TaxMachine / Grabbers-Deobfuscator

Decompiler and deobfuscator that offers support to track discord webhooks inside: blank stealer, luna grabber, thiefcat, Creal and all unobfuscated grabbers

Vare stealer #10

Closed XerooPY closed 6 months ago

XerooPY commented 7 months ago

https://github.com/saintdaddy/Vare-Stealer

TaxMachine commented 7 months ago

I didn't implement any Node.js deobfuscator, but I'll take a look at it when I'm free

XerooPY commented 7 months ago

ah i thought it was python cuz when i tried to decompile it, it outputted a pyc file and some long string was encrypted. this is like 4 of the things from it: '15|05|45|201', a bunch of different numbers in a string separated by |. so idk, if u know what's going on you'd find a lot more than me tho, i can tell u that

TaxMachine commented 7 months ago

This string obfuscation is typical for JavaScript but idk why you got pyc files. Maybe you're mixing things up

XerooPY commented 7 months ago

ah i ran it through pyinstxtractor and it came out with a pyc file. i can upload the exe i used but it's not mine and i'm very sure the webhook is still active. but I did look through it

```python
config = {
    'VARE': '2.0',
    'Author': 'https://github.com/saintdaddy'
}
```

and found this. the rest is weirdly obfuscated. here's a bit of the code, can't really make out what's going on here. also the imports are at the bottom if you need to see them.

```python
def saint4902433():
    if 8903155 == 5939562:
        print(4043628)
        aaa6049639 = 1943559
        print(3135092)
        bbb1013806 = 378568
        aa1544944 = 6391692
        z8070468 = 8102617
        zz8028378 = 1412870
        c5071980 = 3045091
        cc8319098 = 2453375
        return None
    if None == 368254:
        print(5689286)
        aaa9295404 = 258391
        print(1232651)
        bbb423758 = 646837
        aa2758976 = 7650540
        x1487175 = 9137954
        xx6451771 = 1851509
        a6018230 = 171586
        aa3598360 = 2134285
        return None

def saint9451877():
    if 7327944 == 2709796:
        print(3142404)
        aaa8014783 = 8344604
        print(6798708)
        bbb1341597 = 3141412
        aa3467248 = 1189328
        z5277968 = 1508241
        zz7464729 = 3786551
        c7448617 = 533649
        cc935851 = 5364804
        return None
    if None == 2966081:
        print(7145137)
        aaa5169395 = 5677245
        print(8023773)
        bbb5944885 = 3532180
        aa3968941 = 8056843
        x5128157 = 6087291
        xx4466228 = 2552475
        a1758780 = 8443311
        aa4979105 = 6922573
        return None

import base64
import ctypes
import json
import os
import random
import re
import sqlite3
import subprocess
import sys
import threading
import time
from shutil import copy2
from zipfile import ZIP_DEFLATED, ZipFile
import psutil
import requests
from Crypto.Cipher import AES
from PIL import ImageGrab
from requests_toolbelt.multipart.encoder import MultipartEncoder
from win32crypt import CryptUnprotectData
```
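An added example, not part of the original thread and not this project's code: the `saint…` functions quoted above consist only of `if` tests that compare unequal literals, so an analyst can strip them statically with Python's `ast` module before reading the rest of a decompiled sample. `SAMPLE`, `const_test`, `DeadBranchPruner` and `prune` are hypothetical names, the sample is constructed, and only `if` statements nested in functions or other `if`s are handled.

```python
import ast

# Constructed sample shaped like the decompiled snippet quoted above.
SAMPLE = """
def saint4902433():
    if 8903155 == 5939562:
        print(4043628)
        return None
    if None == 368254:
        print(5689286)
        return None
def real_logic(path):
    if 1 == 1:
        return path.upper()
"""

def const_test(test):
    """True/False when `test` is literal ==/!= literal, else None."""
    if (isinstance(test, ast.Compare) and len(test.ops) == 1
            and isinstance(test.ops[0], (ast.Eq, ast.NotEq))
            and isinstance(test.left, ast.Constant)
            and isinstance(test.comparators[0], ast.Constant)):
        equal = test.left.value == test.comparators[0].value
        return equal if isinstance(test.ops[0], ast.Eq) else not equal
    return None

class DeadBranchPruner(ast.NodeTransformer):
    def __init__(self):
        self.junk = []  # names of functions left empty; check call sites

    def visit_If(self, node):
        self.generic_visit(node)
        verdict = const_test(node.test)
        if verdict is None:
            node.body = node.body or [ast.Pass()]  # keep the AST valid
            return node
        return node.body if verdict else node.orelse  # [] deletes the `if`

    def visit_FunctionDef(self, node):
        self.generic_visit(node)
        if node.body:
            return node
        self.junk.append(node.name)
        return None  # drop functions that held only dead branches

def prune(source):  # parses only; the sample is never executed
    pruner = DeadBranchPruner()
    tree = ast.fix_missing_locations(pruner.visit(ast.parse(source)))
    return ast.unparse(tree), pruner.junk
```

`prune(SAMPLE)` returns the cleaned source together with the names of the removed junk functions, so any remaining calls to them can be reviewed by hand.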

TaxMachine commented 7 months ago

That's weird. It's probably not the same grabber

TaxMachine commented 6 months ago

Btw, can you send me the grabber on Discord?

XerooPY commented 6 months ago

yeah sure, sorry for the late reply, haven't been on my pc for a while. i'm joining your discord right now

XerooPY commented 6 months ago

ah your discord invite doesn't work, can u drop a quick add to my tag envyyy.me

XerooPY commented 6 months ago

ah found ur tag, added u

TaxMachine commented 6 months ago

Deobfuscation added 👍