Update test_stealc.py

tests_parsers/test_stealc.py

@@ -10,362 +10,4 @@ def test_stealc():
         conf = extract_config(data.read())
         assert conf == {
             "C2": ["http://95.217.125.57"],
-            """
-            "Strings": [
-                {"dword_64a330": "IN"},
-                {"dword_64a5ec": "09"},
-                {"dword_64a31c": "11"},
-                {"dword_64a570": "20"},
-                {"dword_64a56c": "24"},
-                {"dword_64a3f0": "GetProcAddress"},
-                {"dword_64a204": "LoadLibraryA"},
-                {"dword_64a5c8": "lstrcatA"},
-                {"dword_64a644": "OpenEventA"},
-                {"dword_64a264": "CreateEventA"},
-                {"dword_64a250": "CloseHandle"},
-                {"dword_64a2f8": "Sleep"},
-                {"dword_64a4d4": "GetUserDefaultLangID"},
-                {"dword_64a33c": "VirtualAllocExNuma"},
-                {"dword_64a5a0": ""},
-                {"dword_64a548": ""},
-                {"dword_64a3bc": "VirtualAlloc"},
-                {"dword_64a2e8": "HeapAlloc"},
-                {"dword_64a60c": "GetComputerNameA"},
-                {"dword_64a0b0": "lstrcpyA"},
-                {"dword_64a598": "Get"},
-                {"dword_64a224": "GetCurrentProcess"},
-                {"dword_64a418": "lstrlenA"},
-                {"dword_64a634": "ExitProcess"},
-                {"dword_64a0bc": "GlobalMemoryStatusEx"},
-                {"dword_64a12c": "GetSystemTime"},
-                {"dword_64a2b0": "SystemTimeToFileTime"},
-                {"dword_64a550": "advapi32.dll"},
-                {"dword_64a17c": "gdi32.dll"},
-                {"dword_64a104": "user32.dll"},
-                {"dword_64a1dc": "crypt32.dll"},
-                {"dword_64a328": "ntdll.dll"},
-                {"dword_64a4ac": "GetUserNameA"},
-                {"dword_64a424": "CreateDCA"},
-                {"dword_64a1cc": "GetDeviceCaps"},
-                {"dword_64a394": "ReleaseDC"},
-                {"dword_64a128": "CryptStringToBinaryA"},
-                {"dword_64a414": "sscanf"},
-                {"dword_64a150": ""},
-                {"dword_64a540": "HAL9T"},
-                {"dword_64a61c": "JohnDoe"},
-                {"dword_64a0d0": "DISPLAY"},
-                {"dword_64a400": "%hu/%hu/%hu"},
-                {"dword_64a47c": "srttybh"},
-                {"dword_64a440": "!|"},
-                {"dword_64a1fc": "/2f571d994666c8cb.php"},
-                {"dword_64a32c": "/557b2ce3c387a13c/"},
-                {"dword_64a230": "5385386367"},
-                {"dword_64a58c": "GetEnvironmentVariableA"},
-                {"dword_64a1c4": "GetFileAttributesA"},
-                {"dword_64a178": "GlobalLock"},
-                {"dword_64a1ac": "HeapFree"},
-                {"dword_64a534": "GetFileSize"},
-                {"dword_64a1d8": "GlobalSize"},
-                {"dword_64a390": "CreateToolhelp32Snapshot"},
-                {"dword_64a14c": "IsWow64Process"},
-                {"dword_64a1c8": "Process32Next"},
-                {"dword_64a210": "GetLocalTime"},
-                {"dword_64a324": "FreeLibrary"},
-                {"dword_64a608": "GetTimeZoneInformation"},
-                {"dword_64a2d8": "GetSystemPowerStatus"},
-                {"dword_64a38c": "GetVolumeInformationA"},
-                {"dword_64a538": "GetWindows"},
-                {"dword_64a194": "Process32First"},
-                {"dword_64a3e4": "GetLocaleInfoA"},
-                {"dword_64a4fc": "GetUserDefaultLocaleName"},
-                {"dword_64a4f8": "GetModuleFileNameA"},
-                {"dword_64a0b8": "DeleteFileA"},
-                {"dword_64a4dc": "FindNextFileA"},
-                {"dword_64a13c": "LocalFree"},
