Arnaud Delmas adelmas
View trickbot_1000064.xml
<mcconf>
<ver>1000064</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:451</srv>
<srv>46.237.117.193:449</srv>
<srv>85.221.243.6:449</srv>
<srv>79.170.7.139:449</srv>
<srv>41.57.103.218:449</srv>
<srv>196.202.194.202:449</srv>
View trickbot_1000059.xml
<mcconf>
<ver>1000059</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:449</srv>
<srv>89.231.13.38:449</srv>
<srv>94.75.77.162:449</srv>
<srv>75.107.84.190:449</srv>
<srv>187.232.150.175:449</srv>
<srv>46.237.117.193:449</srv>
@adelmas
adelmas / trickbot_1000048.xml
Created Sep 8, 2017
Trickbot ver. 1000048, gtag tt0002 - Decrypted configs
View trickbot_1000048.xml
<mcconf>
<ver>1000048</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:449</srv>
<srv>147.135.196.128:443</srv>
<srv>195.133.147.135:443</srv>
<srv>185.158.113.62:443</srv>
<srv>194.87.146.180:443</srv>
<srv>194.87.99.220:443</srv>
@adelmas
adelmas / trickbot_1000044.xml
Created Aug 30, 2017
Trickbot ver. 1000044, gtag tt0002 - Decrypted configs
View trickbot_1000044.xml
<mcconf>
<ver>1000044</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
<srv>51.254.164.249:443</srv>
<srv>188.165.62.15:443</srv>
<srv>67.21.84.23:443</srv>
@adelmas
adelmas / trickbot_1000042.xml
Created Aug 23, 2017
Trickbot ver. 1000042, gtag tt0002 - Decrypted configs
View trickbot_1000042.xml
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000042</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / trickbot_1000041.xml
Created Aug 22, 2017
Trickbot ver. 1000041, gtag tt0002 - Decrypted configs
View trickbot_1000041.xml
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000041</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / trickbot_1000040.xml
Created Aug 21, 2017
Trickbot ver. 1000040, gtag tt0002 - Decrypted configs
View trickbot_1000040.xml
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000040</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / flokibot32_deobf.py
Last active May 18, 2019
IDAPython script to statically deobfuscate the bot32 payload of the banking malware FlokiBot. Imports are fully resolved, hooks are identified and named, and strings are decrypted and added as comments, without using any debugger. May take a few minutes to resolve imports. Works with the FlokiBot dropper with some small changes.
View flokibot32_deobf.py
# coding: utf-8
# ====================================================== #
# #
# FLOKIBOT BOT32 DEOBFUSCATION IDA SCRIPT #
# #
# http://adelmas.com/blog/flokibot.php #
# #
# ====================================================== #
@adelmas
adelmas / ida_api_hooking.py
Last active Jun 21, 2017
IDAPython script showcasing API hooking on SSL functions. http://adelmas.com/blog/ida_api_hooking.php
View ida_api_hooking.py
# coding: utf-8
RunPlugin("python", 3)
AttachProcess(2892, -1) # PID
off_ssl_read = LocByName("_ssl3_read")
off_ssl_write = LocByName("_ssl3_write")
# - Hooks on _ssl3_write, _ssl3_read ---------------------------------------
cond_read = """
View reflective_loadlibrary.asm
; Reflective Loader shellcode loading a DLL
; ===============================================
; Posted on http://adelmas.com/blog/fileless_malwares.php by @ArnaudDlms
;
; Written in x86 ASM with Flat Assembler
; No junk code added so executable might be detected as malicious by AVs
; Host process must be 32-bit
;
; Inspired by the following C code by Stephen Fewer :
; https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.c