PowerShell 7+  ·  MIT License  ·  Open Source

NO-STEALER ENGINE

A comprehensive PowerShell scanning engine for detecting stealer-type malware on Windows. Chains hash, static, memory, C2, and behavioral analysis into a single tool.

6 Detection Layers  ·  Free Always  ·  MIT License  ·  PS7+ Required
Anti-Stealer UI ticker: REDLINE BLOCKED · VIDAR BLOCKED · PERION BLOCKED · MYTH STEALER BLOCKED · C2 COMMUNICATION DETECTED · MEMORY INJECT BLOCKED · RACCOON BLOCKED · TOKEN GRABBER BLOCKED
Detection Modules

Six Layers.
Zero Escape.

Modules run sequentially, chaining static, memory, and behavioral analysis to catch what single-layer tools miss.

MODULE · 01
Hash-Based Detection

SHA256 exact match against a maintained database of known stealer binaries. Fastest path to a Confirmed verdict.

SHA256
MODULE · 02
Static Similarity

Extracts printable strings and scores similarity against signature sets. Catches polymorphic variants where hashes change but string patterns don't. Thresholds: 0.01 → Low / 0.08 → Potential.

JACCARD > 0.08
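The static-similarity step above, as an added example that is not the project's own code: it extracts printable strings from a byte buffer, computes Jaccard similarity against a signature string set, and maps the score to the 0.01 / 0.08 thresholds quoted above. The signature set and the byte buffer are constructed inline (a real scan would read the file with ReadAllBytes and load the project's signature database); the "printable string" definition and the 'Clean' label for scores below 0.01 are assumptions.

```powershell
# Added example, not from the NO-STEALER project. Static similarity (Module 02):
# printable-string extraction + Jaccard score + threshold mapping.

function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLength = 4)
    # Assumption: a printable string is a run of ASCII 0x20-0x7E at least $MinLength long.
    $found = [System.Collections.Generic.List[string]]::new()
    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) { [void]$sb.Append([char]$b); continue }
        if ($sb.Length -ge $MinLength) { $found.Add($sb.ToString()) }
        [void]$sb.Clear()
    }
    if ($sb.Length -ge $MinLength) { $found.Add($sb.ToString()) }
    return $found.ToArray()
}

function Get-JaccardSimilarity {
    param([string[]]$A, [string[]]$B)
    # |A ∩ B| / |A ∪ B| over case-insensitive string sets; 0 when both sets are empty.
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $setA  = [System.Collections.Generic.HashSet[string]]::new([string[]]$A, $cmp)
    $setB  = [System.Collections.Generic.HashSet[string]]::new([string[]]$B, $cmp)
    $inter = [System.Collections.Generic.HashSet[string]]::new($setA, $cmp)
    $inter.IntersectWith($setB)
    $union = $setA.Count + $setB.Count - $inter.Count
    if ($union -eq 0) { return 0.0 }
    return [math]::Round($inter.Count / $union, 3)
}

function Get-StaticVerdict {
    param([double]$Score)
    # Thresholds from the module description; 'Clean' below 0.01 is an assumption.
    if ($Score -ge 0.08) { return 'Potential-Stealer' }
    if ($Score -ge 0.01) { return 'Low' }
    return 'Clean'
}

# Constructed signature set standing in for the project's signature database.
$signatureSet = @('CreateFileA', 'WriteFile', 'RegSetValueExA', 'logs.dat',
                  'Software\Config', 'Login Data', 'cookies.sqlite', 'wallet.dat')

# Constructed byte buffer; on a real file use [System.IO.File]::ReadAllBytes($path).
# Backtick-0 is a NUL byte, so each name below is a separate printable run.
$sampleBytes = [System.Text.Encoding]::ASCII.GetBytes(
    "MZ`0`0kernel32.dll`0CreateFileA`0`0logs.dat`0`0Software\Config`0`0Login Data`0x")

$strings = @(Get-PrintableStrings -Bytes $sampleBytes)
$score   = Get-JaccardSimilarity -A $strings -B $signatureSet
[pscustomobject]@{
    StringsExtracted = $strings.Count
    JaccardScore     = $score
    Verdict          = Get-StaticVerdict -Score $score
}
```

With the constructed inputs, five strings are extracted, four of them are in the signature set, and the score is 4 / 9 ≈ 0.444, well past the 0.08 Potential threshold. Note that the score is driven by how many signature strings the sample shares, not by their order or byte offsets, which is exactly why hash changes in polymorphic builds do not hide them.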
MODULE · 03
Memory Scan

Reads live process memory regions and matches against in-memory signatures. Detects injected payloads that never touch disk.

LIVE PROCESS
MODULE · 04
C2 Network Detection

Compares active TCP connections to a curated C2 IP/domain database. Returns Confirmed-C2 on a match — use results to generate firewall rules.

TCP · LIVE
MODULE · 05
Network Behavior

Rule-based checks: suspicious TLDs, non-standard ports, multiple simultaneous domains, and known-bad process names in outbound connections.

RULE-BASED
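The C2 lookup (Module 04) and the rule-based network checks (Module 05) together, as an added example that is not the project's own code. On a live host the records would come from Get-NetTCPConnection -State Established joined to Get-Process on OwningProcess; here the connection records, the C2 database (TEST-NET addresses and .example hosts), the suspicious-TLD list, the known-bad process names and the "three or more simultaneous domains" cutoff are all constructed or assumed. The firewall rule is emitted as command text for review rather than executed.

```powershell
# Added example, not from the NO-STEALER project. Modules 04 and 05 over constructed
# connection records; every lookup table below is a placeholder for the project's own.

$c2Database        = @{ '203.0.113.45' = 'RedLine'; 'panel.c2.example' = 'Vidar' } # constructed
$suspiciousTlds    = @('.xyz', '.top', '.tk')                                       # assumption
$standardPorts     = @(80, 443, 53, 22, 25, 587, 993, 995)                          # assumption
$knownBadProcesses = @('svchosts', 'chrome_update')                                 # constructed lookalikes
$maxDomainsPerPid  = 3                                                              # assumption

# Constructed records in the shape of Get-NetTCPConnection joined with Get-Process.
$connections = @(
    [pscustomobject]@{ OwningProcess = 4120; ProcessName = 'svchosts'; RemoteAddress = '203.0.113.45'; RemoteHost = $null;             RemotePort = 4444 }
    [pscustomobject]@{ OwningProcess = 5212; ProcessName = 'updater';  RemoteAddress = '198.51.100.7'; RemoteHost = 'cdn-files.xyz';    RemotePort = 8080 }
    [pscustomobject]@{ OwningProcess = 5212; ProcessName = 'updater';  RemoteAddress = '198.51.100.8'; RemoteHost = 'drop-one.example'; RemotePort = 443 }
    [pscustomobject]@{ OwningProcess = 5212; ProcessName = 'updater';  RemoteAddress = '198.51.100.9'; RemoteHost = 'drop-two.example'; RemotePort = 443 }
    [pscustomobject]@{ OwningProcess = 1200; ProcessName = 'msedge';   RemoteAddress = '192.0.2.10';   RemoteHost = 'www.example.com';  RemotePort = 443 }
)

function New-Finding {
    param($Conn, [string]$Module, [string]$Risk, [string]$Reason)
    [pscustomobject]@{
        module = $Module; risk = $Risk; pid = $Conn.OwningProcess; process = $Conn.ProcessName
        address = $Conn.RemoteAddress; remote = '{0}:{1}' -f $Conn.RemoteAddress, $Conn.RemotePort
        reason = $Reason
    }
}

function Get-NetworkFindings {
    param([object[]]$Connections)
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($c in $Connections) {
        # Module 04: exact match on IP or host name wins outright, so skip the heuristics.
        $c2Key = @($c.RemoteAddress, $c.RemoteHost) |
            Where-Object { $_ -and $c2Database.ContainsKey($_) } | Select-Object -First 1
        if ($c2Key) {
            $findings.Add((New-Finding $c 'C2Network' 'Confirmed-C2' "known C2 of $($c2Database[$c2Key])"))
            continue
        }
        # Module 05: per-connection rules.
        if ($c.RemoteHost -and ($suspiciousTlds | Where-Object { $c.RemoteHost.EndsWith($_) })) {
            $findings.Add((New-Finding $c 'NetworkBehavior' 'Potential' "suspicious TLD on $($c.RemoteHost)"))
        }
        if ($standardPorts -notcontains $c.RemotePort) {
            $findings.Add((New-Finding $c 'NetworkBehavior' 'Potential' "non-standard port $($c.RemotePort)"))
        }
        if ($knownBadProcesses -contains $c.ProcessName) {
            $findings.Add((New-Finding $c 'NetworkBehavior' 'Potential' 'known-bad process name'))
        }
    }
    # Module 05: one process talking to many distinct domains at the same time.
    foreach ($g in ($Connections | Where-Object RemoteHost | Group-Object OwningProcess)) {
        $domains = @($g.Group.RemoteHost | Select-Object -Unique)
        if ($domains.Count -ge $maxDomainsPerPid) {
            $findings.Add((New-Finding $g.Group[0] 'NetworkBehavior' 'Potential' "$($domains.Count) simultaneous domains"))
        }
    }
    return $findings.ToArray()
}

function New-C2BlockRuleCommand {
    param([string]$Address)
    # Returns the rule as text so an operator can review it before running it.
    "New-NetFirewallRule -DisplayName 'NoStealer-C2-$Address' -Direction Outbound -Action Block -RemoteAddress $Address"
}

$findings = Get-NetworkFindings -Connections $connections
$findings | Format-Table module, risk, pid, process, remote, reason -AutoSize
$findings | Where-Object risk -eq 'Confirmed-C2' | ForEach-Object { New-C2BlockRuleCommand $_.address }
```

On the constructed records this yields one Confirmed-C2 finding for PID 4120 (and a block-rule command for 203.0.113.45), and for PID 5212 three Potential findings: the .xyz domain, port 8080, and three simultaneous domains. The browser connection produces nothing, which is the false-positive check worth keeping in any rule set of this kind.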
MODULE · 06
Behavioral Detection

Weighted Jaccard similarity across API calls, registry writes, file operations, and command-line patterns using NO-ST JSON rules. Threshold ≥ 0.30 triggers a finding; ≥ 0.60 is High risk.

NO-ST RULES
Installation

Up and Running in Minutes

Requires PowerShell 7+ and Windows 10/11 (64-bit). Run as Administrator for full system access.

01. Download the files

Download install.ps1 and kural.txt from the repository and place them in the same folder.

GITHUB
02. Open PowerShell 7 as Admin

Right-click PowerShell 7 → Run as Administrator. Then bypass execution policy for the session.

ADMIN REQUIRED
03. Run install.ps1 then 2.ps1

Execute both scripts in order from your folder. If you hit a Python build error, install C++ Build Tools from the Microsoft link, restart PowerShell, then run again.

PS7 REQUIRED
04. Optional: Launch the GUI

Install pywebview via pip, then run UI.ps1 in PowerShell 7 (Admin) for the graphical interface.

UI.PS1
Quickstart (PowerShell 7+, run as Administrator)

# 1. Bypass execution policy for this session only
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# 2. Run the installer (replace with your actual path)
C:\path\to\folder\install.ps1
# 3. Run the main script
C:\path\to\folder\2.ps1
# 4. Optional GUI: install pywebview first, then launch UI.ps1
pip install pywebview
C:\path\to\folder\UI.ps1
Windows Defender may flag the scripts. Add a folder exclusion, run the scan, then remove it. Source code is fully auditable on GitHub.
Who Is It For

Built for the Security Community

Anti-Stealer is research-oriented — it generates shareable rules and structured telemetry, not just a pass/fail result.

🔬 Malware Researchers

Reverse-engineer stealer families, write and validate YARA/Sigma rules against a real multi-layer behavioral engine.

🛡️ AV / AM Engineers

Use NO-ST JSON rule output for signature generation, test automation, and AV vendor submissions.

🔔 SOC / IR Teams

Rapid on-host scanning, structured telemetry, and prioritized risk levels for fast incident triage.

🕵️ Threat Intel Teams

Expand C2 and SHA databases, export structured IoC data to open intelligence platforms.

Output Formats

Rules & Reports

Every scan produces structured, shareable artefacts — not just a clean/infected verdict.

YARA
YARA Rules

Static string and byte-pattern rules ready for AV vendor submission or VirusTotal upload.

Sigma
Sigma Rules

Normalized behavioral patterns compatible with SIEM platforms and log-based detection pipelines.

JSON
NO-ST Rules

Structured API calls, registry, file, and network telemetry powering the behavioral detection module.

LOG
Per-Finding Reports

One JSON object per finding: module, risk level, family classification, PID, and similarity score.

Example NO-ST Rule
{
  "id": "no-st-0001",
  "family": "RedLine",
  "apicalls": [
    "CreateFileA",
    "WriteFile",
    "RegSetValueExA"
  ],
  "writtenfiles": [
    "%APPDATA%\\*\\logs.dat"
  ],
  "registry": [
    "HKCU\\Software\\*\\Config"
  ],
  "risk": "Confirmed",
  "jaccardScore": 0.74,
  "module": "BehaviorJaccard"
}
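Scoring live telemetry against the rule above, as an added example that is not the project's own code: it parses the NO-ST rule, computes a wildcard-aware Jaccard per category (apicalls, writtenfiles, registry), combines them with category weights, and applies the Module 06 thresholds (≥ 0.30 finding, ≥ 0.60 High) to emit one per-finding report object. The observed telemetry and its PID are constructed; the category weights, the 'Potential' label for the 0.30 to 0.60 band, the treatment of `*` in rule entries as a `-like` wildcard, and the assumption that file paths have already been normalised to `%APPDATA%` form are all mine, not the project's.

```powershell
# Added example, not from the NO-STEALER project. Module 06: weighted Jaccard of
# observed telemetry against the NO-ST rule shown on this page.

# The rule from the page, embedded verbatim so the example runs offline.
$ruleJson = @'
{
  "id": "no-st-0001",
  "family": "RedLine",
  "apicalls": [ "CreateFileA", "WriteFile", "RegSetValueExA" ],
  "writtenfiles": [ "%APPDATA%\\*\\logs.dat" ],
  "registry": [ "HKCU\\Software\\*\\Config" ],
  "risk": "Confirmed",
  "jaccardScore": 0.74,
  "module": "BehaviorJaccard"
}
'@
$rule = $ruleJson | ConvertFrom-Json

# Assumption: category weights (the project's real weights are not stated on the page).
$weights = @{ apicalls = 0.4; writtenfiles = 0.3; registry = 0.3 }

function Get-PatternJaccard {
    param([string[]]$Patterns, [string[]]$Observed)
    # Jaccard where a rule entry may contain '*' wildcards: a pattern counts as shared when
    # any observation matches it, and an observation is "in the union once" when it matches
    # any pattern. Returns |matched patterns| / |patterns ∪ observed|.
    $matchedPatterns = 0
    foreach ($p in $Patterns) {
        if (@($Observed | Where-Object { $_ -like $p }).Count -gt 0) { $matchedPatterns++ }
    }
    $matchedObserved = 0
    foreach ($o in $Observed) {
        if (@($Patterns | Where-Object { $o -like $_ }).Count -gt 0) { $matchedObserved++ }
    }
    $union = $Patterns.Count + $Observed.Count - $matchedObserved
    if ($union -le 0) { return 0.0 }
    return [double]$matchedPatterns / $union
}

function Get-WeightedBehaviorScore {
    param($Rule, [hashtable]$Telemetry, [hashtable]$Weights)
    $total = 0.0
    foreach ($cat in $Weights.Keys) {
        $total += $Weights[$cat] * (Get-PatternJaccard -Patterns @($Rule.$cat) -Observed @($Telemetry[$cat]))
    }
    return [math]::Round($total, 2)
}

function Get-BehaviorRisk {
    param([double]$Score)
    # Thresholds from the module description; the 'Potential' label is an assumption.
    if ($Score -ge 0.60) { return 'High' }
    if ($Score -ge 0.30) { return 'Potential' }
    return $null
}

# Constructed telemetry for a hypothetical PID; paths are assumed already normalised
# to environment-variable form so they line up with the rule's %APPDATA% entries.
$observedPid = 4120
$telemetry = @{
    apicalls     = @('CreateFileA', 'WriteFile', 'RegSetValueExA', 'LoadLibraryA', 'GetProcAddress')
    writtenfiles = @('%APPDATA%\RLClient\logs.dat')
    registry     = @('HKCU\Software\RLClient\Config', 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run')
}

$score = Get-WeightedBehaviorScore -Rule $rule -Telemetry $telemetry -Weights $weights
$risk  = Get-BehaviorRisk -Score $score
if ($risk) {
    # One JSON object per finding, in the shape the Per-Finding Reports section describes.
    [pscustomobject]@{
        module = 'BehaviorJaccard'; risk = $risk; family = $rule.family
        rule = $rule.id; pid = $observedPid; jaccardScore = $score
    } | ConvertTo-Json
}
```

With these inputs the per-category scores are 0.6 (apicalls: 3 of 5 observed calls shared), 1.0 (writtenfiles) and 0.5 (registry: the Run key is observed but not in the rule), giving 0.4·0.6 + 0.3·1.0 + 0.3·0.5 = 0.69 and a High finding. Extra benign activity in a category lowers that category's score rather than the match count, which keeps a rule from firing on a process that merely happens to call CreateFileA.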
Open Source

Star it. Fork it. Contribute.

Add signatures, tune Jaccard thresholds, or submit a PR with a new stealer family. The community makes the rules sharper.

FAQ

Common Questions

Windows Defender flagged the script. Is that a false positive?

Yes, this is a false positive. Local PowerShell scripts that inspect live processes are sometimes caught by heuristic engines. The full source is on GitHub — audit every line before running. Add a folder exclusion in Defender, run the scan, then remove it.

Why does it require PowerShell 7 rather than Windows PowerShell 5.1?

The engine uses parallel job execution, modern .NET APIs, and module features unavailable in Windows PowerShell 5.1. Install PowerShell 7 from the Microsoft Store or GitHub — it runs alongside the built-in version without conflict.

What is the difference between a Confirmed and a Potential-Stealer verdict?

Confirmed means a direct SHA256 or exact C2 match — high confidence. Potential-Stealer means static similarity exceeded 0.08 or 20+ string matches were found without a hash hit. Treat it as suspicious and investigate, especially if combined with unusual network activity.

How do I add a new stealer family?

Analyse the sample in an isolated VM, extract API calls / registry patterns / strings, write a NO-ST JSON rule or YARA signature, test against both malicious and benign samples, then submit a pull request with sample metadata and test results.

Does the tool send any data off the host?

No. Anti-Stealer runs entirely on-host. It reads outbound TCP connections to detect C2 traffic but makes no outbound calls itself. All reports and logs are written locally.