forked from RussianPanda95/Configuration_extractors
-
Notifications
You must be signed in to change notification settings - Fork 0
/
metastealer_config_extractor.py
167 lines (136 loc) · 5.92 KB
/
metastealer_config_extractor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
import base64
import os
import re
from pathlib import Path
from sys import argv
from tempfile import NamedTemporaryFile
from typing import BinaryIO, List, Optional
import clr
from maco.extractor import Extractor
from maco.model import ExtractorModel
# Check default location from package install
dn_lib_found = list(Path("/usr/lib").glob("**/dnlib.dll"))
DNLIB_PACKAGE_PATH = str(dn_lib_found[0]) if dn_lib_found else "dnlib"
DNLIB_PATH = os.environ.get("DNLIB_PATH", DNLIB_PACKAGE_PATH)
if not os.path.exists(DNLIB_PATH):
raise FileNotFoundError(DNLIB_PATH)
clr.AddReference(DNLIB_PATH)
import dnlib
from dnlib.DotNet import ModuleDefMD
from dnlib.DotNet.Emit import OpCodes
def xor_data(data, key):
return bytes([data[i] ^ key[i % len(key)] for i in range(len(data))])
def extract_strings_from_dotnet(target_path):
module = ModuleDefMD.Load(target_path)
hardcoded_strings = []
for t in module.Types:
for m in t.Methods:
if m.HasBody:
for instr in m.Body.Instructions:
if instr.OpCode == OpCodes.Ldstr:
hardcoded_strings.append(instr.Operand)
return hardcoded_strings
class MetaStealer(Extractor):
family = "MetaStealer"
author = "@RussianPanda"
last_modified = "2024-02-02"
sharing: str = "TLP:CLEAR"
reference: str = "https://russianpanda.com/2023/11/20/MetaStealer-Redline%27s-Doppelganger/"
yara_rule: str = """
import "pe"
rule MetaStealer {
meta:
author = "RussianPanda"
decription = "Detects the old version of MetaStealer 11-2023"
date = "11/16/2023"
strings:
$s1 = "FileScannerRule"
$s2 = "MSObject"
$s3 = "MSValue"
$s4 = "GetBrowsers"
$s5 = "Biohazard"
condition:
4 of ($s*)
and pe.imports("mscoree.dll")
}
"""
def run(self, stream: BinaryIO, matches: List = []) -> Optional[ExtractorModel]:
with NamedTemporaryFile() as file:
file.write(stream.read())
file.flush()
extracted_strings = extract_strings_from_dotnet(file.name)
cfg = ExtractorModel(family=self.family)
b64 = r"^[A-Za-z0-9+/]+={0,2}$"
b64_strings = []
last_b64_index = -1
for i, string in enumerate(extracted_strings):
if re.match(b64, string) and len(string) % 4 == 0 and len(string) > 20:
b64_strings.append(string)
last_b64_index = i
xor_key_match = None
if last_b64_index != -1 and last_b64_index + 2 < len(extracted_strings):
xor_key_match = extracted_strings[last_b64_index + 2]
if b64_strings:
string = b64_strings[0]
self.logger.info("Authentication token:", string)
cfg.other["Authentication token"] = string
xor_key = None
if last_b64_index is not None and last_b64_index + 1 < len(extracted_strings):
potential_key = extracted_strings[last_b64_index + 1]
if potential_key:
xor_key = potential_key.encode()
else:
xor_key = xor_key_match.encode() if xor_key_match else None
if xor_key:
for string in b64_strings[1:]:
dec_Data = base64.b64decode(string)
xor_result = xor_data(dec_Data, xor_key)
try:
final_result = base64.b64decode(xor_result)
string_result = final_result.decode("utf-8")
self.logger.info("Decrypted String:", string_result)
cfg.encryption.append(cfg.Encryption(algorithm="XOR", key=xor_key))
cfg.decoded_strings.append(string_result)
except Exception:
pass
if len(b64_strings) < 3:
dec_data_another = None
xor_key_another = None
if last_b64_index != -1 and last_b64_index + 1 < len(extracted_strings):
dec_data_another = extracted_strings[last_b64_index + 1]
if last_b64_index != -1 and last_b64_index + 2 < len(extracted_strings):
xor_key_another = extracted_strings[last_b64_index + 3]
if xor_key_another:
xor_key = xor_key_another.encode()
if dec_data_another:
try:
dec_Data = base64.b64decode(dec_data_another)
xor_result = xor_data(dec_Data, xor_key)
final_result = base64.b64decode(xor_result)
string_result = final_result.decode("utf-8")
self.logger.info("Decrypted String:", string_result)
cfg.encryption.append(cfg.Encryption(algorithm="XOR", key=xor_key))
cfg.decoded_strings.append(string_result)
except Exception as e:
self.logger.info(f"Error in decryption: {e}")
for string in b64_strings:
try:
dec_Data = base64.b64decode(string)
xor_result = xor_data(dec_Data, xor_key)
final_result = base64.b64decode(xor_result)
string_result = final_result.decode("utf-8")
self.logger.info("Decrypted String:", string_result)
cfg.encryption.append(cfg.Encryption(algorithm="XOR", key=xor_key))
cfg.decoded_strings.append(string_result)
except Exception:
continue
return cfg
if __name__ == "__main__":
parser = MetaStealer()
file_path = argv[1]
with open(file_path, "rb") as f:
result = parser.run(f)
if result:
print(result.model_dump_json(indent=2, exclude_none=True, exclude_defaults=True))
else:
print("No configuration extracted")