Skip to content

Instantly share code, notes, and snippets.

Avatar

Blevene Blevene

  • Google
View GitHub Profile
@Blevene
Blevene / Hashes.csv
Last active Jun 8, 2020
VirusTotal previous 365 Days [May 7th, 2019] of Malware Signed with Certs
View Hashes.csv
We can't make this file beautiful and searchable because it's too large.
samples day signers Signer 1 Signer 2 Signer 3 Extra Stuff
a83f2d4073b7ecaf4f277db62ec44f8b10a9f16a297ebb4db9826a7a08eb06d2 2019-02-20 南昌博众彩软件有限公司; WoTrus Code Signing CA; Certum Trusted Network CA 南昌博众彩软件有限公司 WoTrus Code Signing CA Certum Trusted Network CA
7639f505eb9b8ab4e585a2dd5e9f300e936ba73e5b5db4c51bcb0ba52e751581 2018-08-20 A&W Global Ltd; thawte SHA256 Code Signing CA; thawte A&W Global Ltd thawte SHA256 Code Signing CA thawte
bf920c41e76de53a7660c12b7d14d2f1ad60539b142654893e7cc420b2bdbc2b 2018-12-19 深圳市掌星立意科技有限公司; VeriSign Class 3 Code Signing 2010 CA; VeriSign 深圳市掌星立意科技有限公司 VeriSign Class 3 Code Signing 2010 CA VeriSign
d3aaad15925caae5262366e3a5bf4edec0246877c340e2ba75e5dc96f8410c4a 2018-10-05 LEMONADE EVENTS LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™ LEMONADE EVENTS LIMITED COMODO RSA Code Signing CA COMODO SECURE™
54fb9e302b497f99c6e7ac891e31faaeaf62245e8c0f65ca7a81c7916225d511 2018-10-25 AmeriTechnology Group, Inc.; Go Daddy Secure Certificate Authority - G2; Go Daddy Roo
View Rietspoof
f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
426a4cd4fc593ad0b9b8050a3e4e89299db5aa32f72647f41905e43ab74abea3
5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
1cdc2057c31742b43538d29d749b6a4a1f62be12beeb3a384c77ce17826ef9b9
5c06e75410dd1dbae2fadf7ffe09e7ef2d3dab3c24760141ff3ca20f2f80c140
30a44e3a5ea574049809eb57638b0fd7f11aab150ac791d202d930b7d3e7bd09
@Blevene
Blevene / 3AN Limited CN
Created May 7, 2019
Rietspoof/Megacortex 3AN Limited CN
View 3AN Limited CN
b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef
f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940
f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434
b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a
acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918
9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2
5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993
523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df
25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b
11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
@Blevene
Blevene / Hoplight IOCs (Extras)
Created Apr 10, 2019
Additional Hoplight IOCs
View Hoplight IOCs (Extras)
Sourced from VT search, YARA rule provided by US-CERT, modified for VTGrep
content:fjiejffndxklfsdkfjsaadiepwn AND (content:google.co OR content:naver.co)
Ref: https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/
a1eb5a0f15cbe7cdd5eb84839f7490aecf38979467f549a9f9b0591e75d7fab6
b0284e9c4cba2bfd019436d4cbe8f1238fd3f6ed4cb79576057be8c4b74d95e0
741c0e5234c85c488f165d5248707436210f15a5c9a43003fec741da1ad05f98
797a23e0900113b23d468d0050cd0c05f15d3afb34eec4d0e27a6f06398dd849
5712e44c3083e394310042afaef6eb40fbe0c56e551433a6370b1f4b9ef0c0e9
889b744a81ccf1209d724798aa1ef1aa2212ba82007c942a6a8746b7b0c3d616
View lockergoga.csv
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 3.
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9
@Blevene
Blevene / SHA256 Hashes
Created Feb 11, 2019
Feb9-11th, 2019: Emotet PDFs
View SHA256 Hashes
5ae51f890d8c99d4332dfed5e823bafc51f746dbe78de5663c724c97b29ab90f
