mercurialgrabber | 33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb

Resubmissions

12-05-2024 18:09

240512-wrsnvahe71 10

12-05-2024 17:56

240512-wh2v6acb26 10

12-05-2024 17:50

240512-we2qzsbh82 10

Sharing

Copy URL

Twitter E-mail

General

Target

RGF-main.zip
Size

54KB
Sample

240512-wh2v6acb26
MD5

7bcc565dfb0ce789f9a984870a64414c
SHA1

7918e05800b7d02be5aa3670259709fde7f5c268
SHA256

33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb
SHA512

0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0
SSDEEP

768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr

Score

10^/10

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/975244014364270683/FZnH_sfT1E7Axl_7pfCffp86xK6BWVM_UXXb74CN2p4kpHxH_6kuQsuzlglxNPVfnIm6

Targets

- Target
  
  RGF-main.zip
- Size
  
  54KB
- MD5
  
  7bcc565dfb0ce789f9a984870a64414c
- SHA1
  
  7918e05800b7d02be5aa3670259709fde7f5c268
- SHA256
  
  33461d788a33b88bed3d489826f9fb766cae421f322b81c5eb861718a1dea7bb
- SHA512
  
  0490c139cd781e827fa35e55d21d887990febb2ab158baac005755ae1825904cf8f2971a10e75e135fa350c40ac841815ddeb2fd5c9da2d7b350e9c509f027b0
- SSDEEP
  
  768:C2wkbG+ulfxDBcy7hCPWLp7BKgRfIa700K/2x6qKDcqVQ1WEx7HyWKpIpTtKP1ZC:CN1LPBcmKWLp7BTei/qVgRHfKJLYd9vr
Score

1^/10
behavioral1
- Target
  
  RoBrute-master/RoBrute.py
- Size
  
  6KB
- MD5
  
  459ffbe4a551223287035714b6e274c2
- SHA1
  
  98151335d6fcf0630f03092fee504aa05563d2db
- SHA256
  
  418ab9d7b1c9ee04596bf868b74ba50f7105b3a150f6989d74d445f9810aaef9
- SHA512
  
  385d9317c7b823eef361ae294635697c07b1bf93d4d8d17da703911688f9b2b478532ff800c670507bf6269e7addbba7eb8f057357754e3565999d36af804cee
- SSDEEP
  
  192:aIzopckmTzso484ijEF3VvGK4F21p54wfFaep6D:aIkukwIijEF3VVs6htaepA
Score

3^/10
behavioral2
- Target
  
  RoBrute-master/mainLib.py
- Size
  
  481B
- MD5
  
  d605f4316cf7dd5b2f4d68e5534903a5
- SHA1
  
  1d9f87b0316cacdbc97c265a2005ceb9f04dd0e2
- SHA256
  
  930cac6585d68eef349b1db9e376c3c9cef6a764a51c6e19a55b3d23cbe4acbd
- SHA512
  
  384a3e39dad72d77fa8da085714b08ea8bddaa49c70df389febf9290c9ce09114646c417d31d6888437d237817b2eea67d183c7c65e5e985faa66a02b05a746b
Score

3^/10
behavioral3
- Target
  
  RoBrute-master/mainLib.pyc
- Size
  
  806B
- MD5
  
  a69353c0a05226a823732ff09def0462
- SHA1
  
  29d202a58960848f8a74c52cc5e0f28c239cbe1d
- SHA256
  
  14db2c7373b04e3767f4210e473906661b5251afceb5f9e445ab276f13b51a01
- SHA512
  
  b40d9ec41b4ef60d7d84400d4bcbcf11d0f469bd0365e84ff4a6b92f0dc71e12fd1f7ee4af5dd7d47dc2bd4548ecb1e75631a20829717f7ab5c46e80ed8cdfaa
Score

3^/10
behavioral4
- Target
  
  RoBrute-master/socks.py
- Size
  
  31KB
- MD5
  
  48785c4abab003e3567e381d81a4e3fe
- SHA1
  
  b78b23d63ac8d301e24e9a0f2c709f4d02abba87
- SHA256
  
  bc89e89dcd6a255af82c73cbd6cbbaaddba2aa83380188bbb8282aef40b0a11a
- SHA512
  
  52d7002548b3dc31ba4c355270577b92980c4a569dcad45c6af518da7355fcec0ace7c9ce5fabcf68dc04b2211d0d31a5cac1e7dc92a5017a1c3f1ed74cbb09a
- SSDEEP
  
  768:MTMqwGwX3Q/28zGh9czigrcQcJWN2hqoJRBLXo:M1rwXl8zGhCzig4QIWN0JRBjo
Score

3^/10
behavioral5
- Target
  
  RoBrute-master/socks.pyc
- Size
  
  26KB
- MD5
  
  c59597fcf54f22c79d319b129c33a62a
- SHA1
  
  316daa8cc82926af92ae9400c83c172681f427be
- SHA256
  
  245adcd5c71c12585d86e4cee0370781d99bd3ea8029e9869744028ed26bb7d5
- SHA512
  
  bf1b978029e2500ef16c4f201ef456324752f2dfc5e213153a861c990010518520e7e2d4b501deab30056302201537291ceff77312f5adae2d3845c8bce2a9c9
- SSDEEP
  
  768:x+TMqK0DoOgVH8zD5x50Y8a6RA516g0QsCh:k1DIVczDbXr6Ku4h
Score

3^/10
behavioral6
- Target
  
  RGF-main/RBF.exe
- Size
  
  41KB
- MD5
  
  09d12c328c88bfdfef9dcc0927dca671
- SHA1
  
  4f61a36bc05dbd9229b56db5ead4ea3d37e4308a
- SHA256
  
  64e772d1da472d9da1dde4d9b070c1d9acf98d9819ec04058a0161f020022e49
- SHA512
  
  4774119f1eb6f3f712fc29f7c7cceb31a67c62c01a6b7f09ccf17a85a4d78b3fed4f3a9532c353490f9058aae5db58d305a92a65a8e8039e7c123f48e73d1d51
- SSDEEP
  
  768:escGoAxWdPN+wauZLePWTjZKZKfgm3Ehpe:tcVdPN9ePWTVF7Ebe
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral7

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Maps connected drives based on registry

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7