mercurialgrabber | 8694257c04deed3937833145954c65564627f7d40cd20f8401696933a03b7e3f | Triage

Submit
Reports

Overview

overview

Static

static

3

Celesty.exe

windows7-x64

Celesty.exe

windows10-2004-x64

Sharing

General

Target

Celesty.exe
Size

1.7MB
Sample

240518-bgjyqscf23
MD5

8966d25141f5e150ff7d02ac502cce46
SHA1

f882485d1ffac1b75b60794824b771e4ce33d7b7
SHA256

8694257c04deed3937833145954c65564627f7d40cd20f8401696933a03b7e3f
SHA512

caedef6e8fdc042d6586816bdc87c36b3d40c22a8e4e331d46296b669ed03f2e295f4b44ed4092f43e8d0dad8cc40766982d6938d1d638fb4e4eecaddd529df3
SSDEEP

49152:6PxCjaDpascfyHTtgWc79pGvFog9hlQ0xM7QYeYnUgy:mCq4sokTtlPFooQzzU/

Score

10^/10

mercurialgrabber evasion spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Celesty.exe

Resource

win7-20240215-en

mercurialgrabber evasion spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Celesty.exe

Resource

win10v2004-20240508-en

mercurialgrabber evasion spyware stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/935223250571640882/ViB43kUXE9CCFxm2v1jxJfLyHYVNk3Y3-laU94OpWmJjw7id0TwbDJUP1by4-O7zvfZu

Targets

- Target
  
  Celesty.exe
- Size
  
  1.7MB
- MD5
  
  8966d25141f5e150ff7d02ac502cce46
- SHA1
  
  f882485d1ffac1b75b60794824b771e4ce33d7b7
- SHA256
  
  8694257c04deed3937833145954c65564627f7d40cd20f8401696933a03b7e3f
- SHA512
  
  caedef6e8fdc042d6586816bdc87c36b3d40c22a8e4e331d46296b669ed03f2e295f4b44ed4092f43e8d0dad8cc40766982d6938d1d638fb4e4eecaddd529df3
- SSDEEP
  
  49152:6PxCjaDpascfyHTtgWc79pGvFog9hlQ0xM7QYeYnUgy:mCq4sokTtlPFooQzzU/
Score

10^/10

mercurialgrabber evasion spyware stealer
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
  stealer mercurialgrabber
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

mercurialgrabberevasionspywarestealer

behavioral2

mercurialgrabberevasionspywarestealer

© 2018-2024

Terms | Privacy