Skip to content

A simple leak of a stealer that start to show up on as lot of python program as dualhook

Notifications You must be signed in to change notification settings

Sallie-May/Bad-Stealer-Analysis

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 

Repository files navigation

Welcome to Stealer Analysis + Source Code + List of malware (github) account hoster

You see any obfuscated repository that seem sketchy, open a issues, i will try to deobfuscate it.

This repo provides analysis and source code for various bad stealers, focusing especially on the poorly coded ones in Python.

Click on the text under this to get all infos about them!

1312 Stealer

A simple leak of this stealer that start to show up on as lot of python program as dualhook

The stealer is hidden inside a lot of program, fake stealer, fake tools etc.. using the ; technique.

import requests                                                                ;exec("code")

It is doing requests.get() to a website and remove tag to get the code hidden inside of the fake Cloudflare blocked webpage

The stealer seem original, but still pretty bad, nothing very advanced

They have an crypto miner too that is executed at some point

  • https[:][/][/]kleinanzeigen[.]ru/hvnc.exe
  • https[:][/][/]kleinanzeigen[.]ru/miner.exe

What it steal :

  • Browser data (History, Cookies, Password and more!)

  • Telegram files

  • Discord token

  • It inject a modified asar file on Exodus and Atomic

  • It search on the whole computer for these

  • Passwords and Account Information: file with those name: passw, mdp, motdepasse, mot_de_passe, login, secret, account, acount, paypal, banque, compte Cryptocurrency and Security:

    • metamask, wallet, crypto, exodus, 2fa, token, backup, memo, seecret Communication and Miscellaneous: -discord, code

    It check if the file exist and then verify if the extension is : Text and Document Files:

    • .txt, .log, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .pdf, .rtf, .json, .csv, .db Image and Video Files:
    • .jpg, .jpeg, .png, .gif, .webp, .mp4

And even more data !

If at one point you feel like "using" it, don't, it is shit

RUN IN A VM

Acab Stealer (1312 STEALER COPY)

A simple leak of this stealer that start to show up on as lot of python program as dualhook (Like 1312)

The stealer is hidden inside a lot of program, fake stealer, fake tools etc.. using the ; technique.

import requests                                                                ;exec("code")

It is doing requests.get() to a website and remove tag to get the code hidden inside of the fake Cloudflare blocked webpage

The stealer seem original, but still pretty bad, nothing very advanced

They have an crypto miner too that is executed at some point

  • https[:][/][/]kleinanzeigen[.]ru/hvnc.exe
  • https[:][/][/]kleinanzeigen[.]ru/miner.exe

What it steal :

  • Browser data (History, Cookies, Password and more!)

  • Telegram files

  • Discord token

  • It inject a modified asar file on Exodus and Atomic

  • It search on the whole computer for these

  • Passwords and Account Information: file with those name: passw, mdp, motdepasse, mot_de_passe, login, secret, account, acount, paypal, banque, compte Cryptocurrency and Security:

    • metamask, wallet, crypto, exodus, 2fa, token, backup, memo, seecret Communication and Miscellaneous: -discord, code

    It check if the file exist and then verify if the extension is : Text and Document Files:

    • .txt, .log, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .pdf, .rtf, .json, .csv, .db Image and Video Files:
    • .jpg, .jpeg, .png, .gif, .webp, .mp4

And even more data !

If at one point you feel like "using" it, don't, it is shit

RUN IN A VM

Because i'm bored here a small list of account that host malware NEVER download from them

Github account list
@joncema  (Reported by me and got banned)
@webs0ckett (Reported by me and got banned, insulting trans people get you ban after all ;))
@zevx-nz (Reported by me and got banned)
@Rabchin (Reported by me or maybe someone else and got banned)
@Marcel1997 (Reported by me and got banned)
@FriedrichScholl (Reported by me and got banned)
@0PPHUNT3R - Not malware but may be a dualhook
@prometheusdevelop (Reported by me and got banned)
@kelgleRCrpatty (Reported by me and got banned)
@errias
@theruebezahl
@noth1ng86


And pretty much everything that is constantly updated and with emoji like fire rocket and flame

You can contribute to this repository if you wish for

Always run in a VM

AND DONT USE ANY OF PROGRAM IM NOT RESPONSIBLE FOR YOUR ACTIONS

About

A simple leak of a stealer that start to show up on as lot of python program as dualhook

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages