Information stealers are malware that harvests sensitive data from infected machines. The harvested data, known as "logs", is sold on forums or shared in chat groups.
This tool takes a logs archive, parses it, and produces a JSON file.
- Accepts the following archive formats: RAR, ZIP and 7z (.rar, .zip, .7z). Please note that multi-part ZIP files aren't handled yet.
- Parses files containing credentials and information about compromised systems.
- Outputs the result as JSON.
The following data are extracted:
- software: Web browser or email client.
- host: Hostname or URL visited by user.
- username: Username or email address.
- password: Password.
- domain: Domain name extracted from host/URL.
- local_part: The part before the @ in an email address.
- email_domain: Domain name extracted from email address.
- filepath: The credential file path.
- stealer_name: The stealer that harvested the data.
- machine_id: The device ID (UID or machine ID).
- computer_name: The machine's name.
- hardware_id: The hardware ID (HWID).
- machine_user: The machine user's name.
- ip_address: The machine IP address.
- country: The machine's country code.
- log_date: The compromise date.
If a file can't be parsed, it is saved into the logs folder along with a <filename>.log text file containing the parsing error message.
- Python 3.10 or greater
- Clone the repository including its submodules and change into its directory:
$ git clone --recurse-submodules
- Install the project:
$ poetry install
- Activate the virtual environment:
$ poetry shell
stealer_parser [-h] [-p ARCHIVE_PASSWORD] [-o FILENAME.json] [-v] filename
Parse infostealer logs archives.
positional arguments:
filename the archive to process (handled extensions: .rar, .zip, .7z)
-h, --help show this help message and exit
-p ARCHIVE_PASSWORD, --password ARCHIVE_PASSWORD
the archive's password if required
-o FILENAME.json, --outfile FILENAME.json
the output file name (.json extension)
-v, --verbose increase logs output verbosity (default: info, -v: verbose, -vv: debug, -vvv: spam)
Basic use:
$ stealer_parser myfile.rar
2024-07-08 13:37:00 - StealerParser - INFO - Processing: myfile.rar ...
2024-07-08 13:37:00 - StealerParser - INFO - Successfully wrote 'myfile.json'.
Use the verbose option to display extra information:
$ stealer_parser -vvv
2024-07-08 13:37:00 - StealerParser - INFO - Processing: ...
2024-07-08 13:37:00 - StealerParser - DEBUG - Parsed '' (983 systems).
2024-07-08 13:37:00 - StealerParser - INFO - Successfully wrote 'myfile.json'.
Open password-protected archives:
$ stealer_parser --password mypassword
Choose output file name:
$ stealer_parser --outfile results/foo.json
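The JSON produced by the tool contains plaintext passwords, so treat it as sensitive and avoid echoing the password field when triaging. The script below is an added example of consuming that output and is not part of the stealer_parser project. It assumes (an assumption, not documented here) that the output file is a flat JSON array of records keyed by the field names listed above; the sample records, the triage.py file name and the example.com watch list are constructed for illustration.

```python
"""Triage stealer_parser JSON output (added example, not project code).

Assumed layout: a top-level JSON array of credential records whose keys are the
README field names (software, host, username, password, domain, local_part,
email_domain, filepath, stealer_name, machine_id, computer_name, hardware_id,
machine_user, ip_address, country, log_date). Missing keys are tolerated.
"""
from __future__ import annotations

import json
import sys
from collections import Counter, defaultdict
from typing import Iterable

# Constructed sample in the assumed layout; not real leaked records.
SAMPLE_JSON = json.dumps([
    {"software": "Chrome", "host": "https://mail.example.com/login",
     "username": "alice@example.com", "password": "hunter2", "domain": "example.com",
     "email_domain": "example.com", "stealer_name": "redline", "machine_id": "a1b2c3",
     "hardware_id": "HWID-1", "computer_name": "DESKTOP-01", "log_date": "2024-07-01"},
    # Same credential recovered again from another browser profile on the same machine.
    {"software": "Edge", "host": "https://mail.example.com/login",
     "username": "alice@example.com", "password": "hunter2", "domain": "example.com",
     "email_domain": "example.com", "stealer_name": "redline", "machine_id": "a1b2c3",
     "hardware_id": "HWID-1", "computer_name": "DESKTOP-01", "log_date": "2024-07-01"},
    # Plain username (no e-mail); machine known only by its HWID.
    {"software": "Firefox", "host": "https://vpn.corp.example.com", "username": "bob",
     "password": "Summer2024!", "domain": "corp.example.com", "email_domain": None,
     "stealer_name": "raccoon", "machine_id": None, "hardware_id": "HWID-9",
     "computer_name": "LAPTOP-BOB", "log_date": "2024-06-20"},
    # Unrelated site, but harvested from the same machine as alice.
    {"software": "Chrome", "host": "https://shop.example.org/account",
     "username": "carol@example.net", "password": "qwerty", "domain": "example.org",
     "email_domain": "example.net", "stealer_name": "redline", "machine_id": "a1b2c3",
     "hardware_id": "HWID-1", "computer_name": "DESKTOP-01", "log_date": "2024-06-30"},
])


def load_records(text: str) -> list[dict]:
    """Parse the JSON output; the assumed layout is a top-level array of records."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of credential records")
    return data


def _under(domain: str | None, watch: frozenset[str]) -> bool:
    """True when domain equals a watched domain or is one of its subdomains."""
    if not domain:
        return False
    d = domain.lower().rstrip(".")
    return any(d == w or d.endswith("." + w) for w in watch)


def filter_by_domain(records: Iterable[dict], watch_domains: Iterable[str]) -> list[dict]:
    """Keep records tied to the watched domains, by visited host or by e-mail domain."""
    watch = frozenset(w.lower().rstrip(".") for w in watch_domains)
    return [r for r in records
            if _under(r.get("domain"), watch) or _under(r.get("email_domain"), watch)]


def dedupe(records: Iterable[dict]) -> list[dict]:
    """Drop repeats of the same (host, username, password) triple, keeping the first."""
    seen: set[tuple] = set()
    out: list[dict] = []
    for r in records:
        key = (r.get("host"), r.get("username"), r.get("password"))
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def credentials_per_domain(records: Iterable[dict]) -> Counter:
    """Count credentials per visited domain."""
    return Counter(r.get("domain") or "unknown" for r in records)


def machines(records: Iterable[dict]) -> dict[str, dict]:
    """Group records by compromised machine.

    machine_id is preferred; hardware_id, then computer_name, are fallbacks because
    not every stealer family reports every identifier. log_date is compared as a
    string, which assumes the YYYY-MM-DD form used in the sample.
    """
    out: dict[str, dict] = defaultdict(
        lambda: {"accounts": set(), "stealers": set(), "first_seen": None})
    for r in records:
        key = r.get("machine_id") or r.get("hardware_id") or r.get("computer_name") or "unknown"
        m = out[key]
        if r.get("username"):
            m["accounts"].add(r["username"])
        if r.get("stealer_name"):
            m["stealers"].add(r["stealer_name"])
        d = r.get("log_date")
        if d and (m["first_seen"] is None or d < m["first_seen"]):
            m["first_seen"] = d
    return dict(out)


if __name__ == "__main__":
    # Usage: python triage.py myfile.json example.com [more.domains ...]
    # With no arguments the constructed sample above is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JSON
    watch = sys.argv[2:] or ["example.com"]
    recs = load_records(text)
    hits = dedupe(filter_by_domain(recs, watch))
    print(f"{len(recs)} records, {len(hits)} unique credentials for {', '.join(watch)}")
    for r in hits:  # the password itself is deliberately not printed
        print(f"  {r.get('log_date')}  {r.get('host')}  {r.get('username')}  via {r.get('stealer_name')}")
    for key, m in machines(recs).items():
        print(f"machine {key}: {len(m['accounts'])} accounts, "
              f"stealers={sorted(m['stealers'])}, first_seen={m['first_seen']}")
```

Matching on both domain and email_domain catches two different exposures: a corporate site whose login was captured, and a corporate mailbox used to register on some third-party site. Deduplicating on the (host, username, password) triple matters because the same credential is often captured from several browser profiles on one machine, which inflates counts if left alone.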
The grammars can be found in the docs
If you want to contribute to development, please read these guidelines.
Lexing and parsing made easier thanks to PLY by David Beazley.
This project is licensed under Apache License 2.0.