mercurialgrabber | 135fdc6be56667ccda9e1171eaee2adb19d13e2ec18768b9ecc029c29ed17ad9 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

GrimLoader.exe

windows11-21h2-x64

Sharing

General

Target

GrimLoader.exe
Size

42KB
Sample

250317-s6vj7sxj13
MD5

735eb25f877a4980b0b76c2f065d4a70
SHA1

4a8b6aed9b6a1f849d5ad34a2c362afbfbc74005
SHA256

135fdc6be56667ccda9e1171eaee2adb19d13e2ec18768b9ecc029c29ed17ad9
SHA512

0c50c594be3552ab274d1750a097f0439678190d4cb5eb890e86bde1a8c018a71ff13ea86daaf9aa84dff600b552ce015040e4aa6b9543b0fbc213b6c8c04c90
SSDEEP

768:MmtZ5E9E//4MluZNLL9Tj+EKZKfgm3Ehkz:ZEIDkLL9TKEF7E2z

Score

10^/10

mercurialgrabber defense_evasion spyware stealer

Static task

static1

mercurialgrabber

2 signatures

Behavioral task

behavioral1

Sample

GrimLoader.exe

Resource

win11-20250314-en

mercurialgrabber defense_evasion spyware stealer

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1351217330234851339/6y7ZFPB3atPFLb0xPM7cN5NPowrs6q29FzdK-4qDAFOjpV_eXwVJoAJmvEsfgiZwHomE

Targets

- Target
  
  GrimLoader.exe
- Size
  
  42KB
- MD5
  
  735eb25f877a4980b0b76c2f065d4a70
- SHA1
  
  4a8b6aed9b6a1f849d5ad34a2c362afbfbc74005
- SHA256
  
  135fdc6be56667ccda9e1171eaee2adb19d13e2ec18768b9ecc029c29ed17ad9
- SHA512
  
  0c50c594be3552ab274d1750a097f0439678190d4cb5eb890e86bde1a8c018a71ff13ea86daaf9aa84dff600b552ce015040e4aa6b9543b0fbc213b6c8c04c90
- SSDEEP
  
  768:MmtZ5E9E//4MluZNLL9Tj+EKZKfgm3Ehkz:ZEIDkLL9TKEF7E2z
Score

10^/10

mercurialgrabber defense_evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberdefense_evasionspywarestealer

© 2018-2025

Terms | Privacy