0xToxin
/ JanelaRat November 2023 DGA C2's list 2
Last active
November 18, 2023 18:21
JanelaRat fetches from remote DGA C2's keywords list and the port for the real C2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Related campaign - https://twitter.com/1ZRR4H/status/1725609793216291100 | |
| *************************************** | |
| * no keywords path this time :( * | |
| * /postal.php - for C2 port * | |
| *************************************** | |
| orionprimexgold1.ddns.net | |
| orionprimexgold2.ddnsking.com | |
| orionprimexgold3.3utilities.com |
0xToxin
/ JanelaRat November 2023 DGA C2's list
Created
November 13, 2023 07:25
JanelaRat fetches from remote DGA C2's keywords list and the port for the real C2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *************************************** | |
| * no keywords path this time :( * | |
| * /postal.php - for C2 port * | |
| *************************************** | |
| alpha123.serveblog.net | |
| tango89.myvnc.com | |
| zulu567.onthewifi.com | |
| echo456.redirectme.net | |
| foxtrot234.freedynamicdns.net |
0xToxin
/ URSA Final DLL fetcher.py
Created
November 12, 2023 14:19
The script fetches and decrypts the final URSA DLL based on the vbs stager script accessed post geofence check. The script will print the download URL of the archive which contains the encrypted URSA DLL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import zipfile | |
| from io import BytesIO | |
| ''' | |
| Assumptions: | |
| 1. The first const appreance will be the number used for strings decryption. | |
| 2. The first few lines after the const will have the decryption function in it. | |
| 3. The retrieved payload from the C2 is zip archive. | |
| ''' |
0xToxin
/ Hacked Users By URSA Malware.txt
Last active
November 11, 2023 13:36
Emails harvested from the activity of URSA/Mispadu campaign targeting LATAM countries. (25.10.2023 - 09.11.2023)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| leon@ppk.com.mx | |
| marthacesareo@grupokaypa.com | |
| constanciaf4@dolcevita.com.mx | |
| facturacion@dolcevita.com.mx | |
| laura.rodriguez@dolcevitavallarta.com | |
| pagos@dolcevita.com.mx | |
| aflores@eving.com.mx | |
| refacciones.irapuato@altopro.com.mx | |
| alg@chalumex.com.mx | |
| dgv@chalumex.com.mx |
0xToxin
/ JanelaRat October 2023 keywords list C2's
Created
November 1, 2023 08:30
JanelaRat fetches from remote C2 the keywords for triggering the banker action
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *************************************** | |
| * /kepler186f.txt - for keywords * | |
| * /16Psyche.txt - for C2 port * | |
| *************************************** | |
| orionprimexgold1.ddns.net | |
| orionprimexgold2.ddnsking.com | |
| orionprimexgold3.3utilities.com | |
| orionprimexgold4.bounceme.net | |
| orionprimexgold5.freedynamicdns.net |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from hashlib import md5 | |
| from malduck import aes | |
| keyString = input("[!] Enter key: ") | |
| md5Key = md5(keyString.encode()).hexdigest() | |
| print(f'[*] The key for the encryption will be {md5Key}') | |
