https://github.com/sallie-may/bad-stealer-analysis
A simple leak of a stealer that is starting to show up in a lot of Python programs as a dualhook
- Host: GitHub
- URL: https://github.com/sallie-may/bad-stealer-analysis
- Owner: Sallie-May
- Created: 2024-07-20T10:48:57.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2024-08-07T13:01:37.000Z (3 months ago)
- Last Synced: 2024-08-08T02:19:03.246Z (3 months ago)
- Topics: account, leak, malware, miner, miner-crypto, monitoring, python, rat, russian, source-code, src, stealer
- Language: Python
- Homepage:
- Size: 128 KB
- Stars: 9
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Welcome to Stealer Analysis + Source Code + List of (GitHub) accounts hosting malware
`If you see any obfuscated repository that seems sketchy, open an issue; I will try to deobfuscate it.`
This repo provides analysis and source code for various bad stealers, focusing especially on the poorly coded ones in Python.
Click on the text below to get all the information about them!
1312 Stealer
## A simple leak of this stealer, which is starting to show up in a lot of Python programs as a dualhook
The stealer is hidden inside a lot of programs (fake stealers, fake tools, etc.) using the `;` technique.
```py
import requests ;exec("code")
```
It calls requests.get() on a website and removes the tags to get the code hidden inside the fake "Cloudflare blocked" web page.
The stealer seems original, but it is still pretty bad; nothing very advanced.
They also have a crypto miner that is executed at some point:
- https[:][/][/]kleinanzeigen[.]ru/hvnc.exe
- https[:][/][/]kleinanzeigen[.]ru/miner.exe

What it steals:
- Browser data (history, cookies, passwords and more!)
- Telegram files
- Discord token
- It injects a modified asar file into Exodus and Atomic
- It searches the whole computer for files with these names:
  - Passwords and account information: passw, mdp, motdepasse, mot_de_passe, login, secret, account, acount, paypal, banque, compte
  - Cryptocurrency and security: metamask, wallet, crypto, exodus, 2fa, token, backup, memo, seecret
  - Communication and miscellaneous: discord, code

It checks that the file exists and then verifies whether the extension is one of:
- Text and document files: .txt, .log, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .pdf, .rtf, .json, .csv, .db
- Image and video files: .jpg, .jpeg, .png, .gif, .webp, .mp4

And even more data!
If at one point you feel like "using" it, don't, it is shit
RUN IN A VM
Acab Stealer (1312 STEALER COPY)
## A simple leak of this stealer, which is starting to show up in a lot of Python programs as a dualhook (like 1312)
The stealer is hidden inside a lot of programs (fake stealers, fake tools, etc.) using the `;` technique.
```py
import requests ;exec("code")
```
It calls requests.get() on a website and removes the tags to get the code hidden inside the fake "Cloudflare blocked" web page.
The stealer seems original, but it is still pretty bad; nothing very advanced.
They also have a crypto miner that is executed at some point:
- https[:][/][/]kleinanzeigen[.]ru/hvnc.exe
- https[:][/][/]kleinanzeigen[.]ru/miner.exe

What it steals:
- Browser data (history, cookies, passwords and more!)
- Telegram files
- Discord token
- It injects a modified asar file into Exodus and Atomic
- It searches the whole computer for files with these names:
  - Passwords and account information: passw, mdp, motdepasse, mot_de_passe, login, secret, account, acount, paypal, banque, compte
  - Cryptocurrency and security: metamask, wallet, crypto, exodus, 2fa, token, backup, memo, seecret
  - Communication and miscellaneous: discord, code

It checks that the file exists and then verifies whether the extension is one of:
- Text and document files: .txt, .log, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .pdf, .rtf, .json, .csv, .db
- Image and video files: .jpg, .jpeg, .png, .gif, .webp, .mp4

And even more data!
If at one point you feel like "using" it, don't, it is shit
RUN IN A VM
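
A reviewer-side check for the `;` pattern shown in both stealer sections above, as an added example that is not code from this repository; the function names, the watch list and the sample input are constructed for illustration. It parses a file without executing it and goes beyond `exec` to also flag `eval`, `compile` and `__import__` when they share a line with an import.

```python
import ast

# Builtins that run or load code chosen at run time (assumed watch list).
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}


def _dynamic_calls(stmt):
    """Names of watched builtins called anywhere inside one statement."""
    return sorted({
        n.func.id for n in ast.walk(stmt)
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
        and n.func.id in DYNAMIC_CALLS
    })


def find_import_exec_lines(source):
    """Return [(line, column, calls)] for statements that share a physical
    line with an import and call exec/eval/compile/__import__.

    The source is only parsed, never executed.
    """
    findings = []
    for parent in ast.walk(ast.parse(source)):
        # Statement lists live in these fields of modules, defs, loops, try...
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(parent, field, None)
            if not isinstance(stmts, list):
                continue
            import_lines = set()  # lines on which an import statement ends
            for stmt in stmts:
                if isinstance(stmt, (ast.Import, ast.ImportFrom)):
                    import_lines.add(stmt.end_lineno)
                elif stmt.lineno in import_lines:
                    calls = _dynamic_calls(stmt)
                    if calls:
                        findings.append((stmt.lineno, stmt.col_offset, calls))
    return sorted(findings)


# Constructed sample: line 2 is the form shown on this page, line 4 is a
# harmless one-liner that must not be flagged.
SAMPLE = (
    "import os\n"
    'import requests ;exec("pass")\n'
    "def f():\n"
    "    import json; data = json.loads('{}')\n"
    '    import sys; eval("1 + 1")\n'
)

if __name__ == "__main__":
    for line, col, calls in find_import_exec_lines(SAMPLE):
        print(f"line {line}, column {col}: {', '.join(calls)} after an import")
```

The reported column is where the flagged statement starts, which helps when it sits outside the visible width of an editor or diff view.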
## Because I'm bored, here is a small list of accounts that host malware. NEVER download from them
GitHub account list
```
@joncema (Reported by me and got banned)
@webs0ckett (Reported by me and got banned, insulting trans people gets you banned after all ;))
@zevx-nz (Reported by me and got banned)
@Rabchin (Reported by me or maybe someone else and got banned)
@Marcel1997 (Reported by me and got banned)
@FriedrichScholl (Reported by me and got banned)
@0PPHUNT3R - Not malware but may be a dualhook
@prometheusdevelop (Reported by me and got banned)
@kelgleRCrpatty (Reported by me and got banned)
@errias
@theruebezahl
@noth1ng86
And pretty much everything that is constantly updated and has emoji like fire, rocket and flame
```
You can contribute to this repository if you wish.
Always run in a VM
AND DON'T USE ANY OF THESE PROGRAMS. I'M NOT RESPONSIBLE FOR YOUR ACTIONS