Attempt at Stealc String Decryptor
from arc4 import ARC4 | |
import sys | |
import pefile | |
import requests | |
import binascii | |
import re | |
import base64 | |
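class Config_Extract():
    """Recover the RC4-encrypted strings embedded in a Stealc sample.

    Intended flow (see ``main``): ``config_extract`` returns the raw bytes of
    the ``.rdata`` section, ``locate_configs`` pulls the 20-digit RC4 key and
    every base64 blob out of those bytes, and ``rc4_decrypt`` turns one blob
    back into plaintext.  The decryption itself needs only the standard
    library; ``pefile`` is required to read the PE section.
    """

    # The key is stored as 20 consecutive ASCII digits inside .rdata.
    _KEY_RE = re.compile(rb"[0-9]{20}")
    # Each encrypted string is a base64 run that directly follows four NUL bytes.
    _B64_RE = re.compile(rb"\x00{4}([0-9A-Za-z+=/]+)")

    def __init__(self, filename):
        # Path of the PE file to analyse; it is opened lazily in config_extract().
        self.filename = filename

    @staticmethod
    def _rc4(key, data):
        """Return ``data`` XORed with the RC4 keystream derived from ``key``.

        Plain RC4 (key scheduling + PRGA) written against the standard library
        so the ``arc4`` extension module is not needed to run the decryptor.
        ``key`` may be ``bytes`` or ``str`` (encoded as UTF-8); ``data`` is
        ``bytes``-like.  RC4 is symmetric, so this both encrypts and decrypts.

        Raises:
            ValueError: if ``key`` is empty (RC4 is undefined for it).
        """
        if isinstance(key, str):
            key = key.encode("utf-8")
        if not key:
            raise ValueError("RC4 key must not be empty")
        sbox = list(range(256))
        key_len = len(key)
        j = 0
        for i in range(256):
            j = (j + sbox[i] + key[i % key_len]) & 0xFF
            sbox[i], sbox[j] = sbox[j], sbox[i]
        out = bytearray(len(data))
        i = j = 0
        for pos, byte in enumerate(data):
            i = (i + 1) & 0xFF
            j = (j + sbox[i]) & 0xFF
            sbox[i], sbox[j] = sbox[j], sbox[i]
            out[pos] = byte ^ sbox[(sbox[i] + sbox[j]) & 0xFF]
        return bytes(out)

    def rc4_decrypt(self, key, data):
        """Base64-decode ``data`` and RC4-decrypt it with ``key``.

        Returns the decrypted ``bytes``, or the empty ``str`` ``""`` when
        ``data`` cannot be base64-decoded (``main`` relies on that sentinel to
        skip the blob).  Only decoding failures are swallowed; anything else,
        including an empty key, propagates.
        """
        try:
            decoded = base64.b64decode(data)
        except (binascii.Error, ValueError, TypeError):
            # Not a usable base64 blob (e.g. a false positive of _B64_RE): skip it.
            return ""
        return self._rc4(key, decoded)

    def locate_configs(self, data):
        """Find the RC4 key and every base64 blob in raw section bytes.

        Args:
            data: contents of the ``.rdata`` section as ``bytes``.

        Returns:
            ``(key, config)`` where ``key`` is the 20-digit key as ``bytes`` and
            ``config`` is the list of base64 blobs (``bytes``) in file order.

        Raises:
            ValueError: if no 20-digit key is present in ``data``.
        """
        key_match = self._KEY_RE.search(data)
        if key_match is None:
            raise ValueError("no 20-digit RC4 key found in section data")
        # Both patterns are pure ASCII, so matching the bytes directly gives the
        # same result as a latin-1 round trip without the extra copy.
        return key_match.group(0), self._B64_RE.findall(data)

    def config_extract(self):
        """Return the raw bytes of the sample's ``.rdata`` section.

        Raises:
            ValueError: if the PE has no ``.rdata`` section.
            pefile.PEFormatError: if ``self.filename`` is not a parseable PE.
        """
        pe = pefile.PE(self.filename)
        try:
            for section in pe.sections:
                # Section names are NUL-padded bytes, so compare as bytes.
                if b".rdata" in section.Name:
                    return section.get_data()
        finally:
            # Release the file mapping even when a section is found early.
            pe.close()
        raise ValueError(f"{self.filename}: no .rdata section found")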
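def main():
    """CLI entry point: decrypt and print every Stealc string in ``sys.argv[1]``.

    Usage: ``python <script> <stealc_sample>``.  Each decrypted blob is printed
    on its own line; blobs that are not valid base64 are skipped.  Exits with
    status 2 when the sample path is missing.
    """
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <stealc_sample>", file=sys.stderr)
        sys.exit(2)
    extractor = Config_Extract(sys.argv[1])
    data = extractor.config_extract()
    key, config = extractor.locate_configs(data)
    for item in config:
        output = extractor.rc4_decrypt(key, item)
        # rc4_decrypt returns the str "" for undecodable blobs; skip those.
        if output == "":
            continue
        print(output.decode("latin-1"))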
if __name__ == "__main__":
    # Run the decryptor only when executed as a script, not when imported.
    main()