Discord Malware - "i hacked MYSELF??"

Captions
Welcome back everybody, welcome back. I'm happy you're here. You read the title, you know what we're doing today. This one should be, uh, pretty fun I think, right? We're doing something new, we got something spicy for the gamers in the room, the gamer gang. We're gonna be taking a look at some Discord malware, and I think that's kind of peculiar and kind of neat. So if it wasn't enough for me to be checking out some Discord, you know, gamer stuff, I'm wearing a Legend of Zelda t-shirt, so if that doesn't make you like the video I don't know what will. What we're gonna be diving into today is something that, uh, a fellow community member, right, a viewer, had offered to me, sent it along, and again, please, please, please keep sending me malware. Thank you. Literally, please send me malware. I'm going to keep saying it over and over again, but this user was generous enough to donate this, send it along, and I think that it is worthy, I think it is something that we could have some fun with in a video here. Disclaimer, right, the usual kind of notion and thing that I had to go out and say: this is a very exploratory video, and, uh, I don't know what I'm doing as I'm going through it, and I don't know all the things, I don't have all the answers, so forgive me where I fumble and stuff, but hopefully it'll be fun, we'll get to learn a little bit, we'll have a good time, and obviously this is all for education, this is all for educational purposes. There's obviously nothing spooky scary in here meant to make you some uber elite hacker, no no no dude, we're here to learn, we're here to have some fun, so let's get to it. You know, let's, uh, let's hop over to my computer screen where all the good stuff's going on. I have this script open. This was the, uh, maybe discord malware.py, and the .py extension, right, tells us that it is a Python script. Interesting decision, for one thing, uh, because if this were to end up running on an end user computer, if this were to run on the victim or the target, it would need to
be able to, like, know how to interpret and run this. It would need the Python interpreter program, because Python is a scripting language, right? So you could freeze it, you could compile it, you could do some weird things with it to make it a bundled, packaged executable, but that would be, I don't know, I feel like it would make for a large file if you were to try and get that on a victim. But whatever, we'll explore it, we'll see what's going on here. So this is the file, maybe discord malware.py. Uh, I'm having fun with this one because it is not obfuscated whatsoever. It's also written in Python, and I tend to read and play with Python a decent amount, so we'll see how it goes. We've got a little import os statement right up at the top here, so getting that module, kind of getting the operating system library to be able to read in and pull some data out here, and then it immediately goes through an if statement like, hey, if the os.name, or if that property from that module here, is not equal to nt, then we exit, then that program just goes ahead and dies. That is important because it tells us this is literally only going to run on Windows. So I have Python 3.9 installed on my machine here, I'm running Windows currently, so if I were to import os, if I were to do an os.name, we can see that it is the string nt, for New Technology, Windows thing. And that's all. Uh, if I were to do that exact same thing over on a Linux virtual machine, so I have a little Ubuntu virtual machine created up here, I'll spawn a terminal, use Python, import os, os.name will tell me posix because it's running Linux, and it is not nt, it is not Windows. So there's that distinction, and that way we know, okay, this will only run on Windows. Uh, we pull in the findall method from regular expressions, that built-in library, we pull in some functionality to be able to load and dump strings that are in the JSON format, or the JavaScript Object Notation, of course base64 for some b64decode, for decoding base64
represented data, and we pull in the Popen and PIPE data and stuff. Uh, I lost track of the words, because Popen is going to end up being a function, or the class constructor thing, to create, and PIPE will go ahead and be the constant that it will need for making, like, pipes. But subprocess means we're gonna end up running code, right, we're gonna end up running a command, executing, executing like system shell commands. urllib is pulled in to grab the Request and the urlopen, etc. etc., so we can make calls to the internet. We of course want to know the time, we want to be able to spawn threads, grabbing the sleep functionality, and knowing arguments that we pass into this program. So I don't know if I want to go this entire video at that pace. That took us some time to just go through the import statements, and some of you that are veterans of watching this content, you know, like, what, okay John, that easy baby stuff, but I want to make this approachable for everybody. So all of this, right, all these modules that we're seeing right now, are native and built in to Python, so it doesn't need any other libraries or modules kind of included to run this malware. It'll just do it if you have Python. They're all part of the kind of core standard library that Python would work with. So then we go ahead and get some environment variables from that os module here. They're defined as local and roaming, which will be the name of the variables here, but we're getting the environment variables LOCALAPPDATA and APPDATA. Now again, this is only going to be running in the context of Windows, and because I'm on Windows I will open up a command prompt and see what those values are. I've showcased this plenty before in batch tutorials that I have that are, like, decades old, and if you were to actually try and reference an environment variable, or a variable in batch, kind of the language of the command prompt in Windows to begin with, you would normally use it wrapped in percent signs. If delayed variable expansion is on it
could be exclamation points, but that's a whole other can of worms. Right now we just want to use, like, the percent signs surrounding the variable name that we want to look at. So %APPDATA%, right, it's going to evaluate out for me to C:\Users\johnh\AppData\Roaming. Now we know the value of what that will be. We'll do the exact same thing for LOCALAPPDATA, right, %LOCALAPPDATA%, and now you can see it is Local as the subfolder rather than Roaming. So those are some worthwhile directories apparently, because the program is going to grab and gather those, and then we have a whole list of paths. This ends up being a dictionary, right, so Discord will be referenced with the roaming folder slash discord, roaming folder discord canary, etc., and some local folders as well. But it's peculiar here, because we can see Discord being referenced, Discord Canary, PTB, and Google Chrome, as well as Opera and Brave and Yandex. All of these are seemingly getting the file system location, or the path to the data and configuration stuff that might be stored for that particular program, right? We're going to end up seeing that in AppData Local or Roaming, that's where that's typically stored. We also have some other functionality defined here, get headers, and it will take in a keyword argument token that is kind of by default optional and set to None, but it also includes a content type as a keyword argument that is set and defined to application/json. I don't think that'll actually end up being used or modified anywhere else, truthfully, because most of the stuff this is going to end up doing, if it does end up working with Discord via their API, it's going to be in that JSON format. So the headers that it defines inside of this function, after it takes in potentially the token and content type, are the content type for what request it might make, if it were to create some headers, and it adds a user agent for a regular, like, Firefox, oh, Chrome here, you can see Chrome browser connecting to it, and if it has a token it will
go ahead and add that into the headers with headers.update, with the Authorization header, filling in the token. That is good to know, because that, I think, will basically be the crux of how this works. Let's kind of minimize that for now, or, like, fold that code. Then we can get user data, right, with the token, and that is a mandatory parameter. It will try to loads, and that's going to be the JavaScript Object Notation, JSON, structure and format, for making a request with the URL library to discord.com/api/v6/users/@me with the headers that it's created previously with that token, and reading it out and decoding it. So that call on its own, get user data, will get information about your Discord account. That's it, it's just querying the Discord API to be able to do that, as long as it has a token, and that needs to be passed in. So the token, that's going to be the most valuable part, right, it's going to be how your account and you are kind of connected in Discord, and how Discord knows who you are: it's via your token. Now these are apparently stored, and this is news to me, I was learning this, right, with the path that is passed in inside of this get tokens function call here. Right, it adds this path that takes in that argument path and adds in Local Storage, leveldb. Now it creates an empty list of these tokens, and then for every single file name that it finds inside of that directory, or the path that it's just built out here, it will check, hey, if that file name does not end with .log and it doesn't end with .ldb, then just ignore it, continue on this for loop, and keep cruising through until we find something that actually does work. If we do find a file that has a .log or .ldb, then we will look through every single line in that file. Once we open it up, we'll open up that file, ignore any errors, and then read every single line and look through them. So yeah, it just pulls out those lines, and then it uses the regular expression syntax for a regex in this kind of tuple of
two potential, like, structures, the patterns that it's going to look for: whether it is a word, uh, excuse me, word character, or another 24 iterations or recurrences of those word characters, following a period, six iterations of those, another one, etc. etc., or, because it's a for regex in both of these, it'll continue to loop through both of those, or if it starts with mfa, a period, and then 84 word characters. If it finds those, based off of that findall call, it goes ahead and adds it to the collected tokens. So it's just going to end up carving those out, that's it. Interesting, right? There's a real functionality to steal and harvest the tokens for your user account. So let's put that away temporarily, and then we have another good one. We have this get developer function here. I don't know what this dev equals wodx might be referring to, I don't know if that isn't why that's created, or why it's set to that, because just after it, again, it will try to do something, and if it fails it totally ignores it, but it will go ahead and download the data from this pastebin URL. Now I wish I could make this pretty cool and pretty fancy, but I don't think that that actually exists. Yeah, pastebin.com/raw, that, um, yeah, it's no longer available. I don't know if anyone knows, or if there's a good way to be able to kind of track down some previous pastebins, or if maybe it's a Wayback Machine or Internet Archive or whatever, but that would be interesting, to see what that had. Regardless, can't offer too much there. Another interesting function, though, get ip. All this does is make a GET request out to an API, which we've seen in other videos, that will just straight up tell you your IP address. So it collects your public IP address. That's what this Discord malware is: another thing, another piece of information that it will steal and collect and grab. It will also grab your avatar, again just reaching out to the Discord API with your user ID and an avatar ID, seemingly, yep, but those would be pulled in and passed to this function here,
carve it out, and then we do some interesting stuff that's kind of native and local to that computer. This get hwid, or the get hardware ID, that's going to end up using WMIC, or the Windows Management Instrumentation Command-line, right, that tool utility, kind of old. It's a very cmd.exe-like and DOS-oriented, uh, interface to the Windows Management Instrumentation interface. It will go ahead and grab the UUID of this current computer. It will run that as a shell, collecting all the data, and that's why we pulled in Popen, or those subprocess module functions, right, pull all that down, collect it, have the convenience functions to be able to do that. Then it does some other spooky stuff like, hey, we got get friends, carving out, hey, whatever relationships your Discord user might have, again passing in the headers generated by the token. And it will get chat information based off of another user, I'm assuming you're chatting with, right, reach out to the Discord API for the current user with that token, for your current account data, checking if the recipient's ID is going to end up being whoever that other individual wants to talk to, or their chat history might be, pulls it down, and pulls it. Now this one's kind of spooky, spicy, juicy: hey, what kind of payment methods do you have? Do you have payment methods? Let's pull it down, let's carve it out. So all this one does is check whether or not you actually do, right, it'll return a boolean value if there's content in there, determines from len, as it, or length, right, as it loads and carves out the JSON, checking out your billing payment information and those sources there, based off of your token. Nice. This one is a send message functionality, so you can chat with other people. Actually, the program itself can send other messages via the API, and it adds it in as a really interesting, like, file multipart form data boundary. It's actually added in there, form.encode, read in, encode, okay, so it just posts that data sent along to it, I'm assuming, and
this other one, this other function, is called spread. It takes a token, takes the form data and a delay variable, and it actually is currently disabled. This return function will tell it, hey, don't actually run anything for that function, just kind of stop and don't bother. But if you were to comment it out, just like this comment here says, hey, remove to re-enable this, well then it'll continue down on the rest of this code, and it grabs all of the friends that your account has, and then it tries to actually get the conversation with them, get the chat ID, right, get to know who that individual is, know the message conversation, and then send them a message with the supplied form data. So imagine all of your friends on Discord getting slammed with whatever message or spam comes from this, and it'll sleep just a little bit of time to not be an absolute machine, but, uh, that's how it will spread this virus or malware, collecting and harvesting more tokens. There you go. Now this main function is where all the real action happens, this is where it all kind of goes down. The main function is what's going to end up running and executing when the program runs, but all these other functions that we just saw previously, that was building out the functionality for what this tool can do. Now the main function will apparently cache some of the data that it finds, stores it in roaming .cache with a little hidden name there. It'll prevent spam, supposedly. I don't exactly know where else that is going to be used, or even if it is. I'm Ctrl+F-ing for it, but that's literally the only place that's defined, and never used, it doesn't do anything. self spread equals true, uh, that is apparently used later, we have two matches in that, so we'll get to that in just a moment. But the embeds is an empty list, working is an empty list, checked, all these other things are defined, but it of course immediately grabs your IP address, hence that get ip function. Then it will grab your username based off of the
environment variable on your computer, and we've done this already, right, pulling up our command prompt, getting that variable, USERNAME. In this case it's john h for me. Although, when it grabs its computer name, good enough, CREATOR is the name of my desktop machine right now, and USERPROFILE is going to end up being where it will look for your, like, programs, etc. etc., so your essential home directory, right, in this case for me it's Users\johnh, and that's usually just a user's directory. developer is going to end up retrieving whether or not, supposedly, this is a developer account, but we don't know what that pastebin link actually ever had. And then we start to steal some tokens, yup. Now we start to loop through all of those paths that we had seen already defined up top here, for Discord, for Discord Canary, Discord PTB, Google Chrome, Opera, Brave, Yandex, etc. Now I'm not positive if this is stealing, like, Google Chrome or Opera credentials. I really don't think it is. I think it's strictly looking for the things that Discord stores and saves, and how they do that, but we'll explore and we'll dive into it in just a moment. Uh, for each platform and path in those locations, it will try to see if that path exists. If that folder at that file location doesn't exist, well then it's safe to assume, okay, Opera is not installed, or Brave is not installed, so it'll just continue on and keep looping. Now it'll try and get tokens from that path, so this location, roaming\discord. Now looking at that get tokens function again, \Local Storage\leveldb, with these .log or .ldb functions, those will have the tokens that this malware is trying to carve out and steal and compromise. That is the data that's going to end up kind of grabbing. If it has them, if it's kind of been checked, then it won't bother to do them again if it does already have those, or if it doesn't, it'll keep getting those. If it doesn't start with mfa, I'm assuming that's going to be like multi-factor authentication, it will try and
do some base64 decoding magic to grab the other format or representation. But then all it simply does, after it has your token, is it grabs your user data, and then it gets all the information that you might happen to have, right, your username, your Discord ID, your avatar, your email address, your phone number, your premium type, whether or not you're using Nitro, grabbing your avatar, and of course your payment methods. Huh. So let's get a little meta right now, because I think we've laid out enough groundwork that we could really show you how this works, and I have to be careful about doing this because I'm essentially going to hack myself and put it out on the internet or whatever. I'm going to blur, obviously, a lot of the sensitive stuff out, but we know the file locations where Discord is going to end up storing our token, right? Check it out. Do we still have our command prompt open? No we don't. All right, so let's bring this down again. We know it's going to be in that roaming variable, which was grabbing the data out of AppData, so if I go into that directory we know that there was a discord directory, right, because that's where it tries to go find the Discord. Now I have Discord installed, right, you can see it kind of in my system tray down here, and I use it all the time. Uh, inside of the discord directory we know from this get tokens function there should theoretically be a Local Storage subdirectory and a leveldb subdirectory, so let's go check that out, and there are those directories. So if I clear my screen here, cls I think in Windows, yeah yeah yeah, I'll dir to see what files we have in this directory, and check it out, there are these .log and .ldb files just as it mentioned. Now I need to be super duper careful here, because I'm going to basically hunt for those tokens the same way, or at least in a very similar way, that we know this function was going to do it. It just looks for regular expressions where an mfa might be present with other word characters. I'm going to do that just for my
account, and I'm hopefully going to successfully blur out the contents here, because if I were to go ahead and try and run strings, and I have Linux utilities kind of installed on Windows right now for MinGW and stuff, if I were to strings out everything there's gonna be a lot of crap and a lot of content. I'm really sorry, seizure-inducing thing, um, but if I were to take that strings of everything and look for the plain text strings, and if I were to essentially use grep, if I were running on Linux, right, but I don't have grep installed, so I'm going to have to use the Windows findstr. If I were to run findstr with that data that we know is going to be in the text there, mfa, I will add some spaces so that's visible. Check it out. Uh, I'm going to have to blur that, I'm going to have to censor that, because those are genuinely my Discord tokens. So now let's make it even worse. Now that I've showcased that, let's go ahead and try and retrieve the same information that this malware would have received. Yeah, I'm gonna hop over to my Linux virtual machine to be able to do that really quickly, and create a new directory here just for keeping things clean. I have to make the directory, make directory discord, now for Discord malware, and we know, I'm going to censor a lot of this here, I'm, like, collecting my thoughts as I realize what I'm accidentally, or might be, showing on screen, right. Uh, we want to use the curl command so we can actually go ahead and access that API. I'm gonna, uh, nerf that command prompt real quick, and I will paste in the Authorization that we know was the header that used our token. So now that my token is pasted in, there we go, I will go ahead and retrieve the data that might come from getting my user information, that get user data function, right, so discordapp users me is the link that we're going to, including the headers, all that we've sent thus far. So if I include that, if I hit enter here, I made a mistake, uh, authorization is wrong. I will try a different token. I did have
a couple others that opened up in that command prompt. Let me go reopen and do that, just a moment. Okay, I'm back. Now I have verified that I have the correct, uh, token, because there were multiple that were listed in my account. Uh, so if I were to go ahead and make this curl request, hiding my address here, I will pipe this to jq so it's kind of pretty and beautiful. There we go, here, take a look at that. That's the data that you can pull. You can see a supplied phone number, you can see the email address, you can see the country code, the avatar, the ID number, etc. Now if we were to try and pull the payment methods, if we were to try and pull the, uh, actual friend list, if we were to try and pull other messages and send other messages, that's what this could do. Let me do that just to show you the spooky, right? So we had some fun with get user data, but now that we know we could get the avatar, or get the friends, or the payment methods, that is probably going to be what the hackers are interested in, right, they want to see what other information could they carve out of this. So I'll grab this location and I will go ahead and add that in to what we will go ahead and display out with jq here, paste that in, and I'm going to need to blur this. You can see a kind of card payment method, you can see the last four of that credit card, you can see the original address for the billing address, etc. Uh, that can get kind of spooky. Okay, that's enough, uh, publicly embarrassing myself for trying to hack myself via this malware, just using the tokens that you can uncover from the Discord account that is stored and saved on your computer here. Let's continue to explore what we had, because this now got interesting, in that it would collect all this data, right, whether or not you have Nitro, what billing methods you have, and you would be able to have that message received, and if you were the hacker, if you were the bad guy, if you had this malware, if you were distributing this, this virus, right, you can get the
account info, the PC info, uh, IP address, right, PC username, PC name, etc., uh, and token location, right, I think I see over here, yeah, and then the tokens themselves, right, so you could become and act as that user. The author here is, uh, whatever is really supplied in that username or user ID, but the footer is kind of interesting. It says, hey, this is a token grabber by thc4l. Gotta love that attribution, am I right? I love it when they just straight up tell you who you are. Granted, it, right, this is a hacker handle, it's an alias, it's not anything like whoever, it's not a name or an individual, but we could obviously do some more research, do some more digging, and try to see who thc4l happens to be. And with these embeds, right, now we've saved and captured all of that, and it could be sent later on, uh, and retrieved, right, for whoever was ending up using this token stealer or this malware. So it will of course save all this information in that cache path that we saw previously. It will append some data to working, that I'm not exactly positive why that's doing it, but take a look at this webhook, right? The webhook includes the embeds that was just carved out, from this username that we might want to supply in for the bad guy, right, and this avatar URL is supplied. Now if I were to go back to Chrome, try to see what this avatar might be, I wish it were something kind of more fun, but it's just kind of the bland, blank Discord logo. So after we've defined this webhook, we try and make a request to the webhook and send that data, right, so that way the bad actor, the one waiting to receive all the stolen information, the stolen tokens, etc., those would be displayed and just sent to them, right, those are fish that they caught in their fishnet. Great. We also have some other functionality for self spread, uh, whether or not this thing is going to spread, and we did see that was set to true, right, so for every token that it knows is working, for everything that collected, it will try and open up itself, it'll
try and open up this script, like this, this Python code, on its own. It'll read that, save it as this content variable, and then develop a payload that it will send with the data information. Name, the file name, will be this file, right, and then the content being this entire script, being this code. And now an interesting thing is it includes the message server crasher python download, and it links to the Python website, so that potential victim or target might be fooled, and maybe they'll go download Python so they could run this to go crash some servers, I don't know, or it'll just keep farming tokens for the original bad guy. So there's that. This thing could potentially spread, but it does rely on that end user, target, victim computer of course having Python installed. So that's why they're literally linking the download to go install Python, and it threads this out, right, for every single token it tries to spin it off and they'll go spread, that function that we saw earlier that will message everyone in their friends list. It'll include the token that it needs, right, the payload, and then how long it's going to actually wait to send those, it looks like, what is that, seven and a half seconds I think, but starts it, and that's it. It runs that main function, but that is the damage that could come from this thing. Now I got kind of curious, right, I want to know who is this thc4l, if they're literally telling us, hey, check it out, this is a token grabber, here's some Discord malware by yours truly, me. Uh, is this known, is this present on the internet? So I started to, uh, you know, ask uncle Google, went to our good friend over here, token grabber by thc4l, let's look for, I guess, Discord reference here, and now there's a lot of peculiar stuff. In fact, this one I just saw the other day. This is literally when I was receiving this message, uh, when someone sent this code to me, which was yesterday. This video was released then, the day before, and now this is two days ago, but this video is kind of
peculiar. It shows other interesting things, it's just not the exact same code, it's actually a completely different program, so maybe we'll dabble in that for just a little bit. Uh, I actually kind of want to table this, but the comments here are interesting. This, I like this, I like this thread here. It says, hey, this is for educational purposes only, I'm not responsible if the tool's used for legal purposes, as you can download it with the password here, but the tags are discord token grabber github, discord token grabber, discord token grabber, best discord token grabber, discord, like, yeah, is that so buddy? Educational purposes only, except you really want to tell people about it, people really should know. So that's that. The comment is like, hey, lol malware, and the comments are like, for real, yeah man, lmfao, now the file itself is a token grabber. So he's trying to grab people that are trying to grab someone else. Ooh, ooh, what a scheme, hack the hackers, am I right? So there's that. Um, there's another interesting one, how to use token grabber, on this location, oh, oh, where am I now, easy way to get discord tokens, this just looks sketch. Uh, discord malware stack overflow, how to spam raid discord servers 2020, best discord token stealer, other github stuff like this. So this, like, opened my eyes to a complete new world that I had no idea existed. Uh, and this actually, the original individual that had sent this to me told me that he produced this, or published this, and posted it on Stack Overflow, um, and he said, hey, a friend of mine contacted me with the problem he's been having with Discord, Windows asked what program the code below should be run with, and default is Discord, every time Discord is run the chunk of code is run. So it looks like they didn't have, like, Python actually installed or something, and maybe it just straight up wouldn't run, but that was the original code. Um, the comments here are like, yeah, hey, it does seem to be malware. He says, what I believe to be
the creator's YouTube channel is referenced in the code here, and you could go visit this link, but of course, hey, that's been terminated and shot down for being a bad guy, and then the creator's Twitter account is apparently linked in the code, uh, I didn't see that exactly, but, uh, kelly lincoln's, that are protected tweets, errors.tools, oh god, that brought me to a Discord server. I'm sketched out, leave me alone. So, uh, let's put that one away. Sorry, I didn't mean to be shouting. The response is, hey, that is malware, not only a token logger but also stealing Chrome, Brave, Opera and Yandex passwords, uninstall that immediately and change your passwords, YouTube channel of creator, um, that's the same link as earlier. As it turns out, it also steals your IP address, so we saw that as we were going through it. But I'm not a thousand percent positive if it is stealing, like, your Chrome cache, or your, the web browser passwords that are stored and saved locally, uh, Brave, Opera and Yandex passwords, I don't know, because I just don't know off the top of my head where those are stored or how those are stored, but it looked like it was more pertinent to getting the Discord stuff. It didn't seem to have anything specific to, like, hey, cracking, or those are not the right words, but tracking down the Chrome cache and everything. These are specific to Discord. I think maybe those are going to be the locations, if someone were to open and use Discord in the browser, in those browsers, maybe where that information is stored, I don't know truthfully. The desktop application of Discord is what I'm using, and that is where we saw, genuinely, uh, the Discord tokens. So that's that. This is an interesting one, I think. Uh, this site wants to show me notifications, no no no, thank you. Of course, video is no longer available. Some other peculiar things, but, like, look at this, look at this, some of these just, oh no, these actually aren't that bad, there's like, hey, create a Discord bot, you know, good stuff, genuine, purposeful use. But best
discord token steeler grabber hosting in scripps march 19th oh that's actually today you can see that down below like in my calendar down there it's genuinely march 19th is this updated today these are just that's just a crap ton of tags you don't need to download any files imagine the imagine the audacity right imagine the imagine what fire has to be in you to make the sales tactic to to market this thing like oh you don't need to download you don't need to have any extra software it's fully undetectable whatever you do to like market and have a business strategy for for malware and bad stuff is just insane oh here's a video today i will show you a discord token stealer yeah is that right oh this is the same this is the same youtube video that we saw earlier didn't it isn't it wait let's go to youtube let's see this thing for real now this is back in february download area oh they sent me a discord link i don't like it 51 comments what are these people doing the juice world song just hits different man okay okay you know what let's uh what else does this thing do oh no this is this is the exact same footage that we saw in that one that was uploaded just two days ago wait what is he sending install this to get free fortnite hacks legit h111.exe what the heck what what was that [Laughter] webcam.jpg oh i don't like it that's oh no get me out of here i'm leaving uh github stuff that doesn't exist but like check it out so let's say we looked for that on youtube like we we had googled thc4l and now there's a grey dank discussion community post apparently redirecting me to slamnetwork.rf.gd that might not be good uh but he's all about look dude check me out on youtube thc4l cheats check me on youtube i don't know if this is the way to internet fame my guy i don't know if this is the path you want to take to be a content creator um shop paid my thc for discord token shop i'm clicking on going i'm going to weird parts of the internet right now and i probably shouldn't so 
i'm going to stop i'm not going to do that anymore but look at this video before i actually you know hang on i've said a lot of things um i did have an original thought though that i wanted to latch on to before we get to kind of the end of the video this this best discord token steeler grabber 2021 that was released two days ago this download is different right um i'm gonna check it out steelybuilder.org i just want to see if it was the same thing because when i checked it was different i am going to do this on linux actually i have ielts by so i know right i'm gonna have a little bit of foresight to uh excuse me figure out what might be going down here i need to have a rawr decoder do i have il spy on this thing opt is my i else i do all right so let's do that um let's we have firefox open on this go to that url please download that thing come on mega uh yep that's fine download the thing downloaded it save please i'm gonna go back to my terminal i'm gonna move that downloads steely builder dot rawr let's unrar that thing steely builder what is unrar is a command i have to install it what all right if you guys can't tell at this point i have taken off my uh presenter showman uh personality persona and now i'm just kind of goofing so yeah let's unrar that thing because now we're back on the keyboard why can't i not tab complete that unrar x or something yeah enter password oh it said it was six yes use the same password on all of them please okay so now i have this builder directory and i have all these files in here we have a steelybuilder.exe and an assembler source what is that thing steely.il whoa whoa what is this this should be [Music] a c sharp c sharp syntax is that right i don't know module is hog steeler v4 um i don't know how much we'll get out of this but index.js other variables what the heck all right um this before we dive in i don't think we really need to deal with the il thing because we know that this i this executable right is a net assembly so 
we can open up an ielts buy especially if this is a il there's particularly good stuff in there so let's run opt iel spy il spy and completely change direction to go analyze something else you know oh please forgive my malware please totally ignore all the other things i had open um we want to go to discord mail builder steely builder and our good friend steely builter has assembly version 0.0.0.0 which makes sense some of the references that it refers to are nothing interesting text regular expressions actually there's there's a lot here though there's like a lot here i don't know if that's just from what it already had in ielts by or something but first and second have these values this looks like javascript code that looks like javascript code am i wrong those are in the resources though but we genuinely have and can see those can we not res resources steely.res is that going to be plain text nope what about you nope uh i also i could save that to a table so let's do it let's put that in discord mail builder wait no no i just want like a plain text thing resources.xml resources imagine that we'll call the resources file resources uh resources oh what the f guys i don't know what i'm doing can i copy this whole value no string table okay that looks like javascript though that's very obfuscated and not easily readable so i'm very sorry that you can't see that sorry for that tangent everybody that's the that's the danger in doing it like live except it's not live you're gonna be this is a dead john by the time that you watch this video but i'm doing it live in the past so that i can have the opportunity to edit things out and blur things like payment information and my discord token and all that so yeah this hog sealer v4 program checks out a couple build strings discord of course enumerates through all of them and runs mod and melt so mod will check if the directory exists in the get folder environment special name build which is that and if it does inside of each 
of those directories it adds an index.js oh wow okay so that index.js must have been that other value for each string text and files if it contains a discord desktop core it will go ahead and take the full path of that location and replace the discord desktop core modules with our index.js so okay so it's just going to like basically hijack what discord will do to begin with and it replaces the hook id hook token variables and that i'm assuming is going to be another web hook right to send that data out to the individual or the bad guy collecting all this data so username will be hog delivery service avatar url ooh we got a little bitly link here dude we should check that out let's do it i am in uh my vm still right look at that hog stealer so part of me part of me wants to save this image and go look around to see like where where else is this used on the internet if i do a google images on this are there any other spooky squirrely places that people have just straight up i don't know use this software if we were to search for hogs steeler v4 is there anything out there soft the definition by merriam-webster fat pig meme oh okay okay okay let's get back to looking at c sharp and il spy so content says congratulations a discord client has been infected with hog stealer it's whoa congrats what a party the modifications will only be applied upon restarting a client so you may have to wait a little yeah and then okay it sends a web client web hook stuff melt i'm assuming looks like it starts cmd.exe with a choice and uh deletes itself the and del is to run the other command and it's going to grab its current process and its file name so it deletes itself [Laughter] okay and that's it checking out settings over here oh you got a your web hook so like the web hook that we saw in the python script and this web hook that we can see right here like it's cool that we can see it and all but i don't know if there's a way that we can like kind of skirt back as to where it's 
used or how it was where it was ever put to use um maybe i'm just naive maybe i'm stupid but if your web hook contains that information it checks hey is this a valid web hook right then it will carve out the hook id as necessary and the hook token and grab it all and then program melt or kill itself supposedly that's hog stealer as kind of an extracurricular as to the python one that we were doing this time written in an actual executable right actually written in a net assembly program to be compiled and could run but i don't think this will spread the same way unless we don't know what that index.js was though oh i really want to find that index.js um was it in steely.il because we had this thing open we know there was a constant value in a string no no oh dang i really want to see how we could de-obfuscate that javascript but maybe that'll have to be a different video because i think we're already been going for quite a while i think we're already at an hour so we've been partying if i were to run foremost though on like steely.resources would it carve it out oh shoot is it an output no it's just audit right now oh that needs to be rmtech r because it's directory um same problem checking out output yeah nothing and it would be a string so oh maybe if we did like a strings everything rep for that constant command grip tuck i oh my gosh i don't care we don't even need takai so for cost oh it's all gonna be on one line right this is humongous though zero bar and this is probably muffed up in some way but oh this is like base64 in here i'd be curious to like run this with node and uh maybe cover it up but look at it look at that yeah yeah discord modules.node it's indexing a bunch of stuff this would be a gold mine it's also horrifically disgusting obfuscated javascript and that will be hell to go through but i see some passwords and stuff in here oh dude content type hook id hog stealer v4 we're in the right spot ladies and gentlemen i don't know if we're cleanly 
carving it all out though just trusting strings that seems like a bad idea but this definitely is a good start so regex electron require yeah massive funny maybe this has some uh goodness to it that we could uh we could look through eventually but i don't think i have the volition to do it right now i'll be honest add it to the list keep screaming at me in the comments if you want me to go back and do this thing eventually if i can i'm probably gonna fail at this thing but wow okay um well i hope you had fun uh i will say as i mentioned that this is crazy to me because look we were looking up discord token steeler when we had to look it up on youtube there's a lot of stuff on this idea uh demonstration discord token still three months ago there's one two weeks ago imagine writing one oh we have to watch this now easy way to discord token best discord token grabber grab all the information of an account how to hack a discord co discord token oh my gosh this is a whole new world and i have no idea so uh maybe we'll have to pour into this a little bit more if if some folks are are curious about the discord stuff but i think that just blows my mind because i don't know i've never i'm not that kind of guy you shouldn't be that kind of guy no one should be that kind of guy no one should be doing that sort of thing it's all bad it's bad so i hope you did learn a ting or two a ting or two i don't know what i'm saying i'm getting the end of the video and i'm burning out you guys know me so uh i hope you had fun i hope you learned a thing or two about some of this python stuff that we were doing i hope you enjoyed maybe diving into some of the research or just googling around with me uh ielts by again for checking out that hog stealer one we could maybe research if there's some other stuff on that but of course like the token grabber thing we saw a reference to and if we're googling a hog stealer for the sewer pig cool grabber black troll black troll malware anarchy grabber 
steeler this this has some runway you know hogs in there oh this is the source code this is just this is just the original thing don't have to use ielts buy is it wow oh i thought i was going to end the video but i mean they're doing basically the same thing we saw already kind of neat though um solution settings yeah theseurepig.github not cool dude hog spammer a discord rating tool written in html and javascript check out oh join my server everybody prepare to get spammed oof anarchy grabber targets discord users that's insane to me oh it does the same thing though index.js file apparently that's a known technique clobbering index.js to run different things you literally hijack what discord does as it starts up that's insane well hey if you didn't know anything about discord tokens and discord session stealing now you do you know just as much as me at this point so wow wow wow wow hey i think i'm done recording at this point i had fun i hope you had fun i hope this was a good video i really appreciate you watching i appreciate you doing all the youtube algorithm things and you can tell by the endless video i'm already going crazy uh if you enjoy my suffering if you like watching this pain if you like kind of seen it please do those youtube algorithm things i'd love to see you like the video remember that remember the legend of zelda t-shirt dude that gets a like come on i feel like that gets a like comment and subscribe if you could please like comment and subscribe i'd be super duper grateful thank you so much for watching everybody i love you i'll see you in the next video this has been fun take care [Music] [Music] with
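Added example, not code from the video or from any of the tools shown in it: a defender-side integrity check for the discord_desktop_core index.js loader that the HogStealer builder replaces. It assumes the stock loader is the single line `module.exports = require('./core.asar');` and the stock per-user install roots under %APPDATA%; the temporary directory tree built in `demo()` is constructed sample input.

```python
"""Integrity check for Discord's discord_desktop_core/index.js loader."""
import os
import re
import tempfile
from pathlib import Path

# Stock loader content (assumption: verify against a clean install of your own).
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Strings a loader that should be a bare require() has no business containing.
SUSPICIOUS = re.compile(r"webhook|hook_id|hook_token|https?://", re.IGNORECASE)


def discord_module_roots():
    """Default per-user install roots on Windows (assumption: stock paths)."""
    appdata = os.environ.get("APPDATA", "")
    return [Path(appdata) / n for n in ("discord", "discordcanary", "discordptb")]


def audit_index_js(roots):
    """Return (path, reason) for every discord_desktop_core index.js that deviates."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for index_js in sorted(root.rglob("index.js")):
            # Covers both layouts: .../modules/discord_desktop_core/index.js and
            # .../modules/discord_desktop_core-N/discord_desktop_core/index.js
            if "discord_desktop_core" not in index_js.parent.name:
                continue
            text = index_js.read_text(encoding="utf-8", errors="replace")
            if text.strip() == EXPECTED_INDEX_JS:
                continue
            hit = SUSPICIOUS.search(text)
            reason = f"contains '{hit.group(0)}'" if hit else f"unexpected content ({len(text)} bytes)"
            findings.append((str(index_js), reason))
    return findings


def demo():
    """Audit a constructed tree holding one clean and one tampered loader."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        clean = base / "discord" / "1.0.9001" / "modules" / "discord_desktop_core"
        clean.mkdir(parents=True)
        (clean / "index.js").write_text(EXPECTED_INDEX_JS + "\n")
        bad = base / "discordcanary" / "1.0.40" / "modules" / "discord_desktop_core-2" / "discord_desktop_core"
        bad.mkdir(parents=True)
        # Constructed stand-in for a dropped loader: a placeholder, not a real payload.
        (bad / "index.js").write_text("const hook_id = 'PLACEHOLDER';\n" + EXPECTED_INDEX_JS + "\n")
        return audit_index_js([base / "discord", base / "discordcanary"])


if __name__ == "__main__":
    for path, reason in demo() + audit_index_js(discord_module_roots()):
        print(f"{path}: {reason}")
```

Run it on a Windows host to audit the real install roots as well; any hit should be compared against a fresh copy of the module before being treated as tampering.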
Info
Channel: John Hammond
Views: 117,766
Id: s3wS1Dd3FFs
Length: 58min 21sec (3501 seconds)
Published: Sun Mar 21 2021