c44653c5317b897ab9192fbaba95f6844221b3598a785733d98f76f67b19edb9
9690b0623ef3a29ed5ac20318afa2bed1d4da4da26350fd2265c5baa7173f9ac
fea7356239b18ee60184f844d563f2c35b6f5e5461baadd62e1c8a46e643c22d
e423f68c36c629b1160069303a87a926182ae6e1d60cd4d88cfb42198870a1ef
f5ed20002cccd20a5096fea1ce46febb6eaa677048c4b3a82ba5ae16319de4c1
c68b49f15b750abff169e855507dc0c5afc0dfa03a8f3136cbe7fd983258565a
1944deb7d7030d9984c7695607ccb842c239ac0438da4390167f8cb8b43d25c6
56e69d7ff0fa3212bb613654c862d1fe6087c6f6a4d107dc42b480082194bd12
9864893e31021debe9df71f6995e562ca46b3a32412ea6d0661f402110d99855
@Blevene
Blevene / Formbook hashes
Created Nov 20, 2018
Formbook, November19-20 2018
View Formbook hashes
a34fcd5496fab5dce127701c2edbeca41a2fdd9407ae1ecb2aaabbe7dcd51e5d
c0bd8ea4a5eb03c1c011694dc281e99f26fb4e6eb9dd1c5f51c174df5aad8b9a
d0ec1dccf63cc373b5799fd5a36be786aa1ad15b96b4688960a928a7d47cddc5
f5d3771c764945a091df5d49d8526acf4bc0b6deb8529c8e9263b1478f92a385
4c9ccbd475b0e44bb280052407f6724c33bfc8a837eabb9cc7821aa8b2bf30e3
d054a1207332dddc61fdec378763bc6db93c7337e76ab6847fc99b0f2193c7db
3776594e0978a844b5f0153ab9a348630f5cb85c1b2e9dc3006e7b639882554b
ad525b5f0e55e0275a092a3fc890066f5ebc1d03c4aae64af9ae326697fecec8
6dc3aa44055834b68b8d111f8fb1d46d8384c629eea18df6622b9ae0870f2d21
58b7e97f8dd79ad3d9ceb412e2e409130f493b6cca1ba1dd40000cb143542b48
@Blevene
Blevene / Emotet Indicators
Created Nov 16, 2018
Emotet Indicators: November 16th, 2018
View Emotet Indicators
0062692aa2341873911a34738d654dc2ef985620a3dc3b5b7a0733d531fe2038
01da5a902c26bf9aaf5b73f1b12d9ace6721f49e011c1746da4a856e2ee20315
079bcf1087e9dd2e1d63d15a784ee36aab95bf09c0f57c1ccdf69ef2348ea77b
0a07cfc820b9ff728dabb39d8295ce0efbb5390f86d1cd525879b64b56231aac
0a3f0bb71442c58ff7d83f42d4c17eaa6467048f9c551ae535ab7fdde93650c8
0bd37ceff94394828645a0cb4d43e363b1e12c516164d42187c2c1641bfa268d
0c2299de95c6449104d90410646ab19ab540d42ec19a74e28642dfac4be9782b
12eeb4d6ed06fdaa609b2bedb2c8433c5c1426cf8fec63aa0d9b62d53857656a
12f9a8c99798490cf35deaf4a33c1396fa295baa43703c09899a8c30c3e5a9d4
136ad986a085a7ac59c2bdea852972f44849d1f92264e88b3a59ba31df143771
View November 13th 2018
f887e50af1c99ba73f280e28c7b0581b392782dba0bf2effc72d1719d039152b,
http://www.xianjiaopi.com/41964H/PAY/US/,
http://agrarszakkepzes.hu/Q1iM9mt5a/,
http://agrarszakkepzes.hu/Q1iM9mt5a,
https://www.linktub.com/blog/wp-content/004444BN/com/Business/,
http://www.linktub.com/blog/wp-content/004444BN/com/Business,
http://bandarbola.net/4KMA/PAYMENT/Personal,
d8829e9c2929163f31b001419bb2f9bf88ebf9f92bc1783229ba42b8e1ba8029,
543beab4afdffb67c0b1cdc05a357404c7a9830b50f3e0125c0d57f2fcb8c19e,
7a142698e26899993b4d4b78276c26cde44d3a8fc724bd392e6eb7a5161e0b12,
@Blevene
Blevene / Emotet IOCs
Created Nov 9, 2018
Emotet Campaigns: November 9th, 2018
View Emotet IOCs
Emotet Campaign 1: https://www.virustotal.com/graph/g9c1d51be17da4d3d856dadb8ce07046e45da445e9dfa4304bc49880d90df381e
12b379ac95454c365edf299e087e861fbe8df739dcdb3d82b30dae3c4a201583
18d8a6f6bd307d67250eaccc4cc7b82f660a1923f6163c58666b969a5be18cd3
39942a00f9a77d75652b1c3911efdad8d8ff9f7c4f2b645418c54c5bb5074e32
6bd4b3f2072f67bb90832835c91a977dead10682a2a5f76b17993c73782179c0
6e7475b559f466986e6b33ff0c54896e3d85b3e6f7c04b75ca719433672eb1a4
7f52604743302a60f667bbcaddc4dc372a602862f41bf7a741f3676ebb3cbc6b
9c1468cf0ec8794f7a75fb8537e1a42e24436bcf63298792eb62ff55ee517f38
9f874949de45411ab799b437564babfb14560b13383b8feb6dfad4944cf0a79d
You can’t perform that action at this time.