What is a discord token grabber
3/16/2024

Recently we came across a Twitter feed that described a malware sample coded in Python, which was fairly new and did not yet have many detections (at the time of writing this blog); this attracted our interest in diving deeper into the sample. Upon analyzing the sample we found an interesting technique that shows how threat actors steal your credentials and any personal information stored in Discord, a popular social networking app, by grabbing Discord's auth tokens. Let's now look at the analysis.

As the first step of analysis, we used "Detect It Easy" to identify the compiler: Microsoft Visual C++. Further investigation showed that the malware's source python script is compiled using PyInstaller to create a Microsoft Visual C payload. The compiled sample has the actual malicious python script 333.py in the overlay.

[...] pyc files (including 333.pyc) from the zlib archive (overlay).

Figure 2: Extracted files from binary

Behavioral Analysis

When the original malware sample is executed, it verifies and downloads the required python modules through pip if they are not found on the user's PC.

Figure 3: Startup logo

Figure 4: Imported Modules

After downloading the required modules, it searches all the processes running in the system and kills any process whose name contains one of the strings "http", "wireshark", "fiddler" or "packet". For ease of understanding, the images shown below are from the extracted 333.pyc file.

Figure 5: Procedure for killing monitoring apps

After killing the identified network monitoring application, it sends a POST request with the following JSON, containing a "ready to log" message, to the Discord webhook URL "hxxps//discordcom/api/webhooks/954910299654328380/SKmJo86TbjSj905A8TODrBL2vC5uwsmlXWNzGsphdrRfvC_aAwwTfl02Pcrv2LW2oC8G".

Figure 6: JSON payload sent during the start of malware activity

After the initial network request, it starts the activity to steal cookies and tokens of Discord. The malware steals the token from the browsers and apps mentioned below.

Figure 7: Default location of browsers local storage

For people that constantly ask me to update it so it can decrypt the new Discord clients tokens, I already did it, thanks to [...] who tested it and it is working, so the grabber has already been updated and upgraded, for me. Unfortunately, after being "skidded" every time I made programs, I don't really want to share my codes again; being generous was a loss of time, just make your codes by yourself, it will make you better at programming, good luck for the future, cordially, venax.

The program has been made for educational purposes, do not use it for malicious purposes.

You only have to input your Discord webhook on line nine and compile it.

I updated all old Discord API versions on request links.

For the account connections (linked accounts) like YouTube, Steam, Github, I could not use the get function because converting it in a dictionary is very hard, because the Discord API gives it as a list of dictionaries and I tried to split them but it was too difficult.

Apart from that I added to the token grabber the victim's account biography as footer text.

I also managed to get the banner as gif / png in the embed; I found that it was almost the same as the avatar link but it was /banners/userid/bannerid instead of /avatars/userid/avatarid.

And finally for linked accounts I still put them in the token grabber but only deleting the characters of list and dictionary to make it look more understandable.

Thank you; if you found some solutions, send them in the Github pull requests.