# Author: RussianPanda
import argparse
import re
import sys
from base64 import b64decode

from backports.pbkdf2 import pbkdf2_hmac
from Crypto.Cipher import AES
from dotnetfile import DotNetPE
# Command-line interface: the only input is the path of the .NET sample to parse.
parser = argparse.ArgumentParser()
parser.add_argument(
    "-f",
    "--file",
    required=True,
    help="path of the binary file",
)
args = parser.parse_args()
def decrypt_AES(ciphertext, key, iv):
    """Decrypt *ciphertext* with AES in CBC mode under *key* and *iv*.

    Returns the raw block-cipher output as bytes: no padding is removed and
    no integrity check is performed here, so the caller must strip whatever
    header and padding bytes it expects from the result.
    """
    cbc = AES.new(key, AES.MODE_CBC, iv)
    return cbc.decrypt(ciphertext)
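# PBKDF2 salt hard-coded in the AsyncRAT client this extractor targets.
salt = b'\xbf\xeb\x1e\x56\xfb\xcd\x97\x3b\xb2\x19\x02\x24\x30\xa5\x78\x43\x00\x3d\x56\x44\xd2\x1e\x62\xb9\xd4\xf1\x80\xe7\xe6\xc3\x39\x41'
dotnet_file_path = args.file
dotnet_file = DotNetPE(dotnet_file_path)
# All config values live in the #US (user string) stream of the assembly.
data = dotnet_file.get_user_stream_strings()
# Constants from the client source that describe the encrypted-setting layout:
#   // Token: 0x04000045 RID: 69
#   private const int KeyLength = 32;
#   // Token: 0x04000046 RID: 70
#   private const int AuthKeyLength = 64;
#   // Token: 0x04000047 RID: 71
#   private const int IvLength = 16;
#   // Token: 0x04000048 RID: 72
#   private const int HmacSha256Length = 32;
# This script reads the IV from bytes 32..48 of the first encrypted setting
# and, later, skips the first 48 bytes of every decrypted value.
# The extractor relies on a fixed #US layout: entry 1 is the first encrypted
# setting and entry 7 is the base64-encoded passphrase. Fail with a clear
# message instead of an IndexError when the sample does not match.
if len(data) < 8:
    raise SystemExit(f"unexpected #US stream: {len(data)} strings found, at least 8 expected")
b64dec = b64decode(data[1])
key_enc = data[7]
key_dec = b64decode(key_enc).decode()
key = key_dec.encode("utf-8")
# PBKDF2-HMAC-SHA1, 50000 rounds, 32-byte output: the client's key derivation.
dec_key = pbkdf2_hmac("sha1", key, salt, 50000, 32)
iv = b64dec[32:48]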
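# Base64 detector: at least 20 characters of well-formed quartets with
# optional '=' padding. Compiled once since it runs against every string.
base64_pattern = r"^(?=.{20,})(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
_b64_re = re.compile(base64_pattern)
# Labels for the encrypted settings, in the order they appear in the stream.
b64_values = ['Ports','Hosts','Version','Install','Key','MTX','Certificate', 'ServerSignature', 'Anti', 'Pastebin', 'BDOS', 'Group']
# Labels for the plaintext settings that follow the encrypted ones.
other_list = ["InstallFolder", "InstallFile", "Delay", "Hwid"]
value_strings = []
counter_list = []
counter = 0
for value in data:
    if _b64_re.search(value):
        raw = b64decode(value)
        # AES-CBC needs whole 16-byte blocks; a base64 string that is not a
        # config blob would otherwise abort the whole extraction.
        if len(raw) % 16 != 0:
            continue
        plaintext = decrypt_AES(raw, dec_key, iv)
        # Skip the 32-byte HMAC and 16-byte IV prefix. The output is neither
        # unpadded nor integrity-checked, so undecodable bytes are dropped and
        # the regex removes padding and any residual garbage.
        cleaned = plaintext[48:].decode(errors="ignore")
        cleaned = re.sub(r'[^a-zA-Z0-9 _.,|]+', '', cleaned)
        value_strings.append(cleaned)
    else:
        # The plaintext settings are the 2nd..5th non-base64 strings; stop
        # scanning once those have been collected.
        counter += 1
        if 2 <= counter <= 5:
            counter_list.append(value)
        elif counter > 5:
            break
# Warn when the number of decrypted values does not match the label list,
# since labels would then be attributed to the wrong values.
if len(value_strings) != len(b64_values):
    print(
        f"warning: {len(value_strings)} encrypted values found, "
        f"{len(b64_values)} expected; labels may be misaligned",
        file=sys.stderr,
    )
for label, text in zip(other_list, counter_list):
    print(f"{label}: {text}")
# Entry 7 of the stream is the base64 passphrase; report it as the 'Key'
# setting instead of the decrypted placeholder at that position.
if len(value_strings) > 4:
    value_strings[4] = data[7]
for label, text in zip(b64_values, value_strings):
    print(f"{label}: {text}")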