mercurialgrabber | 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.Grabber.v1.03.rar
Size

2.9MB
MD5

635903bad1ada856d701f34d3070ccd9
SHA1

3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0
SHA256

3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6
SHA512

fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015
SSDEEP

49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH

Score

10^/10

mercurialgrabber agilenet discovery stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1345264043610603582/1GMTIjfW57evopQXB1e9KFl1wbD_XDwq93R2eZ0N0xIRynPuF0KyoUCBuj1c122RycgA

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber

Executes dropped EXE 2 IoCs

pid	Process
1484	Mercurial.exe
1924	freak.exe

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1484-12-0x0000000005AB0000-0x0000000005ACC000-memory.dmp	agile_net
behavioral2/memory/1484-13-0x0000000005AE0000-0x0000000005B00000-memory.dmp	agile_net
behavioral2/memory/1484-15-0x0000000005D50000-0x0000000005D60000-memory.dmp	agile_net
behavioral2/memory/1484-14-0x0000000005D30000-0x0000000005D50000-memory.dmp	agile_net
behavioral2/memory/1484-16-0x0000000005D60000-0x0000000005D74000-memory.dmp	agile_net
behavioral2/memory/1484-18-0x0000000005DF0000-0x0000000005E0E000-memory.dmp	agile_net
behavioral2/memory/1484-17-0x0000000005D70000-0x0000000005DDE000-memory.dmp	agile_net
behavioral2/memory/1484-19-0x0000000005E30000-0x0000000005E66000-memory.dmp	agile_net
behavioral2/memory/1484-20-0x0000000005E70000-0x0000000005E7E000-memory.dmp	agile_net
behavioral2/memory/1484-21-0x0000000005E90000-0x0000000005E9E000-memory.dmp	agile_net
behavioral2/memory/1484-22-0x0000000006700000-0x000000000684A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
67	discord.com
66	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ip4.seeip.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mercurial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4228	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4528	7zFM.exe
4528	7zFM.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe
1484	Mercurial.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4528	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4528	7zFM.exe
Token: 35	4528	7zFM.exe
Token: SeSecurityPrivilege	4528	7zFM.exe
Token: SeSecurityPrivilege	4528	7zFM.exe
Token: SeDebugPrivilege	1484	Mercurial.exe
Token: SeDebugPrivilege	1924	freak.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4528	7zFM.exe
4528	7zFM.exe
4528	7zFM.exe
1484	Mercurial.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4228	4528	7zFM.exe	93
PID 4528 wrote to memory of 4228	4528	7zFM.exe	93
PID 1484 wrote to memory of 3936	1484	Mercurial.exe	114
PID 1484 wrote to memory of 3936	1484	Mercurial.exe	114
PID 1484 wrote to memory of 3936	1484	Mercurial.exe	114
PID 3936 wrote to memory of 3764	3936	csc.exe	116
PID 3936 wrote to memory of 3764	3936	csc.exe	116
PID 3936 wrote to memory of 3764	3936	csc.exe	116

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0B1D0C98\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4228

C:\Users\Admin\Desktop\Mercurial.exe
"C:\Users\Admin\Desktop\Mercurial.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES761C.tmp" "c:\Users\Admin\Desktop\CSC5EF76A388CB34A0A91CACCDD9686270.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764

C:\Users\Admin\Desktop\freak.exe
"C:\Users\Admin\Desktop\freak.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0B1D0C98\readme.txt

Filesize
64B

MD5
77976ab4f7b14569dd64f212ce6ee64e

SHA1
f442ef7a74ac6922628bc8ba03ea08e62f83253e

SHA256
044b863e9895e669d45d97d44a4f80f2b9ac5f941635ef3c1e9f39ad12747ecf

SHA512
52d4b884b2462449576fe9dac654de500985b53d0262472d88a1bc659b3a5ffe0ed5f0581c50ef006c3b3d7dbf816a80d21e6b6f4c03b595bb108a4360a60723

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES761C.tmp

Filesize
1KB

MD5
44d2043663a5448c30ad8036ed1cf326

SHA1
4d9bdfd7d7d170e89da0e4e943eddf8c1335eeb9

SHA256
e26c1b7f9232f0d62181042b7e47657461c03f9bcecf3132e64e93cc15a63faf

SHA512
5845413ba8c4ddaf20ecd3278c30c8cb7219b686eb87d5cc70e13fabf8863b009d4de99640c49a5367129dc8db76a3c7717bd3b936b8bd040aa16437287308c6

Download Submit
C:\Users\Admin\Desktop\Mercurial.exe

Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\Desktop\freak.exe

Filesize
41KB

MD5
106472dc8d66d24e3551732d683a8a7e

SHA1
51f58ab684e4ba76ffa6e129d64a429c96fe1e7b

SHA256
94ca433bd33ef1d179afa2ffa7cd5e3de228365c80c58462540672a76cb37f95

SHA512
0c71a44346da59eb6f5158bec64feed54a885724f64544e071a0ae1dc174ecd861771a3179e40bf1bc6fc8bd676e00d6fc9776455ae34b26a7fbdf33c0090b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.0.cs

