Extracted

• • Target

    a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542.exe

  • Size

    8.0MB

  • MD5

    ddf3fd684f553b4686987ec5cf532c20

  • SHA1

    085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7

  • SHA256

    a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542

  • SHA512

    b5988a061e33f7a742bb42f55dce0145e1defbe7628819a2337349827408480625cb04eacade19ba2495ee366472cc33555ae227b7286b0c58ff909e322f47bc

  • SSDEEP

    196608:OcwTiBknYhfr5QILXP8ZV3PpLsExwsJC4Ct99QTKu6yTL+b0X820iwvefJ:dwWCnYRr5QIXU/3PpLsacVH3TyXz08J

  Score

  10^/10

  mercurialgrabberdefense_evasiondiscoveryspywarestealer

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber

  • Mercurialgrabber family

    mercurialgrabber

  • Looks for VirtualBox Guest Additions in registry

    defense_evasion

  • Looks for VMWare Tools registry key

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral1behavioral2