-                {"dword_64a24c": "FindClose"},
-                {"dword_64a51c": "SetEnvironmentVariableA"},
-                {"dword_64a18c": "LocalAlloc"},
-                {"dword_64a488": "GetFileSizeEx"},
-                {"dword_64a628": "ReadFile"},
-                {"dword_64a44c": "SetFilePointer"},
-                {"dword_64a4e0": "WriteFile"},
-                {"dword_64a54c": "CreateFileA"},
-                {"dword_64a468": "FindFirstFileA"},
-                {"dword_64a35c": "CopyFileA"},
-                {"dword_64a3a8": "VirtualProtect"},
-                {"dword_64a0a0": "GetLogicalProcessorInformationEx"},
-                {"dword_64a420": "GetLastError"},
-                {"dword_64a368": "lstrcpynA"},
-                {"dword_64a568": "MultiByteToWideChar"},
-                {"dword_64a294": "GlobalFree"},
-                {"dword_64a39c": "WideCharToMultiByte"},
-                {"dword_64a3d8": "GlobalAlloc"},
-                {"dword_64a410": "OpenProcess"},
-                {"dword_64a0e0": "TerminateProcess"},
-                {"dword_64a1ec": "GetCurrentProcessId"},
-                {"dword_64a34c": "gdiplus.dll"},
-                {"dword_64a588": "ole32.dll"},
-                {"dword_64a2e4": "bcrypt.dll"},
-                {"dword_64a2b8": "wininet.dll"},
-                {"dword_64a4e4": "shlwapi.dll"},
-                {"dword_64a20c": "shell32.dll"},
-                {"dword_64a220": "psapi.dll"},
-                {"dword_64a4a8": "rstrtmgr.dll"},
-                {"dword_64a260": "CreateCompatibleBitmap"},
-                {"dword_64a518": "SelectObject"},
-                {"dword_64a2a0": "BitBlt"},
-                {"dword_64a4f4": "DeleteObject"},
-                {"dword_64a604": "CreateCompatibleDC"},
-                {"dword_64a380": "GdipGetImageEncodersSize"},
-                {"dword_64a274": "GdipGetImageEncoders"},
-                {"dword_64a2d4": ""},
-                {"dword_64a19c": "GdiplusStartup"},
-                {"dword_64a43c": "GdiplusShutdown"},
-                {"dword_64a62c": "GdipSaveImageToStream"},
-                {"dword_64a344": "GdipDisposeImage"},
-                {"dword_64a624": "GdipFree"},
-                {"dword_64a388": "Get"},
-                {"dword_64a1b4": "CreateStreamOnHGlobal"},
-                {"dword_64a2e0": "CoUninitialize"},
-                {"dword_64a5e8": "CoInitialize"},
-                {"dword_64a42c": "CoCreateInstance"},
-                {"dword_64a464": "BCryptGenerateSymmetricKey"},
-                {"dword_64a160": "BCryptCloseAlgorithmProvider"},
-                {"dword_64a114": ""},
-                {"dword_64a318": "BCryptSetProperty"},
-                {"dword_64a5b0": "BCryptDestroyKey"},
-                {"dword_64a454": "BCryptOpenAlgorithmProvider"},
-                {"dword_64a340": "GetWindowRect"},
-                {"dword_64a510": "GetDesktopWindow"},
-                {"dword_64a530": "GetDC"},
-                {"dword_64a348": "CloseWindow"},
-                {"dword_64a2dc": "wsprintfA"},
-                {"dword_64a460": "EnumDisplayDevicesA"},
-                {"dword_64a504": "GetKeyboardLayoutList"},
-                {"dword_64a52c": "Char"},
-                {"dword_64a4bc": "wsprintfW"},
-                {"dword_64a478": "RegQueryValueExA"},
-                {"dword_64a218": "RegEnumKeyExA"},
-                {"dword_64a57c": "RegOpenKeyExA"},
-                {"dword_64a1c0": "RegCloseKey"},
-                {"dword_64a640": "RegEnumValueA"},
-                {"dword_64a188": "CryptBinaryToStringA"},
-                {"dword_64a308": "CryptUnprotectData"},
-                {"dword_64a25c": "SHGetFolderPathA"},
-                {"dword_64a338": "ShellExecuteExA"},
