RHAD Stealer *Wiki*
Main features
- [More secure network architecture] Communication between the client and the server fully supports SSL encryption. The back-end main server supports a front-end shim server as a protective layer, so the main server IP is never exposed. If a shim server is taken down after IP abuse complaints, the main server is not at risk of being stopped: just start a new shim server and activate it on the main server to return to normal. The main server's operation panel has a TOR network address enabled by default during installation, which protects it further.
- [Better runtime] All operations on the client side are performed in SYSCALL mode (direct system calls), which better avoids AV/EDR runtime detection through user-mode API hooks. Users only need to care about AV static detection of the initial program; encrypt (crypt) the static files properly and the build will execute well.
- [Everything can be collected] New programs and information-interception capabilities can be added at any time. The modular construction of the program means this capability can be expanded almost without limit. If you can think of it, it can help you achieve it.
- [Real-time wallet cracking] As the first to bring real-time wallet cracking into a stealer program, we will support more wallet types and launch a new offline cracking program for members.
- [More powerful panel] You can now export cookies and passwords by domain name, download them in batches, and see clearly whether a log has been downloaded and how many times. There are too many detail changes to list one by one.
Build Generation
requirements:
Build Generation steps:
@bingo_sir Rhadamanthys Stealer.mp4
1. Click "Build" to open the client build page.
2. Modify the URL: replace the server part with the IP and port of the shim server (or main server), according to your needs. The complete URL is composed as: http(s)://server IP:port/gateway address/file name. Replace only the server IP and port and keep the rest unchanged, otherwise the URL is wrong. (Please ignore the incorrect URL replacement shown in the video.)
3. Upload the corresponding server.crt.
4. Select which functions should be turned on or off.
5. Click "Build"; the server will automatically generate and package the client for download.
6. The decompression password of the generated ZIP file is the password used for the management panel.
7. CRYPT the generated files before using them. ⭐️⭐️⭐️⭐️⭐️⭐️
⚠️ If any of the following processes are running, the program will automatically exit: procexp.exe, procexp64.exe, tcpview.exe, tcpview64.exe, Procmon.exe, Procmon64.exe, vmmap.exe, vmmap64.exe, portmon.exe, processlasso.exe, Wireshark.exe, Fiddler Everywhere.exe, Fiddler.exe, ida.exe, ida64.exe, ImmunityDebugger.exe, WinDump.exe, x64dbg.exe, x32dbg.exe, OllyDbg.exe, ProcessHacker.exe
⚠️ The client build URL only supports shim-server or main-server addresses for communication; TOR addresses are not supported. Be careful not to make typos.
⚠️ Terms of use: - Crypting is required; don't spoil our, your, or others' mood :). - Builds that are submitted to VT are disabled.
OLD LOG INFO
WEB-Panel-Dashboard
2 Server memory usage, two pie charts. The first is the percentage of total server system memory in use, which includes memory used by file-level storage (cache); don't worry if it shows a high percentage. The second is the memory used by the server program itself; if this is over 50%, consider upgrading the memory configuration.
Rhadamanthys Stealer -v0.4.1
To host the panel you will need a VPS or dedicated server (which can be purchased here) running CentOS 8 with:
4GB memory
4 cores
60GB disk
1GB/sec port
After purchasing the subscription, you will receive the server installation ZIP package, which contains the RPM installation files and one-click installation scripts for the current server programs. The JSON file is the corresponding sample configuration.
**Prepare the installation package and connect to the server with the upload tool Bitvise SSH Client**
3. Wait a while; the installation script will automatically complete all installation and environment setup.
WEB-Panel-Logs
December 19, 2022
Once the client is running, it transmits the acquired data back to the server in real time; the server receives, parses, processes and records the data in the database.
The information for each log can be seen clearly and intuitively on the WEB panel.
① ID: the numeric identifier of the record. It is an auto-incrementing (+1) number and is the unique number of the log record. Records are not cleared from the database.
