Recently we came across a Twitter feed that described a malware sample coded in Python and fairly new to have many detections (at the time of writing this blog) which attracted our interest in diving deeper into the sample.

Upon analyzing the sample we found some interesting technique that describes  how threat actors steal your credentials/any personal information stored in Discord; a popular social networking app,  by grabbing Discord’s authtokens.

Let’s now look at the analysis 

As the first step of analysis , we used “Detect It Easy” to identify the compiler and its Microsoft Visual C++. Further investigation showed that the malware’s source python script is compiled using PyInstaller to create a Microsoft Visual C payload.

Figure 1: Compiler details

The compiled sample has the actual malicious python script in the overlay.  

We used pyinstxtractor to extract the .pyc files (including 333.pyc)  from the zlib archive (overlay).

Figure 2: Extracted files from binary

Behavioral Analysis

Figure 3: Startup logo

When the original malware sample is executed, it verifies and downloads the required python modules through pip if not found in the user’s PC.

Figure 4: Imported Modules

After downloading the required modules, it searches for all the processes running in the system and kills if the process name has any one of the strings “http, wireshark, fiddler, packet”  in their name.

For ease of understanding, images shown below are from the extracted 333.pyc file.  

Figure 5: Procedure for killing monitoring apps

After killing the identified network monitoring application, it sends a POST request with the following JSON containing “ready to log” message  to the Discord webhook url “hxxps[:]//discord[.]com/api/webhooks/954910299654328380/SKmJo86TbjSj905A8TODrBL2vC5uwsmlXWNzGsphdrRfvC_aAwwTfl02Pcrv2LW2oC8G

Figure 6: JSON payload sent during the start of malware activity

After the initial network request, it starts the activity to steal cookies and tokens of Discord. 

Figure 7: Default location of browsers local storage

The malware steals the token from the below mentioned browsers and apps

  1. Discord app
  2. Google Chrome
  3. Opera Browser
  4. Brave 
  5. Yandex

Then for each of the obtained paths, it creates a full path using string operation and points to the leveldb directory.

For example, the full path to the leveldb directory in Chrome would look like “C:\Users\*******\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\”

Figure 8: Parsing files to steal Discord token

It then iterates through all the files inside the obtained directory and searches for files ending with .log or .ldb extension. Once a log file is obtained it reads the content into memory and searches for the Discord token/MFA pattern through the below regex r”[\w-]{24}\.[\w-]{6}\.[\w-]{27}”, r”mfa\.[\w-]{84}”. Each token found is then appended to a Python List.

Using the stolen token, the malware sends an API request to the Discord server “/billing/payment-sources” route, to check if the user has any saved payment sources like credit/debit cards.

Figure 9: Checks if the user has any payment info saved

The following information is collected by the malware by sending a request to the URL with the stolen token in the Authorization Header. 

  1. User data saved in Discord
  2. Public IP address of the user obtained through a GET request to “”
  3. Username
  4. Discord user_id
  5. Avatar_id
  6. Avatar_url
  7. Email
  8. Phone Number
  9. MFA_Enabled status
  10. Premium user status
  11. Is Email verified
  12. Billing Information
Figure 10: User data response from Discord Server

After collecting all the information, it creates a JSON payload for sending it to the webhook URL.

The JSON payload structure in this malware is as follows

Figure 11: Stolen Information sent to C2 as JSON payload

The process then continues to run in the background and maintains all the tokens sent to the C2 in its local memory. If a user changes their Discord credentials, a new token would get generated and this would trigger the malware again to send the details to its C2 server.

The malware also has the capability to steal the browser cookies and send them to C2.

Figure 12: Browser cookie stealing capability

Indicators of Compromise (IOCs)

Hash: CBA0E7DEBB118110852F7F2B1F0C9C2A

Detection Name: Trojan ( 0001140e1 )

C2 (Discord Webhook URL): hxxps://discord[.]com/api/webhooks/954910299654328380/SKmJo86TbjSj905A8TODrBL2vC5uwsmlXWNzGsphdrRfvC_aAwwTfl02Pcrv2LW2oC8G


Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “The Discord Token Grab”