| encryptedString = input("[!] Enter hexvalue encrypted data: ") | |
| decryptedData = aes.ecb.decrypt(bytes.fromhex(md5Key), bytes.fromhex(encryptedString)) |
0xToxin
/ DarkGate_Network_payloads_decoder.py
Created
September 13, 2023 08:50
Can be used to decode payloads retrieved from DarkGate C2's
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| LIST = 'zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=' # Replace list used for config decoding | |
| DATA = '' # Replace with the encrypted data from the network traffic | |
| ID = '' # Replace with the ID from the network traffic | |
| def decShiftFunc(arg1, arg2, arg3, arg4): | |
| final = b'' | |
| tmp = (arg1 & 0x3F) * 4 | |
| final += bytes([((arg2 & 0x30) >> 4) + tmp]) | |
| tmp = (arg2 & 0xF) * 16 | |
| final += bytes([((arg3 & 0x3C) >> 2) + tmp]) |
0xToxin
/ DarkGate_Final_Payload_Extractor_v_4_14.py
Created
September 13, 2023 08:47
Extraction of DarkGate final payload from AutoIT script Version 4.14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AUTO_IT_PATH = 'pay.au3' #Change to the AutoIT script path. | |
| FINAL_PAYLOAD_PATH = 'final2.bin' #Change to output path. | |
| def decShiftFunc(arg1, arg2, arg3, arg4): | |
| final = b'' | |
| tmp = (arg1 & 0x3F) * 4 | |
| final += bytes([((arg2 & 0x30) >> 4) + tmp]) | |
| tmp = (arg2 & 0xF) * 16 | |
| final += bytes([((arg3 & 0x3C) >> 2) + tmp]) | |
| final += bytes([(arg4 & 0x3F) + ((arg3 & 0x03) << 6)]) |
0xToxin
/ Metamorfo_PS1_Cleaner.py
Created
August 24, 2023 16:04
Metamorfo PowerShell script cleaner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Tested on the sample (Sha256): | |
| 70e303792d1699fc53b9b3251faf7fc66a070a981972ab64783a1a368e4c96f8 | |
| ''' | |
| import re | |
| from base64 import b64decode | |
| pattern = r'(\$\(\[Text\.Encoding\].*FromBase64String(\(.*\'\))\)\))' | |
| file_handle = open('metamorfo_stage.ps1', 'r').readlines() |
0xToxin
/ BlackRock_KLBanker_strings.py
Last active
August 11, 2023 18:31
Decryption of the latest variant of KLBanker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import malduck, base64 | |
| stringsArr = ["l6PjPku2W0NahCbd36HRrMt3OvjY3svw1l1VAr63795ZSuvoliYrT76jhbTr4DE8", "4WRsAYF5K2xRj+RDB0sKxkw/o2ydLwGi6hIsHroFCdSiRcRHYtZnvb0vCwvSX/gZZm0XrYdyIRihnH0golgTnw==", "kmzDkgXFNZdRuTuEfEqezXxHNC1Rwm0b4ue46PIMCepKi1QIqIq7E2+SGtocFtO8", "6R8tAX5y2sTw3n3BbYUlkjyTeUc5Ofw54meqCSi4mH+9ZYfEB2131KxLGdN69eJK", "Jr6UMUJ0YhXKRkEIpLCp24bTPyxnJWdtVXhOC7+0AyWQWTSPZjyonsULOO2ZOWF/", "xGJJoWLWFMxSxoB8htqGOmYX/TMOIA7Bzko0YYF5Y9EhBvslJyDCKS/rwfro++UP", "SC2owWo4MmTJBghMVtfnpRbs8+qH52p4DmwW3eIP6czxHpW5sHkepVpqH6Gbrahj", "ZfRqRkS4CHiLOSm7xkYtAOZnOtCJ0PUrE0LtPXqgMk3caiFq5kvaQaEnMn9JJVK2", "NEbscDY49aJvF7kL06jKIDFb9jj1YlLzMyWZMl544mrTzoKm+lGEDBWdryGyQrHR", "ojKSz0v47RFdKwl9S6O1zHupe7ZenfrEAR/9rgOrwHwmYNOslKo3MjFCDs9DPNuY","Y4HSgrFfpnLhMfKBVsjyPZD0QPwUKKbg6dWnoqwo5G8E2KM+5S+UyNU/P8conXK4", "EDZYNxVIULdr5D3RKLvWJwjhhmvR8xT4v0KfwrYiSwA54E+o1hpLK2Wk0BIQbwEb", "I0gpZ9ePYvBLfpMhjUvizL3CYp5lh1y9AnM30RW7o0zh4qjMMq0Q/bxLWkR7B7e5", "oR9rs61M+SrQkpnQ21S5AnRhHz3eyDk8Sti9cABB8/gkAfaAEWRg/DY9kOcJDuHv", "Y2U8u7XAzFi |
NewerOlder