Mercurial Grabber

From Discord Security Advisory
Revision as of 05:46, 28 October 2021 by 107.77.204.9 (talk) (Typo)

Mercurial Grabber is an executable made for the purpose of stealing Discord tokens. It has been open-sourced on GitHub and is flagged by most common anti-viruses. However, instances of it have still been seen recently, such as, but not limited to, an application named "HoneTweaker.exe".

Mercurial Grabber
Language: C#
Obfuscation: None
Behavior: Browser Secrets (only Discord token)
Lasting Effects: Runs when your machine starts up.
Send Method: Discord Webhook

Internals

Obfuscation

When the executable was checked, it had no obfuscation at all.

Behavior

When the executable is run, it first checks whether any directories named "Discord", "Discord Canary", "Discord PTB", or "Opera Software" exist inside your Application Data folder, and checks for "Google", "BraveSoftware", and "Yandex" inside your local data folder. It then scans those directories for strings that match the general pattern of a Discord token. After that, the program adds itself to the machine's startup folder, so the executable is run every time the machine turns on.

How to Tell if Your Machine is Infected

First, open the program named "regedit" (the Registry Editor); it will prompt for admin permissions. At the top you should see an address bar that says "Computer". Paste the following into that bar: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". It should open to a list of entries; if you see an entry named "Discord Token Grabber", or one that references the file, then your machine is infected.
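The same check can be scripted instead of done by hand in the Registry Editor. The following PowerShell is an added example written for this page, not code from the advisory or from the grabber's repository; it reads the per-user Run key and the user's Startup folder (the two persistence locations this page mentions) and flags the entry name "Discord Token Grabber" and the sample file name "HoneTweaker.exe", both taken from the page. Any other names you pass in are your own assumptions.

```powershell
# Added example (not from the advisory): look for the persistence the page
# describes in the HKCU Run key and in the user's Startup folder.
function Find-GrabberPersistence {
    param(
        [string]   $RunKey          = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string[]] $SuspiciousNames = @('Discord Token Grabber'),   # entry name from the page
        [string[]] $SuspiciousFiles = @('HoneTweaker.exe')          # sample file name from the page
    )
    $findings = @()

    # 1. Registry Run key: one property per autostart entry (skip PowerShell's PS* metadata).
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $cmd     = [string]$p.Value
            $nameHit = $SuspiciousNames -contains $p.Name
            $fileHit = $false
            foreach ($f in $SuspiciousFiles) {
                if ($cmd -match [regex]::Escape($f)) { $fileHit = $true }
            }
            if ($nameHit -or $fileHit) {
                $findings += [pscustomobject]@{ Location = $RunKey; Name = $p.Name; Command = $cmd }
            }
        }
    }

    # 2. Startup folder: any file whose name matches one of the suspicious file names.
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path $startup) {
        foreach ($item in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
            if ($SuspiciousFiles -contains $item.Name) {
                $findings += [pscustomobject]@{ Location = $startup; Name = $item.Name; Command = $item.FullName }
            }
        }
    }

    return $findings
}

$hits = Find-GrabberPersistence
if ($hits.Count -eq 0) {
    Write-Output 'No matching Run-key entries or Startup-folder files found.'
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result only means these two locations contain nothing matching the names above; the assumed names are a starting point, and the registry value's command line is printed so you can inspect where the referenced file actually lives.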