② IP: the external (public) IP of the corresponding machine
③ Status: a rough summary of the log contents
2. Credits: number of credit card records
3. Logins: number of browser password records
4. Cookies: number of cookies
5. Number of acquired cryptocurrency wallets.
⓵ Click to download the corresponding wallet file directly ⓶ Copy the wallet's seed phrase
④ Important: shows the domain-name TAGs configured in the TAG settings that need attention
⑤ Origin: the installation-source identifier of the log record
⑥ Timestamp: the time the server received the data
⑦ Comment: notes you can attach to the log
⑩ Delete: deletes the currently viewed record; deletion requires confirmation to prevent mistakes
⑪ More: click to open the log details
Flexible and powerful search and filter functions
⓵ Date range: time range selection
⓸ Origin Tags: installation-source tags, traffic-vendor tags
⓺ Note: note contents; supports fuzzy search
⓻ Includes: the program's built-in software-category labels; select from all supported software types.
Search conditions support single or compound filtering. Once filter criteria are set, they stay in effect until reset or until the panel is re-run, and they also apply to all log-export operations. You can use this to conveniently package and export log records matching specified conditions. Example: if you only need the logs containing GOOGLE records, search and filter first, then run the export/package function; the export will automatically apply the current filter condition.
Powerful log packaging and export function
On the WEB panel, besides single records, you can download the displayed log records in batches. There is also one-click export of all logs, and an automatic sync export function.
One-click all export & high-speed download:
After the export completes, the WEB panel is unlocked and the exported log file can be downloaded. Besides connecting to the server over SFTP, V0.4 provides direct download from the WEB panel: enable WEB directory access, hand the download to the IDM download tool, and download it efficiently and quickly. The operation is as follows:
⓵ If WEB directory access has not been enabled on the server configuration page, it is shown in red; click Edit to enable WEB access.
② Click a log entry on the panel to download it. When there are many logs, click the IDM... button; the program will generate a text download list of all logs that you can import into IDM for quick downloading.
⓷ When the above is done, delete all exported files to free the disk space they occupy by executing "Remove all file".
The automatic sync export function is new in V0.4, for the convenience of users who have the automatic checker function. When new data is received it is automatically exported to the specified directory; you can set this to the same directory used for the full export.
The difference is that it does not use the ZIP format; it exports the uncompressed folder directly as a directory. You can use SYN synchronization software to sync the server-side sync directory to your local system.
Export passwords as brute-force dictionary:
WEB-Panel-grab
The client has a built-in file collection module. Search rules are pushed from the server back-end configuration and can be modified in real time. Windows environment variables and wildcards are supported as search criteria, and recursive search is supported. Wildcard syntax is fully compatible with: https://documentation.help/PuTTY/psftp-wildcards.html
Using %DSK235% as a conditional item in file search operations is supported.
5 denotes a network-mapped drive, which requires a system-assigned drive letter
Maximum size: the unit here is bytes (1024 = 1 KB)
WEB Panel-Temporary
Settings changed here while the server is running take effect immediately; the server restores the default settings after a restart. Changes made here take precedence over the settings in the server configuration.
When the function switch is set to ON:
❶ Filter by HWID: newly received duplicate records are not displayed on the panel.
❷ After logs are exported to the directory, with WEB access to that directory enabled, you can use tools such as IDM to batch-download all logs directly.
❸ Set the log display page size: the number of records shown per page, up to a maximum of 2000.
WEB Panel-Origin
❶ Add a new traffic-source label
❷ ❸ Import and export label settings, so migrating servers is easy; no need to rebuild them manually
❹ Get the URL of the install/visit statistics page for an individual traffic-source label
WEB Panel-Custom Tags
Custom labels can be shown in the log list so you can see at a glance whether the log data contains the information you need. They are also used as search conditions and as the filter trigger condition for loader download tasks.