-                {"dword_64a258": "InternetOpenUrlA"},
-                {"dword_64a244": "InternetConnectA"},
-                {"dword_64a23c": "InternetCloseHandle"},
-                {"dword_64a40c": "InternetOpenA"},
-                {"dword_64a48c": "HttpSendRequestA"},
-                {"dword_64a46c": "HttpOpenRequestA"},
-                {"dword_64a490": "InternetReadFile"},
-                {"dword_64a5a4": "InternetCrackUrlA"},
-                {"dword_64a1bc": "StrCmpCA"},
-                {"dword_64a55c": "StrStrA"},
-                {"dword_64a240": "StrCmpCW"},
-                {"dword_64a144": "PathMatchSpecA"},
-                {"dword_64a358": "GetModuleFileNameExA"},
-                {"dword_64a5ac": "RmStartSession"},
-                {"dword_64a5c4": "RmRegisterResources"},
-                {"dword_64a100": ""},
-                {"dword_64a0f8": "RmEndSession"},
-                {"dword_64a430": "sqlite3_open"},
-                {"dword_64a148": "sqlite3_prepare_v2"},
-                {"dword_64a3c4": "sqlite3_step"},
-                {"dword_64a3ac": "sqlite3_column_text"},
-                {"dword_64a3d4": "sqlite3_finalize"},
-                {"dword_64a554": "sqlite3_close"},
-                {"dword_64a498": "sqlite3_column_bytes"},
-                {"dword_64a59c": "sqlite3_column_blob"},
-                {"dword_64a0ec": "encrypted_key"},
-                {"dword_64a0b4": "PATH"},
-                {"dword_64a578": "C:\\ProgramData\\nss3.dll"},
-                {"dword_64a290": "NSS_Init"},
-                {"dword_64a520": "NSS_Shutdown"},
-                {"dword_64a1e4": "PK11_GetInternalKeySlot"},
-                {"dword_64a184": "PK11_FreeSlot"},
-                {"dword_64a620": "PK11_Authenticate"},
-                {"dword_64a310": "PK11SDR_Decrypt"},
-                {"dword_64a4a4": "C:\\ProgramData\\"},
-                {"dword_64a134": "SELECT origin_url, username_value, password_value "},
-                {"dword_64a37c": "browser: "},
-                {"dword_64a124": "profile: "},
-                {"dword_64a15c": "url: "},
-                {"dword_64a0dc": "login: "},
-                {"dword_64a29c": "password: "},
-                {"dword_64a350": "Opera"},
-                {"dword_64a36c": "OperaGX"},
-                {"dword_64a528": "Network"},
-                {"dword_64a270": "cookies"},
-                {"dword_64a2fc": ".txt"},
-                {"dword_64a2f4": "SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/10"},
-                {"dword_64a3ec": "T"},
-                {"dword_64a0e4": "FALSE"},
-                {"dword_64a4b8": "autofill"},
-                {"dword_64a594": "SELECT name, value FROM autofill"},
-                {"dword_64a3e0": "history"},
-                {"dword_64a3c0": "SELECT url FROM urls LIMIT 1000"},
-                {"dword_64a3a4": "cc"},
-                {"dword_64a1f8": "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards"},
-                {"dword_64a26c": "name: "},
-                {"dword_64a2cc": "month: "},
-                {"dword_64a28c": "year: "},
-                {"dword_64a214": "card: "},
-                {"dword_64a0c8": "Cookies"},
-                {"dword_64a474": "Login Data"},
-                {"dword_64a4c8": "Web Data"},
-                {"dword_64a320": "History"},
-                {"dword_64a63c": "logins.json"},
-                {"dword_64a1b0": "formSubmitUR"},
-                {"dword_64a364": "usernameField"},
-                {"dword_64a4d0": "encryptedUsername"},
-                {"dword_64a4cc": "encryptedPassword"},
-                {"dword_64a5a8": "guid"},
-                {"dword_64a1f4": "SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies"},
-                {"dword_64a0f4": "SELECT fieldname, value FROM moz_formhistory"},