Filesize
11KB

MD5
2a344451e758a6022b5c412605677417

SHA1
26b28a920733a27562cf53adf10cf1d64b2ee067

SHA256
e873843e4749e6c3c62ef357509970a5003d9dd5488955af500f56fb02bcb1db

SHA512
9c96c28c06b6d725086d9a86ee5584099da67a619b5964cd5d91199568d9926000ca37ad03890ba574e1851a3ebffe311ff6301ff3444ce92e3a46bf73d93aa5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.1.cs

Filesize
5KB

MD5
8aab1997664a604aca551b20202bfd14

SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5

SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.2.cs

Filesize
7KB

MD5
6fdae9afc1f8e77e882f1ba6b5859a4e

SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5

SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.3.cs

Filesize
8KB

MD5
6ba707982ee7e5f0ae55ce3fa5ccad17

SHA1
d094c98491058ed49861ce82701abe1f38385f18

SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.4.cs

Filesize
2KB

MD5
fae5458a5b3cee952e25d44d6eb9db85

SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42

SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.5.cs

Filesize
4KB

MD5
42f157ad8e79e06a142791d6e98e0365

SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443

SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.6.cs

Filesize
6KB

MD5
8ec0f0e49ffe092345673ab4d9f45641

SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495

SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.7.cs

Filesize
16KB

MD5
05206d577ce19c1ef8d9341b93cd5520

SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d

SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.8.cs

Filesize
561B

MD5
7ae06a071e39d392c21f8395ef5a9261

SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930

SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.9.cs

Filesize
10KB

MD5
380d15f61b0e775054eefdce7279510d

SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157

SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.cmdline

Filesize
832B

MD5
5b6d1c74ad057b559bf7e5f270edd2b0

SHA1
d9fd82849757fbdb61f3f82240f4a37eda2fcc02

SHA256
659c7c9b6b855a587ca6aa163a84dbaad7dc6e89ac5c44491dabc6824a6186c2

SHA512
5bc3cae2cb2436f505b1335e90b095e1774de99e8ef90d1ad6a9b1c9adbbb27567c6364fda720c8327b3b336cd830b771062076b094a2d858e157f6ec2ab28ea

Download Submit
\??\c:\Users\Admin\Desktop\CSC5EF76A388CB34A0A91CACCDD9686270.TMP

Filesize
1KB

MD5
10a166e07997ed1b22df394c6fb3fb29

SHA1
c040a2ec73ce85086df404aef3f9fb8f10815bae

SHA256
463d7a9801bde3b810ae271e5605a28156001108ed1e584437ea22bbc75b84f4

SHA512
29a102b1ff998fd39d5df8fb5cc55a7df8eceeb460cf8a63b9ff2508c6db2db9f04c41f15414195da5bf7f68d0067aa35b80f08ef5047f9925f0a49a6b36e6c6

Download Submit
memory/1484-15-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/1484-18-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/1484-24-0x0000000006010000-0x0000000006040000-memory.dmp

Filesize
192KB

Download
memory/1484-25-0x00000000094B0000-0x00000000094B8000-memory.dmp

Filesize
32KB

Download
memory/1484-22-0x0000000006700000-0x000000000684A000-memory.dmp

Filesize
1.3MB

Download
memory/1484-21-0x0000000005E90000-0x0000000005E9E000-memory.dmp

Filesize
56KB

Download
memory/1484-20-0x0000000005E70000-0x0000000005E7E000-memory.dmp

Filesize
56KB

Download
memory/1484-19-0x0000000005E30000-0x0000000005E66000-memory.dmp

Filesize
216KB

Download
memory/1484-17-0x0000000005D70000-0x0000000005DDE000-memory.dmp

Filesize
440KB

Download
memory/1484-23-0x0000000006850000-0x0000000006966000-memory.dmp

Filesize
1.1MB

Download
memory/1484-16-0x0000000005D60000-0x0000000005D74000-memory.dmp

Filesize
80KB

Download
memory/1484-14-0x0000000005D30000-0x0000000005D50000-memory.dmp

Filesize
128KB

Download
memory/1484-13-0x0000000005AE0000-0x0000000005B00000-memory.dmp

Filesize
128KB

Download
memory/1484-12-0x0000000005AB0000-0x0000000005ACC000-memory.dmp

Filesize
112KB

Download
memory/1484-11-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/1484-10-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/1484-9-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-8-0x0000000000EA0000-0x00000000011DA000-memory.dmp

Filesize
3.2MB

Download
memory/1924-59-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download