ProIntegritate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Trickbot #IOCs | |
| Source: https://blog.angadiworldtech.com/generalo/uptime.php | |
| 24551812877dbf813d57b3ac0cdb8ad1 | |
| 4e71930a812a2b5650e7e08eb2b10b34 | |
| 5a67a45742e13bbb8d03b52ec2b07275 | |
| 8ea57fb696fde17f2a6360728ad924a9 | |
| 9f1163b96f329b7607dc7d51f1adab68 | |
| a3de6c880d642c4b6f5c4df497d99fa2 | |
| d02f63798c1b2f7fe5858cda472fd09d |
ProIntegritate
/ Trickbot 2020-08-25
Created
August 25, 2020 11:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2020-08-25: Some #Trickbot hashes. | |
| Not all of them though, Ivan get annoyed when you scrape his PHP downloaders. | |
| Source: https://yektairon.com/brands/goodmanstory.php | |
| 006eb0704a4fb613b2a5c96e40dcfb4e | |
| 00f7dacbca2671c4d9c368affc369f19 | |
| 022ff5f2033d291b388c1cc42b583e10 | |
| 05b7dc52cd38b8a6fb03368571799e4f | |
| 05ed7eb8f3dc67605a3314be0d07815e |
ProIntegritate
/ Dridex IOCs 2020-09-07
Last active
September 8, 2020 14:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dridex IOCs 2020-09-07 IOCS. | |
| Payload hashes: | |
| 150f42ff16bd2ae9895532a7be6284a1 | |
| 2f3e7c9fb52e413577370c1cd1c4befa | |
| 5b4de46aee52cf976a7f5b417f58c04c | |
| 698e51bc1e2a4642c0ac6ee6eac9791e | |
| 6e6533fa01c0c32dac8c1cab8dc73dbc | |
| 740eee666d4306312e619a38914b8755 |
ProIntegritate
/ gist:b2d9be87837c97918a0f9ad939b87f74
Created
January 17, 2021 23:53
TimeToBiden in .NET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dim sOutput As String = "" | |
| Dim inaug As DateTime = Convert.ToDateTime("2021-01-20T17:00:00.000Z") ' Timestamp in ISO8601 format. | |
| Dim ttb As System.TimeSpan | |
| ttb = inaug - Convert.ToDateTime(Now.ToString) | |
| sOutput = "Seconds: " & ttb.TotalSeconds & vbCrLf ' Total seconds left | |
| sOutput = sOutput & "Time left: " & ttb.ToString & " Local" & vbCrLf ' Time in Local zone | |
| ttb = inaug - Convert.ToDateTime(Date.UtcNow.ToString) | |
| sOutput = sOutput & "Time left: " & ttb.ToString & " UTC" & vbCrLf ' Time in UTC zone |
ProIntegritate
/ PSDo
Created
May 28, 2021 11:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell -c "Set-ExecutionPolicy bypass" | |
| powershell -f %1 | |
| powershell -c "Set-ExecutionPolicy Restricted" |
ProIntegritate
/ gist:28dfc2c9380398ca3b24d78f4577fa95
Created
July 5, 2021 16:24
REvil IP-Infra as of 2021-07-05, 18:24 CET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Current (2021-07-05) IP Infra of Revil, taken from active domain list. | |
| - Seems like a number of them are using the same boxes to host domains (see top). | |
| - 5 of them pointed to localhost (removed) | |
| Count Adress | |
| 39 142.93.110.250 | |
| 32 47.75.130.171 | |
| 18 192.0.78.13 | |
| 18 192.0.78.12 |
ProIntegritate
/ gist:21654ec529cd2da27fd7079746459f8c
Created
July 5, 2021 20:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| echo Run as admin. | |
| netsh advfirewall firewall delete rule name="Audacity-in" | |
| netsh advfirewall firewall delete rule name="Audacity-out" | |
| pause | |
| echo Run your update now, then press any key to reactivate the firewall. | |
| pause | |
| netsh advfirewall firewall add rule name="Audacity-in" dir=in program="audacity.exe" action="block" enable="yes") | |
| netsh advfirewall firewall add rule name="Audacity-out" dir=out program="audacity.exe" action="block" enable="yes") | |
| echo Done. |
ProIntegritate
/ gist:a31524e1677088eefab51bb742c8440d
Last active
July 19, 2021 12:06
Resolved NSO Group DNS names as of 2021-07-19. (37% resolvable. No garantees that records are still true.)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: https://github.com/AmnestyTech/investigations/blob/master/2021-07-18_nso/domains.txt | |
| 2021-07-19, ?, 14-tracking.com | |
| 2021-07-19, ?, 1minto-start.com | |
| 2021-07-19, ?, 2far1v4lv8.get1tn0w.free247downloads.com | |
| 2021-07-19, ?, 301-redirecting.com | |
| 2021-07-19, ?, 365redirect.co | |
| 2021-07-19, ?, 3driving.com | |
| 2021-07-19, ?, 456h612i458g.com | |
| 2021-07-19, ?, 4n3d9ca2st.php78mp9v.opposedarrangement.net | |
| 2021-07-19, ?, 7style.org |
ProIntegritate
/ gist:b97d7567d4d3c5a35e9cca21c25ef2f2
Created
July 24, 2021 12:15
Exploring WMI objects with Powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Exploring WMI objects with Powershell: | |
| For this example on how to explore WMI classes, i've used Win32_ShadowCopy | |
| as an example. Some classes, like Win32_ShadowCopy, REQUIRES administrator | |
| privileges to work. | |
| Search for classes names *shadow* | |
| powershell -c "Get-CimClass -ClassName *shadow*" | |
| See if a class has Methods and Properties: |
ProIntegritate
/ .NET Cleanup
Created
July 28, 2021 09:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Specific object cleanup: | |
| Object.Dispose() ' Does not exist for all objects though. | |
| Object = Nothing ' This _will_ exist for all objects. | |
| The periodically run: | |
| GC.Collect() ' Init Garbage collector | |
| If you use performance counters (System.Diagnostic.*), you may want to clean them up too as you free things up: |
OlderNewer