7818f82e709b2c9c25a2bc1de7201ee27b5074fdd4b7333eb33aebea25dd8d723cc4b2
SSDEEP

1572864:Wz9YaNI37Zdc/yFMlhngLFFKWmqAlIlfz9YaNI37Zdc/yFMM:e9YP3FSbgLF8lYr9YP3FSM

Score

10^/10

mercurialgrabber stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1342592218795479070/gAprajht67Sa8ORePbAXrGT6sIbifHi5L7oiHuXxWUdAHMtuuCdTAvGCQzuS79w1C7lM

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	ScoFucker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	ScoFucker.exe

Executes dropped EXE 5 IoCs

pid	Process
3376	Key.exe
560	ScoFucker.exe
3288	Updater.exe
1260	ScoFucker.exe
1096	Updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
7	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
560	ScoFucker.exe
560	ScoFucker.exe
1260	ScoFucker.exe
1260	ScoFucker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
560	ScoFucker.exe
560	ScoFucker.exe
560	ScoFucker.exe
560	ScoFucker.exe
1260	ScoFucker.exe
1260	ScoFucker.exe
1260	ScoFucker.exe
1260	ScoFucker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
396	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	396	7zFM.exe
Token: 35	396	7zFM.exe
Token: SeSecurityPrivilege	396	7zFM.exe
Token: SeDebugPrivilege	3376	Key.exe
Token: SeDebugPrivilege	560	ScoFucker.exe
Token: SeDebugPrivilege	1260	ScoFucker.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
396	7zFM.exe
396	7zFM.exe
396	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	ScoFucker.exe
1260	ScoFucker.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 560 wrote to memory of 3288	560	ScoFucker.exe	94
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100
PID 1260 wrote to memory of 1096	1260	ScoFucker.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BDevsHwidSpoofer.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2640

C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Key.exe
"C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Key.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\ScoFucker.exe
"C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\ScoFucker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Updater.exe
  "C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Updater.exe"
  2⤵
  - Executes dropped EXE
  PID:3288

C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\ScoFucker.exe
"C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\ScoFucker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Updater.exe
  "C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Updater.exe"
  2⤵
  - Executes dropped EXE
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Key.exe

Filesize
41KB

MD5
e9eb8c9e977dffcaa7fd50792ec087c3

SHA1
3a916bff3fa8488d4678ad48c397f8e248db8d0d

SHA256
eb1ec5ac218ee4620daae85d52eb2f28d09147930667fc870e6640d5223eecde

SHA512
d231da2f1c0e5fcecfd313389642d23ece8f339c8a09c2b1737bbca914feb4942265a7d197715634793c4b9686205a4208665cfd9ae06011579c0c968335230c

Download Submit
C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\ScoFucker.exe

Filesize
28.9MB

MD5
5a924a768e25268747e26c60d44e2722

SHA1
37109a60a000c57c7c321afb44585064cbccb0b6

SHA256
6f9c20d90db779845264dee3eb25a2f5cef15be1a95bf85e82e469c4b6cd6f54

SHA512
5670efb26e28165b23922e4914eade005819621dbfd9c16a3c16eaccaaa528e18901c334c6ab5bc14ad97ca4eff7d7435e6c50b602647ef1f8aef9b303913e03

Download Submit
C:\Users\Admin\Desktop\New folder\BDevsHwidSpoofer\Updater.exe

Filesize
32.1MB

MD5
d44d855c8e89b6cdb48b318ab9706e95

SHA1
5282b70475ddba9ac51a2c3f734e1c90b729c434

SHA256
0206963bd92cd09d570d1891963eec416665ed117357c0ec6a060d279973dd63

SHA512
3a6a956b4957ab5b13cf72a544a1abd8a8336e4956e59c9e4ba4e4e7f8cacdbbceba9d3aeaf85b95d4c7e760c90e3a435fc0a6d65d9bb392ff64ffe9c7f40943

Download Submit
memory/560-21-0x00007FFBBB910000-0x00007FFBBB912000-memory.dmp

Filesize
8KB

Download
memory/560-22-0x00007FFBBB920000-0x00007FFBBB922000-memory.dmp

Filesize
8KB

Download
memory/560-23-0x0000000140000000-0x0000000143370000-memory.dmp

Filesize
51.4MB

Download
memory/1260-34-0x0000000140000000-0x0000000143370000-memory.dmp

Filesize
51.4MB

Download
memory/3288-28-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3288-27-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3288-29-0x0000000140000000-0x0000000144FE0000-memory.dmp

Filesize
79.9MB

Download
memory/3376-18-0x00007FFB9B580000-0x00007FFB9C042000-memory.dmp

Filesize
10.8MB

Download
memory/3376-16-0x00007FFB9B580000-0x00007FFB9C042000-memory.dmp

Filesize
10.8MB

Download
memory/3376-15-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/3376-14-0x00007FFB9B583000-0x00007FFB9B585000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing