 Welcome back everybody, welcome back. I'm happy you're here. You read the title, you know what we're doing today. This one should be pretty fun, I think, right? We're doing something new. We got something spicy for the gamers in the room, the gamer gang. We're gonna be taking a look at some Discord malware. And I think that's kind of peculiar and kind of neat. So if it wasn't enough for me to be checking out some Discord, you know, gamer stuff, I'm wearing a Legend of Zelda t-shirt. So if that doesn't make you like the video, I don't know what will. What we're gonna be diving into today is something that a fellow community member, right? A viewer had offered to me, sent it along. And again, please, please, please keep sending me malware. Thank you, literally, please send me malware. I'm gonna keep saying it over and over again. But this user was generous enough to donate this, send it along. And I think that it is worthy. I think it is something that we could have some fun with in a video here. Disclaimer, right? The usual kind of a notion and thing that I had to go out and say, this is a very exploratory video in that I don't know what I'm doing as I'm going through it. And I don't know all the things. I don't have all the answers. So forgive me where I fumble and stuff. But hopefully it'll be fun. We'll get to learn a little bit. We'll have a good time. And obviously this is all for education. This is all for educational purposes. There's obviously nothing spooky, scary in here meant to make you some Uber Elite hacker. No, no, no, no, dude, we're here to learn. We're here to have some fun. So let's get to it. You know, let's hop over to my computer screen where all the good stuff's going on. I have this script open. I have this script. This was the maybe discord malware.py. And the .py extension tells us that it is a Python script. 
Interesting decision for one thing because if this were to end up running on an end user computer, if this were to run on the victim or the target, it would need to be able to like know how to interpret and run this. It would need the Python interpreter program because Python is a scripting language, right? So you could freeze it, you can compile it. You could do some weird things with it to make it a bundled packaged executable. But that would be, I don't know, I feel like it would make for a large file if you were to try and get that on a victim, but whatever, we'll explore it. We'll see what's going on here. So this is the file, maybe discord malware.py. I'm having fun with this one because it is not obfuscated whatsoever. It's also written in Python and I tend to read and play with Python a decent amount. So we'll see how it goes. We've got a little import os statement right up at the top here. So getting that module, kind of getting the operating system library to be able to read in and pull some data out here. And then it immediately goes through an if statement like, hey, if the os.name or if that property from that module here is not equal to 'nt', then we exit. Then that program just goes ahead and dies. That is important because it tells us this is literally only going to run on Windows. So I have Python 3.9 installed on my machine here. I'm running Windows currently. So if I were to import os, if I were to do an os.name, we can see that it is the string 'nt' for new technology, the Windows thing, and that's all. If I were to do that exact same thing over on a Linux virtual machine, so I have a little Ubuntu virtual machine created up here, I'll spawn a terminal, use Python, import os, os.name will tell me 'posix'. So it's running Linux and it is not 'nt', it is not Windows. So there's that distinction. And that way we know, okay, this will only run on Windows. We pull in the findall method from regular expressions, that built-in library.
We pull in some functionality to be able to load and dump strings that are in the JSON format, JavaScript Object Notation. Of course, base64 for b64decode for decoding base64-represented data. And we pull in Popen and PIPE and stuff. I lost track of the words because Popen is going to end up being a function or the class constructor thing to create, and PIPE will go ahead and be the constant that it will need for making like pipes. But subprocess means we're gonna end up running code, right? We're gonna end up running a command, executing, executing like system shell commands. urllib is pulled in to grab Request and urlopen, et cetera, et cetera. So we can make calls to the internet. We of course want to know the time. We want to be able to spawn threads, grabbing the sleep functionality and knowing arguments that we pass into this program. So I don't know if I wanna go this entire video at that pace; that took us some time to just go through the import statements. And some of you that are veterans of watching this content, you know, like what? Okay, John, that's easy baby stuff, but I wanna make this approachable for everybody. So all of this, right? All these modules that we're seeing right now are native and built in to Python. So it doesn't need any other libraries or modules kind of included to run this malware. It'll just do it if you have Python. They're all part of the kind of core standard library that Python would work with. So then we go ahead and get some environment variables from that os module here. They're defined as local and roaming, which will be the names of the variables here, but we're getting the environment variables LOCALAPPDATA and APPDATA. Now again, this is only going to be running in the context of Windows. And because I'm on Windows, I will open up Command Prompt and see what those values are. I've showcased this plenty before in batch tutorials that I have that are like decades old.
And if you were to actually try and reference an environment variable or a variable in batch, kind of the language of the Command Prompt and Windows to begin with, you would normally use it wrapped in percent signs. If delayed variable expansion is on, it could be exclamation points, but that's a whole nother can of worms. Right now we just want to use like the percent signs surrounding the variable name that we want to look at. So APPDATA, right? It's going to evaluate out for me to C:\Users\John H\AppData\Roaming. Now we know the value of what that will be. We'll do the exact same thing for LOCALAPPDATA, right? Local app data. And now you can see it is Local as the subfolder rather than Roaming. So those are some worthwhile directories apparently because the program is going to grab and gather those. And then we have a whole list of paths. This ends up being a dictionary, right? So Discord will be referenced with the roaming folder slash Discord, the roaming folder slash Discord Canary, et cetera. And some local folders as well. But it's peculiar here because we can see Discord being referenced, Discord Canary, PTB and Google Chrome, as well as Opera and Brave and Yandex. All of these are seemingly getting the file system location or the path to the data and configuration stuff that might be stored for that particular program, right? We're going to end up seeing that in AppData, Local or Roaming. That's where that's typically stored. We also have some other functionality defined here, get_headers, and it will take in a keyword argument token that is kind of by default optional and set to None. But it also includes a content type as a keyword argument that is set and defined to application/json. I don't think that'll actually end up being used or modified anywhere else truthfully because most of the stuff this is going to end up doing, if it does end up working with Discord via their API, it's going to be in that JSON format.
So the headers that it defines inside of this function, after it takes in potentially the token and content type, are the content type for what request it might make if it were to create some headers. And it adds a user agent for a regular like Firefox. Oh, Chrome, here you can see. Chrome browser connecting to it. And if it has a token, it will go ahead and add that into the headers with headers.update with the Authorization header, pulling in that token. That is good to know because that I think will basically be the crux of how this works. Let's kind of minimize that for now or like fold that code. Then we can get user data with the token and that is a mandatory parameter. It will try to loads, and that's going to be the JavaScript Object Notation JSON structure and format, for making a request with the urllib library to discord.com/api/v6/users/@me with the headers that it's created previously with that token and reading it out and decoding it. So that call on its own, get_user_data, will get information about your Discord account. That's it. It's just querying the Discord API to be able to do that as long as it has a token and that needs to be passed in. So the tokens, that's gonna be the most valuable part, right? It's gonna be how your account and you are kind of connected in Discord and how Discord knows who you are, it's via your token. Now, these are apparently stored, and this is news to me, I was learning this, right? With the path that's passed in inside of this get_tokens function here, right? It takes in that argument path and adds in Local Storage\leveldb.
Now it creates an empty list of these tokens and then for every single file name that it finds inside of that directory or the path that it's just built out here, it will check, hey, if that file name does not end with .log and it doesn't end with .ldb, then just ignore it, continue on this for loop and keep cruising through until we find something that actually does work. If we do find a file that has .log or .ldb, then we will look through every single line in that file once we open it up. We'll open up that file, ignore any errors and then read every single line and look through them. So yeah, it just pulls out those lines and then it uses the regular expression syntax for a regex in this kind of tuple of two potential regex structures, the patterns that it's going to look for, whether it is a word, excuse me, word character or another 24 iterations or occurrences of those, word character following a period, six iterations of those, another one, et cetera, et cetera, or because it's a for regex in both of these, it'll continue to loop through both of those, or if it starts with mfa, a period, and then 84 word characters. If it finds those based off of that findall call, it goes ahead and adds it to the collected tokens. So it's just going to end up carving those out. That's it. Interesting, right? There's real functionality to steal and harvest the tokens for your user account. So let's put that away temporarily. And then we have another good one. We have this get_developer function here. I don't know what this dev equals WODX might be referring to. I don't know why that's created or why it's set to that because just after it, again, it will try to do something and if it fails, it totally ignores it, but it will go ahead and download the data from this Pastebin URL. Now, I wish I could make this pretty cool and pretty fancy, but I don't think that that actually exists. Yeah. pastebin.com/raw, that. Yeah, it's no longer available.
I don't know if anyone knows or if there's a good way to be able to kind of track down some previous pastes, maybe it's the Wayback Machine or Internet Archive or whatever, but that would be interesting to see what that had. Regardless, can't offer too much there. Another interesting function though, get_ip. All this does is make a GET request out to api.ipify.org, which we've seen in other videos, will just straight up tell you your IP address. So it collects your public IP address. That's what this Discord malware is, another thing, another piece of information that it will steal and collect and grab. It will also grab your avatar. Again, just reaching out to the Discord API with your user ID and avatar ID, seemingly, yep. But those would be pulled in and passed to this function here, carve it out. And then we do some interesting stuff that's kind of native and local to that computer. This getHWID or the get hardware ID, that's gonna end up using WMIC or the Windows Management Instrumentation Command-line, that tool utility, kind of old. It's a very cmd.exe-like and DOS-oriented interface to the Windows Management Instrumentation interface. It will go ahead and grab the UUID of this current computer. It will run that as a shell, collecting all the data, and that's why we pulled in Popen or those subprocess module functions, right? Pull all that down, collect it, have the convenience functions to be able to do that. Then it does some other spooky stuff. Like, hey, we got getFriends carving out, hey, whatever relationships your Discord user might have, again, passing in the headers generated by the token. And it will get chat information. Based off of another user, I'm assuming you're chatting with, right? Reach out to the Discord API for the current user with that token for your current account data, checking if the recipient's ID is going to end up being whoever that other individual wants to talk to or their chat history might be. Pulls it down and pulls it.
Now, this one's kind of spooky, spicy, juicy. Hey, what kind of payment methods do you have? Do you have payment methods? Let's pull it down, let's carve it out. So all this one does is check whether or not you actually do, right? It will return a Boolean value if there's content in there. Determines from length, right? As it loads and carves out the JSON, checking out your billing payment information and those sources there based off of your token. Nice. This one is a sendMessage functionality so you can chat with other people that actually the program itself can send other messages via the API. And it adds it in as a really interesting, file, multi-part form data boundary. It's actually added in there. Form.encode, read.encode. Okay, so it posts that data sent along to it, I'm assuming. And this other one, this other function is called spread. Takes a token, takes the form data in a delay variable and it actually is currently disabled. This return function will tell it, hey, don't actually run anything for that function. Just kind of stop and don't bother. But if you were to comment it out, just like this comment here says, hey, remove to re-enable this, well then it'll continue down on the rest of this code. And it grabs all of the friends that your account has and then it tries to actually get the conversation with them, get the chat ID, right? Get to know who that individual is, know the message conversation and then send them a message with the supplied form data. So imagine all of your friends on Discord getting slammed with whatever message or spam comes from this. And it'll sleep just a little bit of time to not be an absolute machine, but that's how it will spread this virus or malware, collecting and harvesting more tokens. There you go. Now this main function is where all the real action happens. This is where it all kind of goes down. 
The main function is what's going to end up running and executing when the program runs, but all these other functions that we just saw previously, that was building out the functionality for what this tool can do. Now the main function will apparently cache some of the data that it finds, stores it in roaming .cache with a little hidden name there. It'll prevent spam supposedly. I don't exactly know where that else is going to be used or even if it is, I'm Ctrl+F-ing for it, but that's literally the only place that's defined and ever used. It doesn't do anything. self_spread = True. That is apparently used later. We have two matches in that. So we'll get to that in just a moment, but the embeds is an empty list, working is an empty list, checked, all these other things are defined, but it of course immediately grabs your IP address. Hence that get_ip function. Then it will grab your username based off of the environment variable on your computer. And we've done this already, right? Pulling up our command prompt, getting that variable USERNAME. In this case, it's John H for me. The other one it grabs is COMPUTERNAME. Good enough. Creator is the name of my desktop machine right now. And USERPROFILE is going to end up being where it will look for your like programs, et cetera, et cetera. So your essential home directory, right? In this case for me, it's Users\John H. And that's usually just a user's directory. Developer is going to end up retrieving whether or not supposedly this is a developer account, but we don't know what that Pastebin link actually ever had. And then we start to steal some tokens. Yep. Now we start to loop through all of those paths that we had seen already defined up top here for Discord, for Discord Canary, Discord PTB, Google Chrome, Opera, Brave, Yandex, et cetera. Now I'm not positive if this is stealing like Google Chrome or Opera credentials. I really don't think it is.
I think it's strictly looking for the things that Discord stores and saves and how they do that. But we'll explore and we'll dive into it in just a moment. For each platform and path in those locations, it will try to see if that path exists. If that folder, if that file location doesn't exist, well then it's safe to assume, okay, Opera is not installed or Brave is not installed. So it'll just continue on and keep looping. Now it'll try and get tokens from that path. So this location, roaming slash Discord, now looking at that get_tokens function again, \Local Storage\leveldb with these .log or .ldb files, those will have the tokens that this malware is trying to carve out and steal and compromise. That is the data that's going to end up kind of grabbing. If it has them, if it's kind of in checked, then it won't bother to do them again. If it does already have those, or if it doesn't, it'll keep getting those. If it doesn't start with mfa, I'm assuming that's going to be like multi-factor authentication, it will try and do some base64 decoding magic to grab the other format or representation. But then all it simply does after it has your token is it grabs your user data and then it gets all the information that you might happen to have, right? Your username, your Discord ID, your avatar, your email address, your phone number, your premium type, whether or not you're using Nitro, just grabbing your avatar and of course your payment methods. Huh. So let's get a little meta right now because I think we've laid out enough groundwork that we could really show you how this works. And I have to be careful about doing this because I'm essentially going to hack myself and put it out on the internet or whatever. I'm gonna blur obviously a lot of the sensitive stuff out, but we know the file locations where Discord is going to end up storing our token, right? Check it out. Do we still have our command prompt open? No, we don't.
All right, so let's bring this down again. We know it's going to be in that roaming variable which was grabbing the data out of AppData. So if I go into that directory, we know that there was a Discord directory, right? Cause that's where it tries to go find the Discord. Now I have Discord installed, right? You can see it kind of in my system tray down here and I use it all the time. Inside of the Discord directory, we know from this get_tokens function, there should theoretically be a Local Storage subdirectory and a leveldb subdirectory. So let's go check that out, and there are those directories. So if I clear my screen here, cls I think in Windows, yeah, yeah, yeah. I'll dir to see what files we have in this directory and check it out. There are these .log and .ldb files just as it mentioned. Now I need to be super-duper careful here because I'm going to basically hunt for those tokens the same way or at least in a very similar way that we know this function was going to do it. It just looks for regular expressions where an mfa might be present with other word characters. I'm gonna do that just for my account and I'm hopefully gonna successfully blur out the contents here. Because if I were to go ahead and try and run strings, and I have that Linux utility kind of installed on Windows right now from MinGW and stuff, if I were to strings out everything, there's gonna be a lot of crap and a lot of content. I'm really sorry, seizure-inducing thing. But if I were to take that strings of everything and look for the plain text strings, and if I were to essentially use grep if I were running on Linux, right, but I don't have grep installed, so I'm gonna have to use the Windows findstr. If I were to run findstr with that data that we know is going to be in the text there, mfa, I will add some spaces so that's visible. Check it out. I'm gonna have to blur that. I'm gonna have to censor that because those are genuinely my Discord tokens.
So now let's make it even worse. Now that I've showcased that, let's go ahead and try and retrieve the same information that this malware would have received, yeah? I'm gonna hop over to my Linux virtual machine to be able to do that really quickly and create a new directory here. Just for keeping things clean, I have to make the directory, make directory Discord Mal for Discord malware. And we know I'm going to censor a lot of this here. I'm like collecting my thoughts as I realize what I'm accidentally or might be showing on screen, right? We want to use the curl command so we can actually go ahead and access that API. I'm gonna nerf that command prompt real quick and I will paste in the Authorization that we know was the header that used our token. So now that my token is pasted in, there we go, I will go ahead and retrieve the data that might come from getting my user information, that get_user_data function, right? So Discord app users @me is the link that we're going to, including the headers, all that we've sent thus far. So if I include that, if I hit enter here, I made a mistake, authorization is wrong, I will try a different token. I did have a couple others that opened up in that command prompt. Let me go reopen and do that in just a moment. Okay, I'm back. Now I have verified that I have the correct token because there were multiple that were listed in my account. So if I were to go ahead and make this call request, hiding my address here, I will pipe this to jq so it's kind of pretty and beautiful. There we go here. Take a look at that. That's the data that you can pull, you can see a supplied phone number, you can see the email address, you can see the country code, the avatar, the ID number, et cetera. Now if we were to try and pull the payment methods, if we were to try and pull the actual friend list, if we were to try and pull other messages and send other messages, that's what this could do. Let me do that just to show you the spooky, right?
So we have some fun with get user data, but now that we know we could get the avatar or get the friends or the payment methods is probably gonna be what the hackers are interested in, right? They wanna see what other information could they carve out of this. So I'll grab this location and I will go ahead and add that in to what we will go ahead and display out with JQ here. Paste that in and I'm gonna need to blur this. You can see a kind of card and payment method, you can see the last four of that credit card, you can see the original address for the billing address, et cetera. That can get kinda spooked. Okay, that's enough publicly embarrassing myself or trying to hack myself via this malware, just using the tokens that you can uncover from the Discord account that is stored and saved on your computer here. Let's continue to explore what we had because this now got interesting and that it would collect all this data, right? Whether or not you have Nitro, what billing methods you have and you would be able to have that message received and if you were the hacker, if you were the bad guy, if you had this malware, if you were distributing this virus, right? You can get the account info, the PC info, IP address, right, PC username, PC name, et cetera and token location, right? I think I see over here. Yeah. And then the token themselves, right? So you could become and act as that user. The author here is whatever is really supplied in that username or user ID, but the footer is kinda interesting. It says, hey, this is a token grabber by THC4L. Gotta love that attribution. Am I right? I love it when they just straight up tell you who you are. Granted, this is a hacker handle. It's an alias. It's not anything like whoever, it's not a name or an individual, but we could obviously do some more research, do some more digging and trying to see who THC4L happens to be and with these embeds, right? 
Now we've saved and captured all of that and it could be sent later on and retrieved for whoever was ending up using this token stealer or this malware. So it will of course save all this information in that cache path that we saw previously. It will append some data to working that I'm not exactly positive why that's doing it, but take a look at this webhook, right? The webhook includes the embeds that was just carved out from this username that we might wanna supply in for the bad guy, right? And this avatar URL is supplied. Now, if I were to go back to Chrome, try to see what this avatar might be. I wish it were something kind of more fun, but it's just kind of the bland blank Discord logo. So after we've defined this webhook, we try and make a request to the webhook and send that data, right? So that way, the bad actor, the one waiting to receive all the stolen information, the stolen tokens, et cetera, those would be displayed and just sent to them, right? Those are fish that they caught in their fish net. Great. We also have some other functionality for self-spread, whether or not this thing is going to spread, and we did see that was set to true, right? So for every token that it knows is working for everything that it collected, it will try and open up itself. It'll try and open up this script, like this Python code on its own. It'll read that, save it as this content variable, and then develop a payload that will send with the data information name, the file name will be this file, right? And then the content being this entire script, being this code. And now, an interesting thing is that it includes the message server crasher, Python download and it links to the Python website so that potential victim or target might be fooled and maybe they'll go download Python so they could run this to go crash some servers, I don't know, or it'll just keep farming tokens for the original bad guy. So there's that. 
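The webhook drop described above gives a defender a simple network signature: a scripting interpreter on a workstation looking up its own public IP, querying the Discord account endpoints, and then POSTing to a Discord webhook. The following is an added example, not code from the video or from the malware, that runs that detection logic over a constructed, simplified outbound-HTTP log (the five-column format, the hostnames and the process allow-lists are assumptions for the demo; the webhook URL is a placeholder).

```python
"""Flag the exfiltration pattern described in the video: a non-browser
process on a workstation doing a public-IP lookup, hitting the Discord
account API and POSTing to a Discord webhook.

Added example. Log format below is a constructed simplification:
  <timestamp> <host> <process> <method> <url>
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). The webhook id/token are placeholders.
SAMPLE_LOG = """\
2021-03-19T10:00:01Z ws01 chrome.exe GET https://discord.com/api/v9/users/@me
2021-03-19T10:00:05Z ws01 python.exe GET https://api.ipify.org/
2021-03-19T10:00:06Z ws01 python.exe GET https://discord.com/api/v6/users/@me
2021-03-19T10:00:07Z ws01 python.exe GET https://discord.com/api/v6/users/@me/billing/payment-sources
2021-03-19T10:00:09Z ws01 python.exe POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_WEBHOOK_TOKEN
2021-03-19T10:01:00Z ws02 Discord.exe GET https://discord.com/api/v9/users/@me
2021-03-19T10:02:00Z ws03 python.exe GET https://pypi.org/simple/requests/
2021-03-19T10:03:00Z ws04 powershell.exe POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_WEBHOOK_TOKEN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")

# Processes that legitimately talk to discord.com on a workstation (assumed allow-list).
EXPECTED_DISCORD_CLIENTS = {
    "discord.exe", "discordcanary.exe", "discordptb.exe",
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
}

# The three network behaviours the script in the video exhibits.
INDICATORS = {
    "ip_lookup": re.compile(r"^https?://api\.ipify\.org/?"),
    "account_query": re.compile(r"^https?://discord(?:app)?\.com/api/v\d+/users/@me"),
    "webhook_post": re.compile(r"^https?://discord(?:app)?\.com/api/webhooks/\d+/"),
}


def classify(line):
    """Return (host, process, indicator) for a matching log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, host, proc, method, url = m.groups()
    for name, rx in INDICATORS.items():
        if rx.match(url):
            if name == "webhook_post" and method != "POST":
                continue  # only an actual POST to a webhook is a drop
            return host, proc.lower(), name
    return None


def severity(indicators):
    """Account enumeration followed by a webhook POST is the full pattern."""
    if {"account_query", "webhook_post"} <= indicators:
        return "high"
    if "webhook_post" in indicators:
        return "medium"
    return "low"


def detect(log_text):
    """Group indicators per (host, process) and report the suspicious ones."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            host, proc, name = hit
            seen[(host, proc)].add(name)

    findings = []
    for (host, proc), inds in seen.items():
        # The real client or a browser querying its own account is normal traffic.
        if proc in EXPECTED_DISCORD_CLIENTS and "webhook_post" not in inds:
            continue
        findings.append({
            "host": host,
            "process": proc,
            "indicators": sorted(inds),
            "severity": severity(inds),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} {f['process']} {f['indicators']}")
```

Running it against the sample flags ws01/python.exe as high (IP lookup, account and billing queries, then the webhook POST) and ws04/powershell.exe as medium (webhook POST alone), while chrome.exe, Discord.exe and the python.exe that only talked to PyPI produce nothing.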
This thing could potentially spread, but it does rely on that end user target victim computer of course having Python installed. So that's why they're literally linking the download to go install Python. And it threads this out, right? For every single token, it tries to spin it off and they'll go spread, that function that we saw earlier that will message everyone in their friends list. It'll include the token that it needs, right? The payload and then how long it's going to actually wait to send those. It looks like, what is that? Seven and a half seconds, I think, but starts it. And that's it. It runs that main function. But that is the damage that could come from this thing. Now I got kind of curious, right? I wanna know who is this THC4L if they're literally telling us, hey, check it out. This is a token grabber. Here's some Discord malware by yours truly. Me, is this known? Is this present on the internet? So I started to ask Uncle Google, went to our good friend over here, token grabber by THC4L. Let's look for, I guess, Discord reference here. And now there's a lot of peculiar stuff. In fact, this one, I just saw the other day. This is literally when I was receiving this message when someone sent this code to me, which was yesterday. This video was released then the day before and now this is two days ago. But this video is kind of peculiar. It shows other interesting things. It's just not the exact same code. It's actually a completely different program. So maybe we'll dabble in that for just a little bit. I actually kind of wanna table this. But the comments here are interesting. I like this thread here. It says, hey, this is for educational purposes only. I'm not responsible if the tool is used for illegal purposes, and you can download it with the password here. But the tags are Discord Token Grabber GitHub, Discord Token Grabber, Discord Token Grabber, Best Discord Token Grabber Discord. Like, yeah, is that so, buddy?
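Everything the walkthrough pulled out of the script (the os.name gate, the AppData lookups, the Local Storage\leveldb paths, the users/@me, billing and relationships calls, the api.ipify.org lookup, the wmic csproduct get uuid hardware ID, the webhook, and reading its own source for self-spread) is a string or expression a triage script can look for statically. The block below is an added example, not from the video or the malware, that scores a Python source for those indicators. The two inputs are constructed fragments written for this demo: one that carries the grabber's fingerprints (with placeholder webhook and token values and no working token extraction) and one harmless bot that only queries the Discord API; the weights and thresholds are assumptions.

```python
"""Static triage of Python source for the token-grabber capabilities the
video walks through. Added example; weights/thresholds are assumptions."""
import re

# (label, regex, weight). Weights are an assumption: the LevelDB path and the
# webhook are the strongest signals because a legitimate bot needs neither.
INDICATORS = [
    ("windows_only_gate", r"os\.name\s*!=\s*['\"]nt['\"]", 1),
    ("appdata_lookup", r"\b(?:LOCALAPPDATA|APPDATA)\b", 1),
    ("leveldb_path", r"Local Storage.{0,4}leveldb", 3),
    ("ldb_or_log_files", r"\.(?:ldb|log)['\"]", 2),
    ("discord_account_api", r"discord(?:app)?\.com/api/v\d+/users/@me", 2),
    ("billing_or_friends", r"/users/@me/(?:billing|relationships)", 2),
    ("public_ip_lookup", r"api\.ipify\.org", 1),
    ("wmic_hwid", r"wmic\s+csproduct\s+get\s+uuid", 2),
    ("discord_webhook", r"discord(?:app)?\.com/api/webhooks/", 3),
    ("reads_own_source", r"open\(\s*__file__", 2),
]

# Constructed fragment carrying the fingerprints described in the video.
# Not a working grabber: placeholder values, no token parsing, no sending.
SUSPICIOUS_SAMPLE = r'''
import os
from subprocess import Popen, PIPE
from urllib.request import Request, urlopen
from json import loads
if os.name != "nt":
    exit()
roaming = os.getenv("APPDATA")
local = os.getenv("LOCALAPPDATA")
PATHS = {
    "Discord": roaming + "\\discord\\Local Storage\\leveldb",
    "Chrome":  local + "\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb",
}
HOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_WEBHOOK_TOKEN"
def get_ip():
    return urlopen("https://api.ipify.org").read().decode()
def get_hwid():
    return Popen("wmic csproduct get uuid", shell=True, stdout=PIPE).communicate()[0]
def get_user_data(token):
    req = Request("https://discord.com/api/v6/users/@me", headers={"Authorization": token})
    return loads(urlopen(req).read().decode())
'''

# Constructed harmless bot: talks to the same API but touches nothing local.
BENIGN_SAMPLE = r'''
import requests
BOT_TOKEN = "Bot PLACEHOLDER_BOT_TOKEN"
def whoami():
    r = requests.get("https://discord.com/api/v9/users/@me",
                     headers={"Authorization": BOT_TOKEN}, timeout=10)
    return r.json()
'''


def scan(source):
    """Return {label: match_count} for every indicator present in the source."""
    hits = {}
    for label, pattern, _weight in INDICATORS:
        n = len(re.findall(pattern, source))
        if n:
            hits[label] = n
    return hits


def score(hits):
    """Sum the weights of the indicators that fired (presence, not count)."""
    weights = {label: w for label, _p, w in INDICATORS}
    return sum(weights[label] for label in hits)


def verdict(total):
    """Thresholds are an assumption chosen so a bare API client stays clean."""
    if total >= 8:
        return "token-grabber indicators"
    if total >= 4:
        return "suspicious"
    return "no signal"


def triage(source):
    """Convenience wrapper: (score, hits, verdict) for one source file."""
    hits = scan(source)
    total = score(hits)
    return total, hits, verdict(total)


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        total, hits, label = triage(src)
        print(f"{name}: score={total} verdict={label} hits={sorted(hits)}")
```

The suspicious fragment fires seven of the ten indicators (gate, AppData, LevelDB path, account API, IP lookup, WMIC, webhook) and scores well past the threshold; the bot only matches the account-API pattern and stays at "no signal". To triage a real file, read it into a string and pass it to triage(); the patterns are deliberately loose (v6 or v9, discord.com or discordapp.com) so minor variants of the script still match.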
Educational purposes only, except you really wanna tell people about it. You people really should know. So that's that. The comment is like, hey, LOL malware. And the comments are like, for real? Yeah, man, LMFAO. Now the file itself is a token grabber, so we're trying to grab people that are trying to grab someone else. Ooh, ooh, what a scheme. Hack the hackers, am I right? So there's that. There's another interesting one, how to use Token Grabber on this location. Uh-oh. Oh, where am I now? Easy way to get Discord tokens. This just looks like. This just looks sketch. Discord malware stack overflow. How to spam RAID Discord servers 2020. Best Discord token stealer. Oh, there's GitHub stuff like this. So this like opened my eyes to a complete new world that I had no idea existed. And this actually, the original individual that had sent this to me told me that he produced this or published this and posted it on Stack Overflow. And he said, hey, a friend of mine contacted me with a problem he's been having with Discord. Windows Asset Program, the code below should be run with and default is Discord. Every time Discord is run, the chunk of code is run. So it looks like they didn't have like Python actually installed or something. And maybe it just, right, it wouldn't run. But that was the original code. The comments here are like, yeah, hey, that does seem to be malware. He says, what I believe to be the creator's YouTube channel is referencing the code here and you could go visit this link. But of course, hey, that's been terminated and shot down for being a bad guy. And then the creator's Twitter account is apparently linked in the code. I didn't see that exactly, but Kelly Linkox that are protected tweets, errors.tools. Oh God, that brought me to a Discord server. I'm sketched out. Leave me alone. So let's put that one away. Sorry, I didn't mean to be shouting. 
The response is, hey, that is malware, not only a token logger, but also stealing Chrome, Brave, Opera, and Yandex passwords. Uninstall that immediately and change your passwords. YouTube channel of creator. That's the same link as earlier. As it turns out, it also steals your IP address. So we saw that as we were going through it, but I'm not a thousand percent positive if it is stealing like your Chrome cache or the web browser passwords that are stored and saved locally. Brave, Opera, and Yandex passwords. I don't know, because I just don't know off the top of my head where those are stored or how those are stored, but it looked like it was more pertinent to getting the Discord stuff. It didn't seem to have anything specific to like, hey, cracking or, those are not the right words. But tracking down the Chrome cache and everything, these are specific to Discord, I think. Maybe those are going to be the locations if someone were to open and use Discord in the browser, in those browsers, maybe where that information is stored. I don't know, truthfully, the desktop application of Discord is what I'm using and that is where we saw genuinely the Discord tokens. So that's that. This is an interesting one, I think. This site wants to show me notifications? No, no, thank you. Of course, video is no longer available. Some other peculiar things, but like, look at this, look at this. Some of these, oh no, these actually aren't that bad. There's like, hey, create a Discord bot, you know? Good stuff. Genuine purposeful use, but best Discord token stealer grabber hosting in scripts, March 19th, oh, that's actually today. You can see that down below, like in my calendar down there. It's genuinely March 19th, is this updated today? These are just, that's just a crap ton of tags. You don't need to download any files. Imagine the, imagine the audacity, right? 
Imagine the, imagine what fire has to be in you to make the sales tactic, to market this thing, like oh, you don't need to download, you don't need to have any extra software. It's fully undetectable. Whatever you do to like market and have a business strategy for malware and bad stuff is just insane. Oh, here's a video. Today I will show you a Discord token stealer. Yeah, is that right? Oh, this is the same, this is the same YouTube video that we saw earlier, didn't it? Isn't it? Wait, let's go to YouTube. Let's see this thing for real. No, this is back in February. Tamed Devo, download area. Oh, they sent me a Discord link. I don't like it. 51 comments. What are these people doing? The Juice WRLD song just hits different, man. Okay, okay, you know what? Let's, what else does this thing do? Oh no, this is the exact same footage that we saw in that one that was uploaded just two days ago. Wait, what? What is he sending? Install this to get free Fortnite hacks legit. H1111, how do you XE? What the heck? What was that? Webcam.jpeg, oh, I don't like it. That's, oh no, get me out of here. I'm leaving. GitHub stuff that doesn't exist, but like, check it out. So let's say we were to look for that on YouTube. Like we had Googled THC4L, and now there's a gray dank discussion community post, apparently redirecting me to slamnetwork.rf.gd. That might not be good. But he's all about, look, dude, check me out on YouTube. THC4L cheats, check me on YouTube. I don't know if this is the way to internet fame, my guy. I don't know if this is the path you wanna take to be a content creator. Shop paid my THC4 discord token shop. I'm clicking on, I'm going to weird parts of the internet right now and I probably shouldn't. So I'm gonna stop. I'm not gonna do that anymore. But look at this video, before I actually, you know, hang on, I've said a lot of things. I did have an original thought though, that I wanted to latch on to before we get to kind of the end of the video. 
This, this best discord token stealer grabber 2021 that was released two days ago, this download is different, right? I'm gonna check it out, steelybuilder.rar. I just wanna see if it was the same thing because when I checked it was different. I am gonna do this on Linux. Actually, I have ILSpy, so I know, right? I'm gonna have a little bit of foresight to, excuse me, figure out what might be going on here. I need to have a RAR decoder. Do I have ILSpy on this thing? /opt/ILSpy, I do. All right, so let's do that. Let's, we have Firefox open on this. Go to that URL, please download that thing. Come on Mega, yep, that's fine. Download the thing, downloaded it. Save, please, I'm gonna go back to my terminal. I'm gonna move that Downloads steelybuilder.rar. Let's unrar that thing. Steelybuilder, what, is unrar a command? I have to install it, what? All right, if you guys can't tell at this point, I have taken off my presenter showman personality persona and now I'm just kind of goofing. So yeah, let's unrar that thing because now we're back on the keyboard. Why can I not tab complete that? unrar x or something? Yeah, enter password. Oh, it said it was six. Yes, use the same password on all of them, please. Okay, so now I have this builder directory and I have all these files in here. We have a steelybuilder.exe and an assembler source. What is that? Steely.il, whoa, whoa, what is this? This should be C#, C# syntax. Is that right? I don't know. Module is Hog Stealer v4. I don't know how much we'll get out of this but index.js, other variables? What the heck? All right, this, before we dive in, I don't think we really need to deal with the IL thing because we know that this executable, right, is a .NET assembly so we can open it up in ILSpy, especially if this is a .il. There's particularly good stuff in there. So let's run /opt/ILSpy/ILSpy and completely change direction to go analyze something else, you know? Oh, please forgive my malware. 
Please totally ignore all the other things I had open. We want to go to discord mal builder, steelybuilder, and our good friend steelybuilder has assembly version 0.0.0.0, which makes sense. Some of the references that it refers to are nothing interesting. Text for the expression, actually there's a lot here though. There's like a lot here. I don't know if that's just from what it already had in ILSpy or something but first and second have these values. This looks like JavaScript code. That looks like JavaScript code. Am I wrong? Those are in the resources though but we genuinely have and can see those. Can we not? Rez resources, steely.rez. Is that gonna be plain text? Nope. What about you? Nope. I also like could save that to a table so let's do it. Let's put that in discord mal builder. Wait, no, no, no. I just want like a plain text thing. Resources.xml? Resources. Imagine that. We'll call the resources file resources. Resources. Oh, what the F guys? I don't know what I'm doing. Can I copy this whole value? No. String table. Okay. That looks like JavaScript though. That's very obfuscated and not easily readable so I'm very sorry that you can't see that. Sorry for that tangent everybody. That's the danger in doing it like live except it's not live. You're gonna be, this is a dead John by the time that you watch the video but I'm doing it live in the past so that I can have the opportunity to edit things out and blur things like payment information and my Discord token and all that. So yeah. This Hog Stealer v4 program checks out a couple build strings, Discord of course, enumerates through all of them and runs Mod and Melt. So Mod will check if the directory exists, and the GetFolderPath Environment.SpecialFolder path slash build, which is that, and if it does, inside of each of those directories it adds an index.js. Oh wow. Okay. 
So that index.js must have been that other value for each string text and files. If it contains a discord_desktop_core it will go ahead and take the full path of that location and replace the discord_desktop_core modules with our index.js. Okay. So it's just going to like basically hijack what Discord will do to begin with, and it replaces the hookId, hookToken variables, and that I'm assuming is going to be another webhook, right, to send that data out to the individual, the bad guy collecting all this data. So username will be Hog Delivery Service, avatar URL. Ooh, we got a little bitly link here. Dude, we should check that out. Let's do it. I am in my VM still, right? Look at that, Hog Stealer. So part of me wants to save this image and go look around to see like where else is this used on the internet? If I do a Google Images on this, are there any other spooky squirrely places that people have just straight up, I don't know, used this software? If we were to search for Hog Stealer v4, is there anything out there? Soft. The definition by Merriam-Webster. Fat pig meme. Oh, okay. Okay, okay. Let's get back to looking at C# in ILSpy. So content says congratulations. A Discord client has been infected with Hog Stealer. Whoa, congrats, what a party. Modifications will only be applied upon restarting the client. So you may have to wait a little. Yeah. And then, okay, it sends a web client, webhook stuff. Melt. I'm assuming looks like it starts cmd.exe with a choice and deletes itself. The & DEL is to run the other command and it's gonna grab its current process and its file name. So it deletes itself. Okay. And that's it. Checking out settings over here. Oh, you got a "your webhook". So like the webhook that we saw in the Python script and this webhook that we can see right here, like it's cool that we can see it at all but I don't know if there's a way that we can like kind of skirt back as to where it's used or how it was, where it was ever put to use. 
Maybe I'm just naive. Maybe I'm stupid. But if your webhook contains that information, it checks, hey, is this a valid webhook, right? Then it will carve out the hook ID as is necessary and the hook token and grab it all and then program Melt, or kill itself supposedly. That's Hog Stealer as kind of an extracurricular to the Python one that we were doing, this time written in an actual executable, right? Actually written in a .NET assembly program to be compiled and could run, but I don't think this will spread the same way unless, we don't know what that index.js was though. Oh, I really want to find that index.js. Was it in steely.il? Cause we had this thing open. We know there was a constant value in a string. No. Dang, I really want to see how we could deobfuscate, just get that JavaScript, but maybe that'll have to be a different video because I think we've already been going for quite a while. I think we're already at an hour. So we've been partying. If I were to run foremost though and like steely.resources, would it carve it out? Oh, shoot. Is it an output? No, it's just audit right now. Oh, that needs to be rm -r because it's a directory. Same problem. Checking out output. Yeah, nothing. And it would be a string. So maybe if we did like a strings everything grep for that constant command, grep -i. Oh my gosh. I don't care. We don't even need -r. So for const, oh, it's all gonna be on one line, right? This is humongous though. Zero bar. And this is probably muffed up in some way but oh, this is like base64 in here. I'd be curious to like run this with node and be carved up. Look at it. Yeah, yeah, yeah. Discord modules.node. It's indexing a bunch of stuff. This would be a gold mine. It's also horrifically disgusting obfuscated JavaScript and that will be hell to go through. But I see some passwords and stuff in here. Oh dude. Content type, hookId, hogstealer v4. We're in the right spot, ladies and gentlemen. 
I don't know if we're cleanly carving it all out though, just trusting strings. That seems like a bad idea. But this definitely is a good start. So, regex, electron require. Yeah, massive, funny. Maybe this has some goodness to it that we could look through eventually but I don't think I have the volition to do it right now. I'll be honest. Add it to the list. Keep screaming at me in the comments if you want me to go back and do this thing eventually. If I can, I'm probably gonna fail at this thing but. Wow. Okay. Well, I hope you have fun. I will say, as I mentioned, that this is crazy to me. Cause look, we were looking up Discord Token Stealer when we had looked it up on YouTube. There's a lot of stuff on this idea. Demonstration Discord Token store three months ago. There's one two weeks ago. Imagine running one in pipe. Oh, we have to watch this now. Easy way to do Discord Token. Best Discord Token grabber. Grab all the information of an account. How to hack a Discord Token. Oh my gosh. This is a whole new world and I have no idea. So maybe we'll have to pour into this a little bit more if some folks are curious about the Discord stuff. But I think that just blows my mind. Cause I don't know. I'm not that kind of guy. You shouldn't be that kind of guy. No one should be that kind of guy. No one should be doing that sort of thing. It's all bad. It's bad. So I hope you did learn a ting or two. A ting, a ting or two? I don't know what I'm saying. I'm getting to the end of the video when I'm burning out. You guys know me. So I hope you had fun. I hope you learned a thing or two about some of this Python stuff that we were doing. I hope you enjoyed it. Maybe dive into some of the research or just Googling around with me. ILSpy again for checking out that Hog Stealer one. We could maybe research if there's some other stuff on that. Of course, like the token grabber thing we saw referenced to. 
And if we're Googling Hog Stealer v4, the sewer pig, cool grabber, black troll, black troll malware, AnarchyGrabber stealer. This, this has some runway. You know, Hog Stealer. Oh, this is the source code. This is just, this is just the original thing. I don't have to use ILSpy, is it? Wow. Oh, I thought I was gonna end the video, but I mean, they're doing basically the same thing we saw already. Kind of neat though. Solution settings. Yeah. The sewer pig.github. Not cool dude. Hog spammer. A Discord raiding tool written in HTML and JavaScript. Oh, join my server everybody. Prepare to get spammed. Oof. AnarchyGrabber targets Discord users. That's insane to me. Oh, it does the same thing though, index.js file. Apparently that's a known technique. Clobbering index.js to run different things. You literally hijack what Discord does as it starts up. That's insane. Well, hey, if you didn't know anything about Discord tokens and Discord session stealing, now you do. You know just as much as me at this point. So wow. Wow. Wow, wow, wow. Hey, I think I'm done recording at this point. I had fun. I hope you had fun. I hope this was a good video. I really appreciate you watching. I appreciate you doing all the YouTube algorithm things and you can tell by the endless video I'm already going crazy. So if you enjoy my suffering, if you like watching this pain, if you like kind of seeing it, please do those YouTube algorithm things. I'd love to see you like the video. Remember that. Remember the Legend of Zelda t-shirt. Dude, that gets a like. Come on. I feel like that gets a like, comment and subscribe. If you could please like, comment and subscribe, I'd be super duper grateful. Thank you so much for watching everybody. I love you. I'll see you in the next video. This has been fun. Take care.
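Added example, not code from the video, from the Python sample, or from the Hog Stealer or AnarchyGrabber projects it looks at: the Hog Stealer walk-through (the builder dropping an index.js into each discord_desktop_core module directory and swapping in hookId/hookToken) and the AnarchyGrabber note at the end both describe the same persistence trick, so the practical check is to look at that file on a machine you suspect. This Python scanner walks the Discord build directories under %LOCALAPPDATA%, flags any discord_desktop_core/index.js that is not the one-line stub a clean client ships, and pulls webhook id/token pairs out of a replaced file, including ones hidden inside base64 literals like the ones seen when running strings over the resource. The build-directory names, the contents of the clean stub, and the two demo index.js files that build_demo_tree writes are assumptions constructed for illustration; compare the stub against a clean install before trusting the tampered flag.

```python
"""Scan Discord desktop installs for a replaced discord_desktop_core/index.js.

Added example, not code from the video or from the samples it examines. Paths,
the clean-stub contents, and the demo files are assumptions; verify against a
clean client before relying on the "tampered" flag.
"""
import base64
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Assumption: a clean install ships this one-line stub; anything else is suspect.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');"
# Assumption: build channels that live directly under %LOCALAPPDATA%.
DISCORD_BUILDS = ("Discord", "DiscordCanary", "DiscordPTB", "DiscordDevelopment")
# Webhook URL: optional subdomain, discord/discordapp, snowflake id, url-safe token.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([\w-]{20,})"
)
# Strings the builder in the video leaves behind, plus the generic webhook path.
INDICATOR_STRINGS = ("hookId", "hookToken", "hogstealer", "api/webhooks", "require('electron')")
# Long base64 runs get decoded and re-scanned; hiding the URL that way is common.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INDEX_GLOB = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"


def find_index_js(local_appdata):
    """Yield every discord_desktop_core/index.js under the known build directories."""
    for build in DISCORD_BUILDS:
        root = Path(local_appdata) / build
        if root.is_dir():
            yield from root.glob(INDEX_GLOB)


def extract_webhooks(text):
    """Return sorted (id, token) pairs found in plaintext or inside base64 literals."""
    found = set(WEBHOOK_RE.findall(text))
    for run in B64_RUN_RE.findall(text):
        try:
            decoded = base64.b64decode(run + "=" * (-len(run) % 4)).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        found.update(WEBHOOK_RE.findall(decoded))
    return sorted(found)


def analyze_index_js(path):
    """Describe one index.js: is it the stub, and which indicators and webhooks it carries."""
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    lowered = text.lower()
    return {
        "path": str(path),
        "tampered": text.strip() != CLEAN_INDEX_JS,
        "size": len(text),
        "indicators": [s for s in INDICATOR_STRINGS if s.lower() in lowered],
        "webhooks": extract_webhooks(text),
    }


def scan(local_appdata):
    """Analyze every index.js found, sorted by path so output is stable."""
    findings = [analyze_index_js(p) for p in find_index_js(local_appdata)]
    return sorted(findings, key=lambda r: r["path"])


def build_demo_tree(base=None):
    """Write a constructed clean install and a constructed hijacked one for offline testing."""
    base = Path(base or tempfile.mkdtemp(prefix="discord-demo-"))
    hidden = base64.b64encode(  # constructed webhook, base64-wrapped like the real sample's strings
        b"https://canary.discord.com/api/webhooks/987654321098765432/OtherConstructedToken_0123456789"
    ).decode()
    tampered = (  # constructed stand-in for a dropped index.js; the real one is heavily obfuscated
        "const e = require('electron');\n"
        "var hookId = '123456789012345678', hookToken = 'ConstructedTokenForTheDemo_abcdefghij';\n"
        "var wh = 'https://discord.com/api/webhooks/123456789012345678/ConstructedTokenForTheDemo_abcdefghij';\n"
        f"var hidden = atob('{hidden}');\n"
        "module.exports = require('./core.asar');\n"
    )
    for build, app, core, body in (
        ("Discord", "app-1.0.9003", "discord_desktop_core-1", CLEAN_INDEX_JS + "\n"),
        ("DiscordCanary", "app-1.0.40", "discord_desktop_core-2", tampered),
    ):
        target = base / build / app / "modules" / core / "discord_desktop_core"
        target.mkdir(parents=True, exist_ok=True)
        (target / "index.js").write_text(body, encoding="utf-8")
    return str(base)


if __name__ == "__main__":
    # Usage: python scan_discord_index.py [root]; defaults to %LOCALAPPDATA% on Windows.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("LOCALAPPDATA", "")
    for finding in scan(root):
        print(json.dumps(finding))
```

The tampered flag is deliberately strict (anything that is not byte-for-byte the stub), because the dropped file in the video is the whole obfuscated payload rather than a small patch; the indicator list and the webhook extraction are there to tell you what it was sending home. Running it against the constructed demo tree flags the Canary install only, with both the plaintext and the base64-hidden webhook id/token pairs recovered.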