❷ Import a local TAG configuration backup
❸ Export the current configuration as a local backup
❹ Edit and modify existing tags
WEB Panel-Extension
This module lets POWERSHELL scripts interact with the main program through simple settings on the panel, in order to perform complex operations. The POWERSHELL scripts run in an environment where AMSI and ETW are bypassed, run independently without affecting the stability of the main program, and can exchange data with the main program and return results. Enabling, adding and modifying configurations all take effect in real time; the client does not need to be rebuilt.
❷ Import a locally backed-up script configuration
❸ Export the existing configuration as a local backup
❹ Built-in internal functions that can interact with the main program
❺ Several teaching examples provided
❻ Edit and modify the current script
❼ Delete the current script configuration
WEB Panel-Server
When the switch selection is ON
❶ Hide duplicate log records on the panel; duplicates are identified by HWID
❷ Do not display log entries with empty passwords in the panel
❸ Disable country/region restrictions: no country or region is restricted and the program works everywhere
❹ When exporting logs as ZIP, do not insert the logo banner into the cookie record text, to avoid breaking some processing tools
❺ Change the server WEB port; the port can be customized
❻ The URL gateway path used when the client communicates with the server; it must start with /
❼ Change the access port of the admin panel
❽ Change the management panel password
❾ Cloaked website: can be a path or the full path of a ZIP file
❿ Custom password dictionary for wallet cracking, in plain text, one password per line; passwords must be at least 8 characters
⓫ Storage directory for ZIP-packaged exports of all logs
WEB Panel-Telegram Bot
The Telegram Bot can send notifications of received log information to the specified CHAT_ID.
With flexible and varied condition configuration, different messages and content can be sent to different CHAT_IDs, truly supporting a teamwork mode.
bot api token: https://t.me/BotFather
chat_id: https://t.me/RawDataBot
❶ Create a new bot work configuration
❷ Set the API token of your Telegram bot
❸ Import a locally backed-up Telegram bot work configuration
❹ Export the Telegram bot configuration as a local backup
❻ Delete the current work configuration
Message template customization is supported from V0.4.1:
https://www.youtube.com/results?search_query=telegram+token+chatid+
WEB Panel-Task
The built-in native loader supports two kinds of download-and-execute tasks: global, and conditionally triggered. Multiple trigger conditions can be set. Two formats are supported: a bare EXE, or an EXE packed into a ZIP package.
⓵ Upload the EXE or ZIP file to be downloaded and executed to the server
② Set a global download task
In the drop-down list, select the file type to download and execute and the corresponding file
③ Conditionally triggered download task
When the client runs, it fetches the tasks from the server and executes them according to the set conditions. The execution result is shown on the log display page. Here it shows that the two global tasks were executed successfully; because no condition matched, the conditional task was not executed.
WEB Panel-Build
Native EXE: x32, x64; DLL: x32, x64
Customizable x86/x64 shellcode, native and .NET stub
During the license validity period you can build an unlimited number of times.
Multiple build parameters are provided and can be combined as required to cope with different environments and use cases.
Enable screenshot function
After selecting the parameters, click the Build button to generate a password-protected ZIP file containing the EXE or DLL; the decompression password is the WEB panel access password.
The build is cleaned to FUD regularly.
Dear customers and friends! We are able to make the static and runtime states FUD, but this takes time and effort. Therefore we recommend delegating this part of the work to a more professional service.
I need to devote more effort to developing the program's functionality and fixing and improving its defective parts, so everyone should use it properly. Do not use the raw files directly from the build. That works for a while, but soon, because of the raw build, the runtime behavior will be collected and AV will quickly identify and intercept it at runtime. Your delivery will go bad in no time!
So having a third party such as hAp Crypt do the packaging first after the build will give the stub runtime a longer life, and you will get a longer, more reliable return on your investment.
https://t.me/hAp_Crypt_Channel
Custom admin panel entry address
The old admin panel entry is now invalid; you can use