-                {"dword_64a268": "S"},
-                {"dword_64a428": "cookies.sqlite"},
-                {"dword_64a0a8": "formhistory.sqlite"},
-                {"dword_64a138": "places.sqlite"},
-                {"dword_64a500": "plugins"},
-                {"dword_64a4e8": "Local Extension Settings"},
-                {"dword_64a3dc": "Sync Extension Settings"},
-                {"dword_64a1a8": "IndexedDB"},
-                {"dword_64a4f0": "Opera Stable"},
-                {"dword_64a140": "Opera GX Stable"},
-                {"dword_64a600": "CURRENT"},
-                {"dword_64a0ac": "chrome-extension_"},
-                {"dword_64a0a4": "_0.indexeddb.leveldb"},
-                {"dword_64a5d8": "Local State"},
-                {"dword_64a21c": "profiles.ini"},
-                {"dword_64a2ac": "chrome"},
-                {"dword_64a41c": "opera"},
-                {"dword_64a584": "firefox"},
-                {"dword_64a1f0": "wallets"},
-                {"dword_64a0c4": "%08l"},
-                {"dword_64a398": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
-                {"dword_64a434": "ProductName"},
-                {"dword_64a2c0": "x32"},
-                {"dword_64a174": "x64"},
-                {"dword_64a630": "%d/%d/%d %d:%d:%d"},
-                {"dword_64a1d4": "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"},
-                {"dword_64a4ec": "ProcessorName"},
-                {"dword_64a544": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
-                {"dword_64a5c0": "DisplayName"},
-                {"dword_64a3d0": "DisplayVersion"},
-                {"dword_64a5f4": "Network Info:"},
-                {"dword_64a228": "\t- IP: IP?"},
-                {"dword_64a0fc": "\t- Country: ISO?"},
-                {"dword_64a180": "System Summary:"},
-                {"dword_64a09c": "\t- HWID: "},
-                {"dword_64a354": "\t- OS: "},
-                {"dword_64a638": "\t- Architecture: "},
-                {"dword_64a1a0": "\t- UserName: "},
-                {"dword_64a314": "\t- Computer Name: "},
-                {"dword_64a248": "\t- Local Time: "},
-                {"dword_64a384": "\t- UTC: "},
-                {"dword_64a450": "\t- Language: "},
-                {"dword_64a4b4": "\t- Keyboards: "},
-                {"dword_64a1a4": "\t- Laptop: "},
-                {"dword_64a3a0": "\t- Running Path: "},
-                {"dword_64a170": "\t- CPU: "},
-                {"dword_64a4a0": "\t- Threads: "},
-                {"dword_64a360": "\t- Cores: "},
-                {"dword_64a304": "\t- RAM: "},
-                {"dword_64a154": "\t- Display "},
-                {"dword_64a5fc": "\t- GPU:"},
-                {"dword_64a614": ""},
-                {"dword_64a1d0": "Installed Apps:"},
-                {"dword_64a618": "All Users:"},
-                {"dword_64a5d4": "Current User:"},
-                {"dword_64a5b8": "Process List:"},
-                {"dword_64a298": "system_info.txt"},
-                {"dword_64a098": "freebl3.dll"},
-                {"dword_64a1e8": "mozglue.dll"},
-                {"dword_64a378": "msvcp140.dll"},
-                {"dword_64a208": "nss3.dll"},
-                {"dword_64a590": "softokn3.dll"},
-                {"dword_64a120": "vcruntime140.dll"},
-                {"dword_64a0c0": "\\Temp\\"},
-                {"dword_64a238": ".exe"},
-                {"dword_64a198": "runas"},
-                {"dword_64a558": "open"},
-                {"dword_64a3cc": "/c start "},
-                {"dword_64a408": "%DESKTOP%"},
-                {"dword_64a494": "%APPDATA%"},
-                {"dword_64a45c": "%LOCALAPPDATA%"},
-                {"dword_64a2bc": "%USERPROFILE%"},
