Igal Lytzki 0xToxin

## loader.ps1
#Sample => https://bazaar.abuse.ch/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50/
$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\dotNetLoader.bin")

$mainType = $reflectedAsm.GetType("rwcQssqTcyOdXXoBLoie.DCPmslvtGCDAiOhxxQvq")

$key = [System.Convert]::FromBase64String("iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=")
$iv = [System.Convert]::FromBase64String("U+YnktYGyx/j43tP2+WVyw==")

$encryptedStrings = ("8qhzRqWw9fiH/7/a5reZMA==", "D/l1SD7OECP0XB2rUm87gA==", "lbk35FoNbOitTifMeNV97Q==", "uJDwrcc4OjLfnn4YCE0Bxw==", "x9nd50/ydQ4NyJMlduaTA1aZE7EpXLNuSa2GwfmjWlxjNEtyTrE+c9z9hlGIXS4Q")

## Async.ps1
#Sample => https://bazaar.abuse.ch/sample/00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f/
$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\AsyncRAT.bin")

$SettingsType = $reflectedAsm.GetType("Client.Settings")

($SettingsType.GetMethod("InitializeSettings")).Invoke($null, $null)

$fields = $SettingsType.GetFields()

foreach ($field in $fields){

## loaderDecrypt.py
from malduck import aes
from base64 import b64decode

BATCH_FILE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.bat'
AES_KEY = 'I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc='
AES_IV = 'mehcJXqMnXZUmnmrBD1Eeg=='
OUTPUT_ARCHIVE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.gz'

batchFile = open(BATCH_FILE_PATH, 'r').readlines()
encFile = ''

## BumbleBeePS1LoaderExtractor.py
from base64 import b64decode
import re
import os
import gzip

PS1_FILE_PATH = '' # Full path to inital ps1 payload
OUTPUT_FOLDER = '' # Full path for archives, example: C:/Users/Bumble/Archives/
OUTPUT_FILE = '' # Full path for second stage script
OUTPUT_PAYLOAD = '' # Full path for final DLL

## BumbleBeeWsfFetchURL.py
'''
Related Tweet:
https://twitter.com/0xToxin/status/1649131620383825923
Tested on:
doc_12QICZ_85.wsf - 5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246
Bazzar - https://bazaar.abuse.ch/sample/5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246/
Triage - https://tria.ge/230420-w4g3wabf48
'''
import re

## qakbot_14_06_23.py
'''
https://twitter.com/Cryptolaemus1/status/1668965414867443712
'''
import requests

response = requests.get('https://www.computerhope.com/jargon/t/tilde.htm')

if response.status_code == 200:
    response_text = response.text
else:

## remcosConfigExtractor.py
'''
output will be in format of list, was lazy to play with regex,
if you want to see regex fetching, check RussianPanda95 extractor:
https://github.com/RussianPanda95/Configuration_extractors/blob/main/remcos_rat_config_extractor.py
'''
import pefile
import struct
from Crypto.Cipher import ARC4
import binascii

## DarkGate_Strings_Decryptor.py
'''
Tested on the samples:
5b17e978c2ca2cf03e4ffff1e4609f2ec98738b1541fa41ba5b67f061e9e2af2
8137e72db1c4ef3f375378d62a7dd84c5852a9371edd87f7b2a527609f2553b8
'''
import idc
import idautils
import idaapi
import re

## DarkGate_Final_Payload_Extractor.py
from base64 import b64decode

AUTO_IT_PATH = '' #Change to the AutoIT script path.
FINAL_PAYLOAD_PATH = '' #Change to output path.

fileData = open(AUTO_IT_PATH, 'rb').read().decode(errors='ignore')

stringsArray = fileData.split('|')
modifiedXorKey = 'a' + stringsArray[1][1:9]

## DarkGate_Strings.txt
Mozilla\
firefox.exe
/c cd /d "
" && move firefox firefox
cmd.exe
firefox
/c del /q /f /s
firefox\*
cmd.exe
Google
	#Sample => https://bazaar.abuse.ch/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50/
	$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\dotNetLoader.bin")

	$mainType = $reflectedAsm.GetType("rwcQssqTcyOdXXoBLoie.DCPmslvtGCDAiOhxxQvq")

	$key = [System.Convert]::FromBase64String("iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=")
	$iv = [System.Convert]::FromBase64String("U+YnktYGyx/j43tP2+WVyw==")

	$encryptedStrings = ("8qhzRqWw9fiH/7/a5reZMA==", "D/l1SD7OECP0XB2rUm87gA==", "lbk35FoNbOitTifMeNV97Q==", "uJDwrcc4OjLfnn4YCE0Bxw==", "x9nd50/ydQ4NyJMlduaTA1aZE7EpXLNuSa2GwfmjWlxjNEtyTrE+c9z9hlGIXS4Q")
	#Sample => https://bazaar.abuse.ch/sample/00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f/
	$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\AsyncRAT.bin")

	$SettingsType = $reflectedAsm.GetType("Client.Settings")

	($SettingsType.GetMethod("InitializeSettings")).Invoke($null, $null)

	$fields = $SettingsType.GetFields()

	foreach ($field in $fields){
	from malduck import aes
	from base64 import b64decode

	BATCH_FILE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.bat'
	AES_KEY = 'I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc='
	AES_IV = 'mehcJXqMnXZUmnmrBD1Eeg=='
	OUTPUT_ARCHIVE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.gz'

	batchFile = open(BATCH_FILE_PATH, 'r').readlines()
	encFile = ''
	from base64 import b64decode
	import re
	import os
	import gzip

	PS1_FILE_PATH = '' # Full path to inital ps1 payload
	OUTPUT_FOLDER = '' # Full path for archives, example: C:/Users/Bumble/Archives/
	OUTPUT_FILE = '' # Full path for second stage script
	OUTPUT_PAYLOAD = '' # Full path for final DLL
	'''
	Related Tweet:
	https://twitter.com/0xToxin/status/1649131620383825923
	Tested on:
	doc_12QICZ_85.wsf - 5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246
	Bazzar - https://bazaar.abuse.ch/sample/5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246/
	Triage - https://tria.ge/230420-w4g3wabf48
	'''
	import re
	'''
	https://twitter.com/Cryptolaemus1/status/1668965414867443712
	'''
	import requests

	response = requests.get('https://www.computerhope.com/jargon/t/tilde.htm')

	if response.status_code == 200:
	response_text = response.text
	else:
	'''
	output will be in format of list, was lazy to play with regex,
	if you want to see regex fetching, check RussianPanda95 extractor:
	https://github.com/RussianPanda95/Configuration_extractors/blob/main/remcos_rat_config_extractor.py
	'''
	import pefile
	import struct
	from Crypto.Cipher import ARC4
	import binascii
	'''
	Tested on the samples:
	5b17e978c2ca2cf03e4ffff1e4609f2ec98738b1541fa41ba5b67f061e9e2af2
	8137e72db1c4ef3f375378d62a7dd84c5852a9371edd87f7b2a527609f2553b8
	'''
	import idc
	import idautils
	import idaapi
	import re
	from base64 import b64decode

	AUTO_IT_PATH = '' #Change to the AutoIT script path.
	FINAL_PAYLOAD_PATH = '' #Change to output path.

	fileData = open(AUTO_IT_PATH, 'rb').read().decode(errors='ignore')

	stringsArray = fileData.split('\|')
	modifiedXorKey = 'a' + stringsArray[1][1:9]
	Mozilla\
	firefox.exe
	/c cd /d "
	" && move firefox firefox
	cmd.exe
	firefox
	/c del /q /f /s
	firefox\*
	cmd.exe
	Google