mercurialgrabber | d916e1bc06d731141e84b68db9d0aad809f2892d44d20e4da7e387f7f66e1e42 | Triage

Sharing

General

Target

d916e1bc06d731141e84b68db9d0aad809f2892d44d20e4da7e387f7f66e1e42.zip
Size

18KB
Sample

250327-ndntqs1tev
MD5

1e99e5aedb6359f4b06de0811e30bf83
SHA1

61fa746e6239f29c7545bb81836130df77641133
SHA256

d916e1bc06d731141e84b68db9d0aad809f2892d44d20e4da7e387f7f66e1e42
SHA512

e1a01dfff0dc82d1394f02038101f7b9dabc90711824f4530eb857e970dc65f377d5a46fa101252f936ca102c7fef0c0a0eff86e506ca1972b42758e649d6c58
SSDEEP

384:tNNT8lS0wRrDJZkcxZ2ITBoTN3zhEpp0H+xnLzrEkyj7inq:tP0WP12EoTNGkMnnrEkyj+q

Score

10^/10

mercurialgrabber defense_evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/914503912407572490/zP__Bj6k04AYSGEv8Ts6aRhmcnmO3aGixc9o_Rz-yWBqRw64q7UVf2AruIqbQaAmCoJx

Targets

- Target
  
  b2c7aa4ca944e68737d9a4ba5d07902504fef7728df7e8aac79afc93e427992a.exe
- Size
  
  42KB
- MD5
  
  12b8fe04efec767f02c09e3627af2cea
- SHA1
  
  b5dfcb31b33900a925061cec5f947d6e890c28a9
- SHA256
  
  b2c7aa4ca944e68737d9a4ba5d07902504fef7728df7e8aac79afc93e427992a
- SHA512
  
  5e63d77652f9371043adf4093fe8aeed9e12982625a51911eae951ee3de6f68fe1cb117c59af9a6ad50a6552e00c0a044a5236e93f4f7b98ddc8f5c1598fb6b2
- SSDEEP
  
  768:9pI0LvqOzylOEvuZMHLYZTjDKZKfgm3EhcF:jjfz9E7LYZTHF7EyF
Score

10^/10

mercurialgrabber defense_evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Mercurialgrabber family
  mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

mercurialgrabber

behavioral1

mercurialgrabberdefense_evasionspywarestealer

behavioral2

mercurialgrabberdefense_evasionspywarestealer