This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Sample => https://bazaar.abuse.ch/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50/ | |
$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\dotNetLoader.bin") | |
$mainType = $reflectedAsm.GetType("rwcQssqTcyOdXXoBLoie.DCPmslvtGCDAiOhxxQvq") | |
$key = [System.Convert]::FromBase64String("iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=") | |
$iv = [System.Convert]::FromBase64String("U+YnktYGyx/j43tP2+WVyw==") | |
$encryptedStrings = ("8qhzRqWw9fiH/7/a5reZMA==", "D/l1SD7OECP0XB2rUm87gA==", "lbk35FoNbOitTifMeNV97Q==", "uJDwrcc4OjLfnn4YCE0Bxw==", "x9nd50/ydQ4NyJMlduaTA1aZE7EpXLNuSa2GwfmjWlxjNEtyTrE+c9z9hlGIXS4Q") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Sample => https://bazaar.abuse.ch/sample/00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f/ | |
$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\AsyncRAT.bin") | |
$SettingsType = $reflectedAsm.GetType("Client.Settings") | |
($SettingsType.GetMethod("InitializeSettings")).Invoke($null, $null) | |
$fields = $SettingsType.GetFields() | |
foreach ($field in $fields){ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from malduck import aes | |
from base64 import b64decode | |
BATCH_FILE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.bat' | |
AES_KEY = 'I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=' | |
AES_IV = 'mehcJXqMnXZUmnmrBD1Eeg==' | |
OUTPUT_ARCHIVE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.gz' | |
batchFile = open(BATCH_FILE_PATH, 'r').readlines() | |
encFile = '' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from base64 import b64decode | |
import re | |
import os | |
import gzip | |
PS1_FILE_PATH = '' # Full path to inital ps1 payload | |
OUTPUT_FOLDER = '' # Full path for archives, example: C:/Users/Bumble/Archives/ | |
OUTPUT_FILE = '' # Full path for second stage script | |
OUTPUT_PAYLOAD = '' # Full path for final DLL |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
Related Tweet: | |
https://twitter.com/0xToxin/status/1649131620383825923 | |
Tested on: | |
doc_12QICZ_85.wsf - 5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246 | |
Bazzar - https://bazaar.abuse.ch/sample/5b7dfd88fcbbbb7e3d1b4b6606c4fdd10397dd5c00e18cfe83cd9a94ed136246/ | |
Triage - https://tria.ge/230420-w4g3wabf48 | |
''' | |
import re |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
https://twitter.com/Cryptolaemus1/status/1668965414867443712 | |
''' | |
import requests | |
response = requests.get('https://www.computerhope.com/jargon/t/tilde.htm') | |
if response.status_code == 200: | |
response_text = response.text | |
else: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
output will be in format of list, was lazy to play with regex, | |
if you want to see regex fetching, check RussianPanda95 extractor: | |
https://github.com/RussianPanda95/Configuration_extractors/blob/main/remcos_rat_config_extractor.py | |
''' | |
import pefile | |
import struct | |
from Crypto.Cipher import ARC4 | |
import binascii |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
''' | |
Tested on the samples: | |
5b17e978c2ca2cf03e4ffff1e4609f2ec98738b1541fa41ba5b67f061e9e2af2 | |
8137e72db1c4ef3f375378d62a7dd84c5852a9371edd87f7b2a527609f2553b8 | |
''' | |
import idc | |
import idautils | |
import idaapi | |
import re |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from base64 import b64decode | |
AUTO_IT_PATH = '' #Change to the AutoIT script path. | |
FINAL_PAYLOAD_PATH = '' #Change to output path. | |
fileData = open(AUTO_IT_PATH, 'rb').read().decode(errors='ignore') | |
stringsArray = fileData.split('|') | |
modifiedXorKey = 'a' + stringsArray[1][1:9] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mozilla\ | |
firefox.exe | |
/c cd /d " | |
" && move firefox firefox | |
cmd.exe | |
firefox | |
/c del /q /f /s | |
firefox\* | |
cmd.exe | |
OlderNewer