Arnaud Delmas (adelmas)
<mcconf>
<ver>1000064</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:451</srv>
<srv>46.237.117.193:449</srv>
<srv>85.221.243.6:449</srv>
<srv>79.170.7.139:449</srv>
<srv>41.57.103.218:449</srv>
<srv>196.202.194.202:449</srv>
<mcconf>
<ver>1000059</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:449</srv>
<srv>89.231.13.38:449</srv>
<srv>94.75.77.162:449</srv>
<srv>75.107.84.190:449</srv>
<srv>187.232.150.175:449</srv>
<srv>46.237.117.193:449</srv>
@adelmas
adelmas / trickbot_1000048.xml
Created September 8, 2017 16:25
Trickbot ver. 1000048, gtag tt0002 - Decrypted configs
<mcconf>
<ver>1000048</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88.51:449</srv>
<srv>147.135.196.128:443</srv>
<srv>195.133.147.135:443</srv>
<srv>185.158.113.62:443</srv>
<srv>194.87.146.180:443</srv>
<srv>194.87.99.220:443</srv>
@adelmas
adelmas / trickbot_1000044.xml
Created August 30, 2017 21:27
Trickbot ver. 1000044, gtag tt0002 - Decrypted configs
<mcconf>
<ver>1000044</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
<srv>51.254.164.249:443</srv>
<srv>188.165.62.15:443</srv>
<srv>67.21.84.23:443</srv>
@adelmas
adelmas / trickbot_1000042.xml
Created August 23, 2017 20:42
Trickbot ver. 1000042, gtag tt0002 - Decrypted configs
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000042</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / trickbot_1000041.xml
Created August 22, 2017 20:31
Trickbot ver. 1000041, gtag tt0002 - Decrypted configs
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000041</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / trickbot_1000040.xml
Created August 21, 2017 22:51
Trickbot ver. 1000040, gtag tt0002 - Decrypted configs
--------------------
Main conf :
--------------------
<mcconf>
<ver>1000040</ver>
<gtag>tt0002</gtag>
<servs>
<srv>84.238.198.166:449</srv>
<srv>91.139.236.92:449</srv>
<srv>84.40.65.85:449</srv>
@adelmas
adelmas / flokibot32_deobf.py
Last active September 28, 2021 03:29
IDAPython script to statically deobfuscate the bot32 payload of the FlokiBot banking malware. Imports are fully resolved, hooks are identified and named, and strings are decrypted and added as comments, without using any debugger. Resolving the imports may take a few minutes. Works with the FlokiBot dropper with some small changes.
# coding: utf-8
# ====================================================== #
# #
# FLOKIBOT BOT32 DEOBFUSCATION IDA SCRIPT #
# #
# http://adelmas.com/blog/flokibot.php #
# #
# ====================================================== #
@adelmas
adelmas / ida_api_hooking.py
Last active March 25, 2022 02:08
IDAPython script showcasing API hooking on SSL functions. http://adelmas.com/blog/ida_api_hooking.php
# coding: utf-8
RunPlugin("python", 3)
AttachProcess(2892, -1) # PID
off_ssl_read = LocByName("_ssl3_read")
off_ssl_write = LocByName("_ssl3_write")
# - Hooks on _ssl3_write, _ssl3_read ---------------------------------------
cond_read = """
; Reflective Loader shellcode loading a DLL
; ===============================================
; Posted on http://adelmas.com/blog/fileless_malwares.php by @ArnaudDlms
;
; Written in x86 ASM with Flat Assembler
; No junk code added so executable might be detected as malicious by AVs
; Host process must be 32-bit
;
; Inspired by the following C code by Stephen Fewer :
; https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.c