@rerednawyerg
Created April 25, 2023 14:14
Attempt at Stealc String Decryptor
from arc4 import ARC4
import sys
import pefile
import requests
import binascii
import re
import base64
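class Config_Extract:
    """Extract and decrypt RC4/base64-encoded strings from a Stealc sample.

    The sample's ``.rdata`` section is searched for a 20-digit ASCII RC4 key
    and for base64 blobs that follow four NUL bytes; each blob is
    base64-decoded and RC4-decrypted with that key.
    """

    # The key is a run of exactly 20 ASCII digits in the section data.
    _KEY_RE = re.compile(rb"[0-9]{20}")
    # Encrypted strings: a base64-alphabet run preceded by four NUL bytes.
    _B64_RE = re.compile(rb"\x00{4}([0-9A-Za-z+=/]+)")

    def __init__(self, filename):
        """Remember the path of the PE file to analyse."""
        self.filename = filename

    @staticmethod
    def _rc4(key, data):
        """Return *data* transformed with RC4 under *key* (KSA + PRGA).

        RC4 is symmetric, so the same routine encrypts and decrypts. This is
        a pure-Python implementation so the tool does not need a third-party
        RC4 package. *key* may be ``bytes`` or ``str`` (encoded as UTF-8).

        Raises ValueError on an empty key.
        """
        if isinstance(key, str):
            key = key.encode("utf-8")
        key = bytes(key)
        if not key:
            raise ValueError("RC4 key must not be empty")
        # Key-scheduling algorithm.
        state = list(range(256))
        j = 0
        klen = len(key)
        for i in range(256):
            j = (j + state[i] + key[i % klen]) & 0xFF
            state[i], state[j] = state[j], state[i]
        # Pseudo-random generation algorithm, XORed onto the input.
        out = bytearray(len(data))
        i = j = 0
        for pos, byte in enumerate(data):
            i = (i + 1) & 0xFF
            j = (j + state[i]) & 0xFF
            state[i], state[j] = state[j], state[i]
            out[pos] = byte ^ state[(state[i] + state[j]) & 0xFF]
        return bytes(out)

    def rc4_decrypt(self, key, data):
        """Base64-decode *data* and RC4-decrypt it with *key*.

        Returns the decrypted bytes, or the empty string ``""`` when *data*
        is not valid base64 (callers compare the result against ``""``).
        """
        try:
            decoded = base64.b64decode(data)
        except (ValueError, TypeError):
            # binascii.Error is a ValueError subclass; the blob is just a
            # base64-looking run of text rather than an encrypted string.
            return ""
        return self._rc4(key, decoded)

    def locate_configs(self, data):
        """Find the RC4 key and the candidate encrypted strings in *data*.

        Returns ``(key, config)``: *key* is the 20-digit key as bytes and
        *config* a list of base64 byte strings in the order they appear.
        Matching is done on the raw bytes, so offsets are exact and no
        latin-1 round trip is needed.

        Raises ValueError when no key is present.
        """
        key_match = self._KEY_RE.search(data)
        if key_match is None:
            raise ValueError("no 20-digit RC4 key found in section data")
        key = key_match.group(0)
        config = self._B64_RE.findall(data)
        return key, config

    def config_extract(self):
        """Return the raw bytes of the sample's ``.rdata`` section.

        Raises ValueError if the PE has no ``.rdata`` section; pefile's own
        errors (e.g. not a PE file) propagate unchanged.
        """
        pe = pefile.PE(self.filename)
        try:
            for section in pe.sections:
                # Section names are NUL-padded bytes; compare on the bytes
                # rather than on their repr().
                if b".rdata" in section.Name:
                    return section.get_data()
        finally:
            # Release the file mapping even when we return early.
            pe.close()
        raise ValueError(f"no .rdata section in {self.filename}")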
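def main():
    """Command-line entry point: ``python script.py <pe-file>``.

    Reads the sample's .rdata section, locates the RC4 key and the encrypted
    strings, and prints each decrypted string on its own line. Exits with
    status 2 when the PE path argument is missing.
    """
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <pe-file>", file=sys.stderr)
        sys.exit(2)
    extractor = Config_Extract(sys.argv[1])
    data = extractor.config_extract()
    key, config = extractor.locate_configs(data)
    for item in config:
        output = extractor.rc4_decrypt(key, item)
        # "" marks a blob that was not valid base64; an empty decryption
        # carries nothing worth printing either.
        if not output:
            continue
        # latin-1 maps every byte to a code point, so decoding cannot fail.
        print(output.decode('latin-1'))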
# Run the decryptor only when executed as a script, not on import.
if __name__ == '__main__':
    main()