mercurialgrabber | 884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb | Triage

Sharing

General

Target

BDevsHwidSpoofer.rar
Size

87.8MB
Sample

250221-3baxesvk14
MD5

16d8c15ac98b515fb77fd83e64b39554
SHA1

e64f1e4e57ba98292e433e0e67d48bf50e20a4c0
SHA256

884fb17d58024c96f35e10fe5b81c521032bb6176e91d1ed2b4cfba8f62341bb
SHA512

9c0b630f02eb36678c6b9266c6c18e51dc12938b1139e0f08551baf9db7818f82e709b2c9c25a2bc1de7201ee27b5074fdd4b7333eb33aebea25dd8d723cc4b2
SSDEEP

1572864:Wz9YaNI37Zdc/yFMlhngLFFKWmqAlIlfz9YaNI37Zdc/yFMM:e9YP3FSbgLF8lYr9YP3FSM

Score

10^/10

mercurialgrabber stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1342592218795479070/gAprajht67Sa8ORePbAXrGT6sIbifHi5L7oiHuXxWUdAHMtuuCdTAvGCQzuS79w1C7lM

Targets

- Target
  
  BDevsHwidSpoofer/Key.exe
- Size
  
  41KB
- MD5
  
  e9eb8c9e977dffcaa7fd50792ec087c3
- SHA1
  
  3a916bff3fa8488d4678ad48c397f8e248db8d0d
- SHA256
  
  eb1ec5ac218ee4620daae85d52eb2f28d09147930667fc870e6640d5223eecde
- SHA512
  
  d231da2f1c0e5fcecfd313389642d23ece8f339c8a09c2b1737bbca914feb4942265a7d197715634793c4b9686205a4208665cfd9ae06011579c0c968335230c
- SSDEEP
  
  768:hscaIyIEL/gB1wqyuZjecWTjgKZKfgm3Eh8B:ec1irgBvecWT0F7E6B
Score

10^/10

mercurialgrabber stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  BDevsHwidSpoofer/ScoFucker.exe
- Size
  
  28.9MB
- MD5
  
  5a924a768e25268747e26c60d44e2722
- SHA1
  
  37109a60a000c57c7c321afb44585064cbccb0b6
- SHA256
  
  6f9c20d90db779845264dee3eb25a2f5cef15be1a95bf85e82e469c4b6cd6f54
- SHA512
  
  5670efb26e28165b23922e4914eade005819621dbfd9c16a3c16eaccaaa528e18901c334c6ab5bc14ad97ca4eff7d7435e6c50b602647ef1f8aef9b303913e03
- SSDEEP
  
  786432:H/ls88jgftK8fCqoeeyMHaivfIv55pg/o+:H/lsRcfX6qg3HaivG5vgA
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  BDevsHwidSpoofer/Updater.exe
- Size
  
  32.1MB
- MD5
  
  d44d855c8e89b6cdb48b318ab9706e95
- SHA1
  
  5282b70475ddba9ac51a2c3f734e1c90b729c434
- SHA256
  
  0206963bd92cd09d570d1891963eec416665ed117357c0ec6a060d279973dd63
- SHA512
  
  3a6a956b4957ab5b13cf72a544a1abd8a8336e4956e59c9e4ba4e4e7f8cacdbbceba9d3aeaf85b95d4c7e760c90e3a435fc0a6d65d9bb392ff64ffe9c7f40943
- SSDEEP
  
  786432:8QgHEFNLewZZTftqapqtO90SBbUwgyRvOjqhKjaJyHOQ3SRk:8QgkFNLdtq4EyRvOGgeyHOQC+
Score

1^/10
behavioral5 behavioral6
- Target
  
  BDevsHwidSpoofer/data/Updater.exe
- Size
  
  32.1MB
- MD5
  
  d44d855c8e89b6cdb48b318ab9706e95
- SHA1
  
  5282b70475ddba9ac51a2c3f734e1c90b729c434
- SHA256
  
  0206963bd92cd09d570d1891963eec416665ed117357c0ec6a060d279973dd63
- SHA512
  
  3a6a956b4957ab5b13cf72a544a1abd8a8336e4956e59c9e4ba4e4e7f8cacdbbceba9d3aeaf85b95d4c7e760c90e3a435fc0a6d65d9bb392ff64ffe9c7f40943
- SSDEEP
  
  786432:8QgHEFNLewZZTftqapqtO90SBbUwgyRvOjqhKjaJyHOQ3SRk:8QgkFNLdtq4EyRvOGgeyHOQC+
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberstealer

behavioral2

mercurialgrabberstealer

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8