stealergram/README.md

# ULP Credential Monitor

A Telegram-based credential exposure monitor for threat intelligence teams.
Watches channels for combo/stealer log files and alerts you when your
organization's credentials appear in them.

---

## How it works

```
User session (Telethon)
  └─ watches N channels
       └─ detects file attachments (.txt, .zip, .7z, .rar)
            └─ downloads → extracts → searches line by line
                 └─ hit? → writes to data/ + sends bot alert
                 └─ no hit? → deletes file, moves on
```

---

## Project structure

```
ulp_monitor/
├── main.py           Entry point
├── config.py         All settings (keywords, channels, paths)
│
├── core/             Telegram I/O pipeline
│   ├── scraper.py        Live listener + backfill
│   ├── tdl_downloader.py Fast downloads via tdl (Go MTProto)
│   ├── bot_downloader.py Inline button / bot-dispatched file flows
│   ├── processor.py      Archive extraction + line-by-line search
│   └── notifier.py       hits.txt / hits.csv writer + bot alerts
│
├── utils/            Pure logic — no Telegram dependencies
│   ├── scorer.py         Hit severity scoring
│   ├── cache.py          Seen-file deduplication
│   └── database.py       SQLite persistence layer
│
├── tui/              Textual TUI frontend
│   ├── app.py            MonitorApp + all Screen classes
│   └── events.py         Thread-safe event bus (bot thread → TUI)
│
└── data/             Runtime-generated (gitignored)
    ├── hits.db           SQLite database
    ├── hits.txt          Human-readable hit log
    ├── hits.csv          CSV hit log (importable into Excel / pandas)
    ├── dedup.json        Deduplication hashes
    ├── cache.json        Seen file-ID cache
    └── logs/monitor.log
```

---

## Setup

### 1. Get Telegram API credentials
- Go to https://my.telegram.org → *API development tools*
- Create an app → note your `api_id` and `api_hash`

### 2. Create a bot
- Message [@BotFather](https://t.me/BotFather) → `/newbot`
- Start a chat with your new bot before running

### 3. Get your chat ID
- Message [@userinfobot](https://t.me/userinfobot)

### 4. Configure

```bash
cp .env.example .env
# fill in API_ID, API_HASH, BOT_TOKEN, NOTIFY_CHAT_ID
```

Open `config.py` and set:

- **`TARGET_KEYWORDS`** — your org's domains and email patterns.
  Keywords with `@` (e.g. `r"@myorg\.cl"`) are **employee email domains** → CRITICAL.
  Keywords without `@` are plain domain matches → LOW baseline.
- **`WATCHED_CHANNELS`** — channel usernames or numeric IDs
- **`BACKFILL_LIMIT`** — past messages to scan per channel on startup

### 5. Install dependencies

```bash
pip install -r requirements.txt
# rarfile needs the unrar binary:
# Ubuntu/Debian: sudo apt install unrar
# macOS:         brew install rar
```

### 5a. Install tdl (strongly recommended)

```bash
curl -sSL https://raw.githubusercontent.com/iyear/tdl/main/scripts/install.sh | bash
tdl login -n monitor_session
```

### 6. First run — complete Telegram auth

```bash
python main.py --no-tui
# follow the phone + 2FA prompts once
```

### 7. Run

```bash
python main.py          # TUI mode (recommended)
python main.py --no-tui # plain CLI
```

---

## TUI keybindings

| Key | Action |
|-----|--------|
| `s` | Search hits database |
| `h` | Browse hits by severity |
| `k` | Edit keyword patterns live |
| `c` | Clear logs |
| `r` | Refresh stats |
| `q` | Quit |

---

## Output

| File | Description |
|------|-------------|
| `data/hits.db`  | SQLite — all hits with scores, severity, dedup flag |
| `data/hits.txt` | Human-readable grouped log |
| `data/hits.csv` | CSV — easy to pull into Excel / pandas |
| `data/logs/monitor.log` | Full run log |

Telegram alerts fire for CRITICAL / HIGH / MEDIUM only. LOW is stored silently.

---

## Notes

- **Session files are sensitive** — equivalent to a logged-in account. Gitignored, never share.
- **Flood limits** — `FloodWaitError` is handled automatically.
- **Private channels** — your user account must already be a member.