Overview

overview

10

Static

static

10

Mercurial....03.rar

windows10-ltsc_2021-x64

10

Mercurial....03.rar

windows11-21h2-x64

1

Resubmissions

05/04/2025, 05:06

250405-frn3nazzdw 10

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    05/04/2025, 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mercurial.Grabber.v1.03.rar

  • Size

    94KB

  • MD5

    0ec5027161e49223bfbfe40321592511

  • SHA1

    1ba9f950d283058f0b41b0ece5f3becff811fd9c

  • SHA256

    371edb664c31555dac5e695b0f7286115dd94b380c188948bde2f167f030a7d3

  • SHA512

    809b69857661727a2f26cb4c0921e29e012ebbc998b3fe7cc1b6b24d973b51b15cdcb512f38cf37ae220ff346ced85056fedac786db36707c59fea952953133e

  • SSDEEP

    1536:fKsbf1SvOpAtcQZrlImqPqEvSGkbJ4pBJXK/YnNnJbbeygbZuJi:ysjIvJcQZDaqjbuPJXK/cJbbyIi

Score
10/10
mercurialgrabberdefense_evasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://ptb.discord.com/api/webhooks/895223301373300776/4LFPS81olSXc9Stl05N1nV_de5bp6BZLZwfYl5WydodJ9w8AtEOpBRJrAJDKDvxbtGHz

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 8 IoCs
    defense_evasion
  • Looks for VMWare Tools registry key 2 TTPs 8 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 16 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5544
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4932
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:5584
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:5156
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      "C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\Mercurial Grabber.v1.03\Mercurial.exe
      Filesize

      146KB

      MD5

      0bf1054dd4f0ad45f4d5426996dc65bf

      SHA1

      64b5fa861128640392dd69a8d224bb467ef68545

      SHA256

      56550fecb5b916eac9280f2e20b0a6ea06041e18f88fb39531df029080bdbc7b

      SHA512

      d6145e94762ff963ec83f716166c63f8d0e692f3f02ae94732b142c5b177826608906933b1490b0558a381702c7c4eb9877b27583f9cd3e5d294a2df0e66e62e

      Download Submit

    • memory/5584-54-0x00007FFDF4D83000-0x00007FFDF4D85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5584-55-0x0000000000390000-0x00000000003BA000-memory.dmp

      Filesize

      168KB

      Download