Blevene (PANW)
Blevene / Hoplight IOCs (Extras)
Created Apr 10, 2019
Additional Hoplight IOCs
Sourced from a VirusTotal search using the YARA rule published by US-CERT, with the rule's string conditions rewritten as the VTGrep content query below:
content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)
Ref: https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/
a1eb5a0f15cbe7cdd5eb84839f7490aecf38979467f549a9f9b0591e75d7fab6
b0284e9c4cba2bfd019436d4cbe8f1238fd3f6ed4cb79576057be8c4b74d95e0
741c0e5234c85c488f165d5248707436210f15a5c9a43003fec741da1ad05f98
797a23e0900113b23d468d0050cd0c05f15d3afb34eec4d0e27a6f06398dd849
5712e44c3083e394310042afaef6eb40fbe0c56e551433a6370b1f4b9ef0c0e9
889b744a81ccf1209d724798aa1ef1aa2212ba82007c942a6a8746b7b0c3d616
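As an added example (not code from the gist, US-CERT or PANW), the following Python script applies the two kinds of indicator listed above to local files: it reproduces the VTGrep content condition as byte-substring tests and checks each file's SHA-256 against the hash list. It assumes that VTGrep's content: term is a plain byte-substring match; the function names and the harmless sample files are the example's own.

```python
# Added example, not part of the original gist: local triage against the
# Hoplight indicators above. Assumption: a VTGrep `content:` term is a raw
# byte-substring match, so the query
#   content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)
# is reproduced below as `in` tests on the file bytes.
import hashlib
import os
import tempfile

MARKER = b"fjiejffndxklfsdkfjsaadiepwn"   # string from the VTGrep query above
HOSTS = (b"google.co", b"naver.co")        # either hostname satisfies the OR

# SHA-256 values exactly as listed in the gist above.
HOPLIGHT_SHA256 = {
    "a1eb5a0f15cbe7cdd5eb84839f7490aecf38979467f549a9f9b0591e75d7fab6",
    "b0284e9c4cba2bfd019436d4cbe8f1238fd3f6ed4cb79576057be8c4b74d95e0",
    "741c0e5234c85c488f165d5248707436210f15a5c9a43003fec741da1ad05f98",
    "797a23e0900113b23d468d0050cd0c05f15d3afb34eec4d0e27a6f06398dd849",
    "5712e44c3083e394310042afaef6eb40fbe0c56e551433a6370b1f4b9ef0c0e9",
    "889b744a81ccf1209d724798aa1ef1aa2212ba82007c942a6a8746b7b0c3d616",
}


def content_matches(data: bytes) -> bool:
    """content:MARKER AND (content:google.co OR content:naver.co)."""
    return MARKER in data and any(host in data for host in HOSTS)


def triage_file(path: str) -> dict:
    """Return both verdicts for one file. A hash hit identifies a known sample;
    a content-only hit is a candidate for review or a full YARA scan."""
    with open(path, "rb") as f:
        data = f.read()  # whole file in memory; fine for sample-sized inputs
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": path,
        "sha256": digest,
        "hash_match": digest in HOPLIGHT_SHA256,
        "content_match": content_matches(data),
    }


def triage_dir(root: str) -> list:
    """Walk a directory and keep only files that trip at least one check."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            result = triage_file(os.path.join(dirpath, name))
            if result["hash_match"] or result["content_match"]:
                hits.append(result)
    return sorted(hits, key=lambda r: r["path"])


def demo() -> list:
    """Constructed, harmless sample files that exercise each branch of the rule."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "both.bin": b"\x00" * 16 + MARKER + b"\x00" + b"naver.co" + b"\x00",
            "marker_only.bin": MARKER + b"\x00" * 32,   # AND not satisfied
            "host_only.bin": b"Host: google.co\r\n",    # marker missing
            "clean.bin": b"nothing to see here",
        }
        for name, blob in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        return triage_dir(d)  # only both.bin should be reported


if __name__ == "__main__":
    for hit in demo():
        kind = "hash" if hit["hash_match"] else "content"
        print(hit["path"], hit["sha256"], kind)
```

Point triage_dir() at a quarantine or sample directory to run it on real input; a content-only hit means the strings are present but the file is not one of the six listed samples, so treat it as a lead rather than a confirmed match.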
Blevene / lockergoga.csv
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9
Blevene / SHA256 Hashes
Created Feb 11, 2019
Feb 9-11th, 2019: Emotet PDFs
Blevene / Formbook hashes
Created Nov 20, 2018
Formbook, November 19-20, 2018
Blevene / Emotet Indicators
Created Nov 16, 2018
Emotet Indicators: November 16th, 2018
November 13th 2018
f887e50af1c99ba73f280e28c7b0581b392782dba0bf2effc72d1719d039152b,
hXXp://www.xianjiaopi[.]com/41964H/PAY/US/,
hXXp://agrarszakkepzes[.]hu/Q1iM9mt5a/,
hXXp://agrarszakkepzes[.]hu/Q1iM9mt5a,
hXXps://www.linktub[.]com/blog/wp-content/004444BN/com/Business/,
hXXp://www.linktub[.]com/blog/wp-content/004444BN/com/Business,
hXXp://bandarbola[.]net/4KMA/PAYMENT/Personal,
d8829e9c2929163f31b001419bb2f9bf88ebf9f92bc1783229ba42b8e1ba8029,
543beab4afdffb67c0b1cdc05a357404c7a9830b50f3e0125c0d57f2fcb8c19e,
7a142698e26899993b4d4b78276c26cde44d3a8fc724bd392e6eb7a5161e0b12,
Blevene / Emotet IOCs
Created Nov 9, 2018
Emotet Campaigns: November 9th, 2018
Emotet Campaign 1: https://www.virustotal.com/graph/g9c1d51be17da4d3d856dadb8ce07046e45da445e9dfa4304bc49880d90df381e
12b379ac95454c365edf299e087e861fbe8df739dcdb3d82b30dae3c4a201583
18d8a6f6bd307d67250eaccc4cc7b82f660a1923f6163c58666b969a5be18cd3
39942a00f9a77d75652b1c3911efdad8d8ff9f7c4f2b645418c54c5bb5074e32
6bd4b3f2072f67bb90832835c91a977dead10682a2a5f76b17993c73782179c0
6e7475b559f466986e6b33ff0c54896e3d85b3e6f7c04b75ca719433672eb1a4
7f52604743302a60f667bbcaddc4dc372a602862f41bf7a741f3676ebb3cbc6b
9c1468cf0ec8794f7a75fb8537e1a42e24436bcf63298792eb62ff55ee517f38
9f874949de45411ab799b437564babfb14560b13383b8feb6dfad4944cf0a79d
Blevene / Emotet indicators
Created Nov 7, 2018
Emotet Indicators, November 7th, 2018
Modules from 92.38.163[.]10
cb1b429cd203a995b05d3f6fcffd703ab78f79d24b6b08a856b0b8a08f564347,
2893c138c1e082ed6a626f5b87d21205245cd68a8f9a21711956a4313131666c,
d19a58e092f4c9eb99d6eff68208fdcbd6c94d35621bab96e98d6030d614b197,
87976b4815c508a22c55d3c8edfa0f7f6466db5681555b2c97a9c92ddab1945a,
hXXp://92.38.163[.]10/MailLer.exe,
hXXp://92.38.163[.]10/mailloggerref.exe,
hXXp://92.38.163[.]10/mailLoggerRef.exe,
hXXp://92.38.163[.]10/LoadStr.exe,
hXXp://92.38.163[.]10/MailClient.exe
Blevene / Emotet Indicators
Created Nov 6, 2018
Emotet - November 6th, 2018
Source: https://www.virustotal.com/graph/g73ae9e6a5e604209a65afdbf2a9fa99cdb112ff2c6e64a7b96df0734f81afb7f