-                {"dword_64a2d0": "%DOCUMENTS%"},
-                {"dword_64a11c": "%PROGRAMFI"},
-                {"dword_64a53c": "%PROGRAMFILES_86%"},
-                {"dword_64a334": "%RECENT%"},
-                {"dword_64a564": "*.lnk"},
-                {"dword_64a508": "files"},
-                {"dword_64a30c": "\\discord\\"},
-                {"dword_64a284": "\\Local Storage\\leveldb\\CURRENT"},
-                {"dword_64a2c8": "\\Local Storage\\leveldb"},
-                {"dword_64a300": "\\Telegram Desktop\\"},
-                {"dword_64a610": "key_datas"},
-                {"dword_64a280": "D877F783D5D3EF8C*"},
-                {"dword_64a438": "map*"},
-                {"dword_64a374": "A7FDF864FBC1"},
-                {"dword_64a484": "A92DAA6EA6F"},
-                {"dword_64a1e0": "F"},
-                {"dword_64a3b8": "Telegram"},
-                {"dword_64a5f8": "Tox"},
-                {"dword_64a3b4": "*.tox"},
-                {"dword_64a4c4": "*.ini"},
-                {"dword_64a580": "Password"},
-                {"dword_64a5f0": "Software\\"},
-                {"dword_64a10c": "Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\93"},
-                {"dword_64a234": "Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\93"},
-                {
-                    "dword_64a370": "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\"
-                },
-                {"dword_64a200": "Software\\Microsoft\\"},
-                {"dword_64a574": "oftware\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\"},
-                {"dword_64a3c8": "00000001"},
-                {"dword_64a190": "00000002"},
-                {"dword_64a110": "00000003"},
-                {"dword_64a1b8": "0"},
-                {"dword_64a16c": "\\Outlook\\accounts.txt"},
-                {"dword_64a108": "Pidgin"},
-                {"dword_64a130": "\\.purple\\"},
-                {"dword_64a288": "accounts.xml"},
-                {"dword_64a0d8": "dQw4w9WgXcQ"},
-                {"dword_64a404": "token: "},
-                {"dword_64a4d8": "Software\\Valve\\Steam"},
-                {"dword_64a0d4": "SteamPath"},
-                {"dword_64a168": "\\config\\"},
-                {"dword_64a158": "ssfn*"},
-                {"dword_64a448": "config.vdf"},
-                {"dword_64a4b0": "DialogConfig.vdf"},
-                {"dword_64a164": "DialogConfigOverlay*.vdf"},
-                {"dword_64a3fc": "libraryfolders.vdf"},
-                {"dword_64a27c": "loginusers.vdf"},
-                {"dword_64a3f8": "\\Steam\\"},
-                {"dword_64a560": "sqlite3.dll"},
-                {"dword_64a254": "browsers"},
-                {"dword_64a3e8": "done"},
-                {"dword_64a524": "soft"},
-                {"dword_64a22c": "\\Discord\\tokens.txt"},
-                {"dword_64a444": '/c timeout /t 5 & del /f /q "'},
-                {"dword_64a2a8": '" & del "C:\\ProgramData\\*.dll"" & exit'},
-                {"dword_64a5e4": "C:\\"},
-                {"dword_64a480": "https"},
-                {"dword_64a118": "Content-Type: multipart/form-data; boundary=----"},
-                {"dword_64a49c": "POST"},
-                {"dword_64a2b4": "HTTP/1.1"},
-                {"dword_64a2f0": 'Content-Disposition: form-data; name="'},
-                {"dword_64a458": "hwid"},
-                {"dword_64a514": "build"},
-                {"dword_64a470": "token"},
-                {"dword_64a3f4": "file_name"},
-                {"dword_64a0cc": "file"},
-                {"dword_64a0f0": "message"},
-                {"dword_64a2a4": "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"},
-                {"dword_64a278": "screenshot.jpg"},
-                """
-            ],
         }