kem0x / Discord-Trojan-Research

Research about a recently widespread Discord trojan


New version?

ButterscotchV opened this issue · comments

Hey, I've had a friend fall victim to this attack and acquired a possible new version targeting a new domain, bbystealer.rip.

I'm unable to attach the zipped executable to this issue for some reason, but here is the Discord link they sent:
https://cdn.discordapp.com/attachments/932236302290669598/933799379385610282/Pencil_Of_Death.exe

I've managed to mostly deobfuscate the loader script for this version; I've attached it to this comment.
deobfuscated-loader.zip

Is your friend still infected?

I believe so

You can try to get the index file from his Discord client (found at: %AppData%\Discord\[version]\modules\discord_desktop_core\index.js) and I can surely deob that. But as for the loader, it seems they use an improved version of the obfuscation that overloads Node.js's memory and crashes it no matter what I do, and I don't have time to look into that one more, sadly.
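The comment above names the file the trojan replaces: `%AppData%\Discord\[version]\modules\discord_desktop_core\index.js`. A quick way to check a machine for that kind of tampering is to compare every `discord_desktop_core/index.js` under the Discord install directory against the stock content. The script below is an added example written for this thread, not code from either repository; it assumes that an unmodified `index.js` consists only of the one-liner `module.exports = require('./core.asar');` (true for the Discord builds I have seen, but verify against a known-clean install), and the sample directory tree it builds is constructed, with a placeholder stand-in for the injected file rather than any real trojan code.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: a stock discord_desktop_core/index.js is exactly this one-liner.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Heuristic strings that commonly appear in an injected index.js (remote code
# fetch, process spawning, token harvesting). Used only to annotate a finding;
# the decision is always "content differs from stock", never the markers alone.
SUSPICIOUS_MARKERS = ("https://", "http://", "child_process", "eval(", "token")


def normalize(src: str) -> str:
    """Collapse whitespace so a reformatted but otherwise stock file is not flagged."""
    return re.sub(r"\s+", " ", src).strip()


def classify_index_js(src: str) -> Dict[str, object]:
    """Compare one file's content against the stock one-liner and note any markers."""
    stock = normalize(src) == STOCK_INDEX_JS
    markers = [] if stock else [m for m in SUSPICIOUS_MARKERS if m in src]
    return {"stock": stock, "size": len(src), "markers": markers}


def find_modified_index_js(discord_dir: Path) -> List[Dict[str, object]]:
    """Walk <discord_dir>/<version>/modules/... and report every non-stock index.js.

    Both layouts seen in the wild are covered: .../modules/discord_desktop_core/index.js
    and .../modules/discord_desktop_core-<n>/discord_desktop_core/index.js.
    """
    findings = []
    for path in sorted(Path(discord_dir).rglob("index.js")):
        if path.parent.name != "discord_desktop_core":
            continue
        verdict = classify_index_js(path.read_text(encoding="utf-8", errors="replace"))
        if not verdict["stock"]:
            verdict["path"] = path.relative_to(discord_dir).as_posix()
            findings.append(verdict)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout: one clean version directory and one tampered one."""
    clean = root / "app-1.0.9001" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    clean.mkdir(parents=True)
    (clean / "index.js").write_text(STOCK_INDEX_JS + "\n", encoding="utf-8")

    tampered = root / "app-1.0.9002" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    tampered.mkdir(parents=True)
    (tampered / "index.js").write_text(
        "// constructed stand-in for an injected loader; not real trojan code\n"
        "const remote = 'https://example.invalid/loader';\n"
        "module.exports = require('./core.asar');\n",
        encoding="utf-8",
    )


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_modified_index_js(root)


if __name__ == "__main__":
    # On a real machine, point this at %AppData%\Discord instead of the sample tree.
    for finding in demo():
        print(f"{finding['path']}: non-stock index.js ({finding['size']} bytes), markers={finding['markers']}")
```

On a real Windows host, replace the sample tree with `Path(os.environ["APPDATA"]) / "Discord"`; any reported file should be diffed by hand, since the stock one-liner comparison is deliberately strict and a legitimate future Discord change would also show up as non-stock.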

Unfortunately I haven't been able to get any index.js file yet, but I have managed to significantly restore the loader on another version I was sent that targets a new endpoint, though the code looks pretty much the same. It should be a bit less messy than the last one I sent; I should be able to deobfuscate future ones easier now.

deobfuscated-loader.zip

I've managed to find a new version and the associated index.js that was downloaded! I've attached the index.js file to this comment.
index.zip

I'm doing my own analysis of this but my payload link is dead. Do you happen to have a fresh one?

Here's my copy of the loader completely deobfuscated:
https://github.com/Green-Avocado/bbystealer-malware-analysis/blob/main/deobfuscation/loader_deobfuscated.js

This loader is a few weeks out of date. The links no longer work and it lacks new features found in some, like stealing from metamask and exodus cryptocurrency wallets.

@kem0x I'd be happy to work together on this, I can share some techniques for deobfuscating the loader and bypassing its self-defending protections which cause these crashes.

@Green-Avocado I don't have the latest, but I can send you what I have mentioned previously in this thread. GitHub won't let me upload it, but I'd be happy to send everything I have by email or whatever other method you prefer.

@ButterscotchV Thanks for the offer, but it looks like the endpoint for the loader you posted above is also down. If I try downloading the file I get:

<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
	<title>iloveyoubby.ru - Offshore Reverse Proxies.</title>
</head>
<body>
<div style="margin: auto; width: 50%">
	<img src="https://cdn.discordapp.com/attachments/933000250011037786/937934462858174524/d.png" style="width: 200px;">
			<p>Offshore Reverse Proxy Services.</p>
			<p>Interested in rock solid <b>Offshore Reverse Proxies</b>?<br>
			Contact us at <i>sales [a] iloveyoubby.ru</i></p>
			<ul>
				<li>No logs.</li>
				<li>All servers encrypted.</li>
				<li>Confidential handling of customer data.</li>
				<li>An anonymous alternative to CloudFlare, or an extra layer of anonymity between CF and origin.</li>
				<li>We are highly flexible and yes: We do accept bitcoin.</li>
			</ul>
			<p>Send abuse reports to <i>abuse [a] iloveyoubby.ru</i>.</p>
		</div>
	

</body></html>

Thanks for posting the index.js earlier though, I might take a look at that instead.

@Green-Avocado I'm unable to upload them to GitHub and I would prefer not to send it through Discord; the original link I sent was the link from the scammer themselves. If you would like the files, I could send them by email. My email is on my profile, if you wanted to send me an email there and I could pass it over. If you have any alternatives then I'd be open to it, but I'm unaware of any site that would work best.

@ButterscotchV Thanks, I'm not opposed to email, but I was looking for a copy with an endpoint that's still active. Both of mine seem to be down, as well as the one you posted. If you have a more recent copy please let me know, but otherwise, the file you provided already should suffice.

Ah, I see. I'll continue collecting as much as I can. I can see you have an email on your profile; I can send you the versions I mentioned before and I can continue sending any more I collect in the future.

Sure, if you find any versions in the future I'd appreciate it.

Nice work cleaning up your loader by the way, it looks like our files were mostly the same, though mine had different variable names and yours seems to include an anti-debugging function.

I have a second version that seems to be an upgrade of the one you shared with the addition of cryptocurrency wallet stuff if you happen to be interested.

hello how can i setup this bby

We are not malware developers. We do not condone the use or development of malware and we will not provide any support for it.

I believe this issue has outlived its purpose. I'll be posting any new versions on my repo and documenting them there.
https://github.com/ButterscotchV/Discord-Trojan-Research