blackhatpakistan.net

Stealer Parser — Usage Guide

ddf

New member
Joined
Jun 26, 2026
Messages
1
Reaction score
0
Points
0
Points
5
USD
5
# Stealer Parser — Usage Guide
## Table of Contents
- [Overview](#overview)
- [Command-Line Usage](#command-line-usage)
- [Basic usage](#basic-usage)
- [Password-protected archives](#password-protected-archives)
- [Custom output path](#custom-output-path)
- [Verbosity levels](#verbosity-levels)
- [Output Format](#output-format)
- [Credential fields](#credential-fields)
- [System fields](#system-fields)
- [Supported Archive Formats](#supported-archive-formats)
- [Error Handling](#error-handling)
## Overview
**stealer-parser** is a command-line tool that parses infostealer log archives
and produces a structured JSON report containing compromised credentials and
system information.
Infostealers are malwares that harvest sensitive data — passwords, browser
credentials, machine identifiers — and bundle them into archives sold on
underground forums. This tool automates the extraction and normalization of
that data.
## Command-Line Usage
```
stealer-parser [-h] [-p ARCHIVE_PASSWORD] [-o FILENAME.json] [-v] filename
```
### Basic usage
```console
$ stealer-parser myfile.rar
2024-07-08 13:37:00 - StealerParser - INFO - Processing: myfile.rar ...
2024-07-08 13:37:00 - StealerParser - INFO - Successfully wrote 'myfile.json'.
```
The output file is named after the input archive (e.g. `myfile.json`).
### Password-protected archives
Use `-p` or `--password` to supply the archive password:
```console
$ stealer-parser myfile.zip --password mypassword
```
### Custom output path
Use `-o` or `--outfile` to specify a custom output filename:
```console
$ stealer-parser myfile.zip --outfile results/foo.json
```
Parent directories are created automatically if they don't exist.
### Verbosity levels
The `-v` flag controls log output verbosity. Repeat it for more detail:
| Flag | Level | Description |
|---------|----------|------------------------------------|
| (none) | `INFO` | Essential progress messages |
| `-v` | `VERBOSE`| Additional processing details |
| `-vv` | `DEBUG` | Per-file parsing statistics |
| `-vvv` | `SPAM` | Maximum detail, token-level output |
Example with debug output:
```console
$ stealer-parser -vv myfile.zip
2024-07-08 13:37:00 - StealerParser - INFO - Processing: myfile.zip ...
2024-07-08 13:37:00 - StealerParser - DEBUG - Parsed 'myfile.zip' (983 systems).
2024-07-08 13:37:00 - StealerParser - INFO - Successfully wrote 'myfile.json'.
```
## Output Format
The tool produces a JSON file containing an array of system entries. Each entry
represents a compromised machine and its associated credentials.
### Credential fields
| Field | Type | Description |
|----------------|--------|------------------------------------------------|
| `software` | string | Web browser or email client |
| `host` | string | Hostname or URL visited by the user |
| `username` | string | Username or email address |
| `password` | string | Password |
| `domain` | string | Domain name extracted from host/URL |
| `local_part` | string | Part before the `@` in an email address |
| `email_domain` | string | Domain name extracted from email address |
| `filepath` | string | Path of the credential file inside the archive |
| `stealer_name` | string | Name of the stealer that harvested the data |
### System fields
| Field | Type | Description |
|-----------------|--------|-----------------------------------|
| `machine_id` | string | Device UID or machine ID |
| `computer_name` | string | Machine hostname |
| `hardware_id` | string | Hardware ID (HWID) |
| `machine_user` | string | Username on the compromised host |
| `ip_address` | string | Machine IP address |
| `country` | string | Country code |
| `log_date` | string | Date of compromise (ISO 8601) |
## Supported Archive Formats
| Format | Extension | Notes |
|--------|-----------|------------------------------|
| RAR | `.rar` | Requires `unrar` binary |
| ZIP | `.zip` | Multi-part ZIP not supported |
| 7-Zip | `.7z` | Password-protected supported |
## Error Handling
Files that cannot be parsed are saved to the `logs/` directory alongside a
`.log` file containing the error message. Common causes:
- Corrupted or truncated archive files
- Unsupported compression methods (e.g. multi-part ZIP)
- Missing `unrar` system binary for RAR archives
- Encoding errors in credential files



password:stealer_0000
 
661Threads
1,232Messages
3,056Members
BandsNotFriendsLatest member
Top