Mercurial Grabber Malware Builder

Mercurial Grabber is an open-source C# malware builder developed in May 2021 and uploaded on Github as a public repository for educational purposes. However, Threat Actors (TAs) have been using this builder to target people and steal their information by modifying the code given in the repository.

TAs can customize the builder and steal user information such as Chrome browser passwords and cookies, Windows product keys, Discord tokens, victims’ device info with screenshots and IP information. This Stealer can also steal the cookies of Roblox and the session data of the popular game – Minecraft.

The builder provides additional features to any attackers leveraging it. Some of these are hiding the console during execution, creating start-up entries to establish persistence, and using anti-VM techniques to ensure the malware does not run in a virtual environment.

The builder also uses an anti-debugging trick to prevent anyone from debugging it. It also provides additional features for the attacker to use their personalized file icons, file names, and Command and Control (C&C) server details while compiling the malware binary.

Figure 1:Working of Mercurial Stealer.exe

Figure 2 shows a screenshot of the Mercurial Grabber Builder dashboard.

Figure 2: Mercurial Grabber Compiler Dashboard

Cyble Research Labs has evidenced that Threat Actors have used Mercurial Grabber stealer malware in recent data leaks. The following image shows Mercurial Grabber stealer logs captured by a TA in a major data leak.

Figure 3: Mercurial Grabber Stealer Logs captured by TA

Technical Analysis

In this blog post, we will conduct a deep dive analysis of the technical details of Mercurial Grabber.

We have downloaded the publicly available Mercurial Github repository, customized the settings, and compiled the binary for analyzing it. We have also changed the C&C option of the builder to to understand the C&C communication behaviour.

Figure 4: C# code of the Mercurial Builder

The static analysis of the compiled binary reveals that the malware is in x86 architecture Windows binary written in C# language (.NETv4.0.30319).

Figure 5: Basic Static Information of Builder exe

While debugging the sample, we have observed that the stealer malware contains separate classes of code for stealing functionalities, as shown in Figure 6.

Figure 6: Classes for Stealing User Data

Main Function

Figure 7 shows the primary function of the Mercurial Stealer. When the Stealer is executed, it hides its console in the background. Additionally, it checks for the involvement of any anti-debugging techniques and checks for the presence of VM in the user’s machine. If any one of the checks is found positive, the malware terminates itself without executing further.

Figure 7: Complete flow of Executable file

Stealing Windows Product Keys

The Stealer reads the registry data from the location SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\DigitalProductId anduses the custom logic to get the Windows product key of the victim’s machine. After converting the product key to a readable format, the Stealer then sends it to the C&C server.

Figure 8: Code for Stealing Windows Product Key

Stealing Passwords & Cookies from Chrome Browser

The malware steals saved credentials from the Chrome browser by reading the .db file from the following location:

  • Google\Chrome\User Data\default\Login Data\login.db

Additionally, the malware creates a file named “passwords.txt,” appends the stolen credentials in the newly generated file and sends the file to the C&C server.

The malware uses a similar process to steal Chrome cookie details from the below location: 

  • Google\Chrome\User Data\default\Cookies\cookies.db

The malware then creates a file called “cookies.txt” and copies the details to the newly created file to send to the C&C server.

Figure 9: Chrome Passwords & Cookies Stealing Code

Stealing IP Address and Geolocation

The Stealer captures the victims; IP address details and other information such as country, country code, region name, city, ZIP code, and ISP using the websites mentioned below:

Figure 10: Code for IP & Geo Location Stealing

Stealing device and Hardware information

The malware also can steal information such as Operating System name, processor information, GPU information, disk, and memory details from the compromised machine.

Figure 11: Code for Stealing Machine Info

Stealing captured screenshots

The stealer captures the desktop image of the infected machine and saves it as “capture.jpg” in the “Temp” folder before sending data to its C&C server.

Figure 12: Code for Screen Capture

Stealing Minecraft Session

The malware steals Minecraft’s session and account details by reading the JSON files “lanucher_profiles.json”, as shown below.

Figure 13: Code for Stealing Minecraft Session Cookies

Stealing Roblox cookies information

The Stealer reads the Robox game cookie information from the registry location mentioned in Figure 14 and sends it to the C&C server.

Figure 14: Boblox cookies stealing

Persistence Mechanism

Mercurial Grabber stealer creates a start-up entry to ensure the malware runs every time after system reboot.

Figure 15: Start-up Entry

Embedded SQLite Library

This Stealer has an SQLite library embedded to systematically manage all data and send it to the C&C server.

Figure 16: Embedded SQLite Library

Anti-VM Techniques

The Stealer checks for the presence of virtualization software such as VMware, VirtualBox, vboxm, qemu, and Xen and terminates its execution if such virtualization software is identified. The Stealer also checks for the presence of a debugger in the machine. It terminates the execution if the condition is found to be “True”.

Figure 17: Techniques used for saving debugging

Encryption Technique

The Stealer uses the AES GCM encryption technique to encrypt the data before exfiltrating and uses the bcrypt.dll file, supporting the encryption process.

Figure 18: Encryption Method

Communication with C&C Server

Finally, the stolen data is sent to the Threat Actor’s C&C server, which an attacker can customize accordingly. The Stealer uses two functions, SendContent() and SendData(), to send the stolen data successfully to the C&C server.

Figure 19: Process of Sending Stealing Data

Figure 20: Communication with Customised C&C


Threat Actors have been using similar malware to steal sensitive data from victim devices for some time now. Currently, we have observed Stealer malware becoming increasingly active worldwide.

The primary vectors for spreading this malware are pirated software and targeted phishing campaigns. Cyble Research Labs previously observed and reported Stealer activity aimed at organizations to steal employees’ credentials.

Cyble Research Labs will continue to monitor emerging threats and targeted cyber-attacks. 

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: 

  • Don’t keep important files at common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.     
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access T1566 Phishing 
Execution T1204 User Execution 
Credential Access T1555 
Credentials from Password Stores 
Steal Web Session Cookie 
Unsecured Credentials 
Collection T1113 Screen Capture 
Discovery T1087 
Account Discovery 
Software Discovery
Process Discovery 
System Service Discovery 
System Location Discovery 
Command and Control T1095 Non-Application Layer Protocol 
Exfiltration T1041 Exfiltration Over C&C Channel  

Indicators Of Compromise (IoCs)

IndicatorsIndicator type Description 
493fa8da8bf89ea773aeb282215f78219a5401b7SHA-1 Mercurial Builder 

aa241e2f1fb8a02c501e19fd1536dc9bba3383ed8240a0e2dc338c40ddc421dbSHA-256Instagramm Checker Working 2021.exe

Scroll to Top