General
-
Target
Exloader.zip
-
Size
151KB
-
Sample
240703-xaamdasdpn
-
MD5
c6c3c12c7afcd9860e733e427eb58924
-
SHA1
ee890ec984095e4e3ed3a452fdc0020d6de60bdd
-
SHA256
c802c3f6097984de6f1b01a67931c8f52bc153d1fceab4bb128e26c9898d8172
-
SHA512
a1459905a57ab48fe522d5a71457140835b58759eb7960696a2943a1cd11d7e58bf6497b89d84d5280c6259e2d4ff0d35706694a80ba55bbcb1b196dbd2b850f
-
SSDEEP
3072:0xUbR1nlHdYwthZ/Bxk/2Zxx3Oa5Enr5ccK7zoT4/0eTtBlvdl:3xlHCwthTGoAa6rbgzokl
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1256361610746925099/IbCyQQ4iqnO5SW1hJgJ5T2ABGEW65CJZGgMuAqC3t24mFSry2Cx2mE0ZcNkbOB4nSwnU
Targets
-
-
Target
ExLoader.exe
-
Size
226KB
-
MD5
ed16ba1945f2a6eef8b8be3403b86049
-
SHA1
c95e68a7b9de43ca8084c8f5feff3c6b4e5e6043
-
SHA256
2caac5163d30f34c56559ba0c22c8cfeb1d13fd3ae0d98054750a09566072129
-
SHA512
148d981e81c11e8fb39fa73370dad2538b6044966a4ad5a943303b567b575213382178b1dffc9ef4a2177d75f504b9e7463d6039bfd5e98d374058c405e74697
-
SSDEEP
6144:TIgV6lk/z1hTGoca6rbRqYNKEa3w38xC77zK3idK:0gV6l+zbGaQb0YNKEa3wsxC7y
Score10/10-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-