Kirk Sayre kirk-sayre-work

  • Walmart
View gist:3aa33a776041a6710d0844b6e00856a3
Word PE Dropper Samples:
View gist:46377fa5ea20aec7e6c189e356e64f41
2nd Stage Powershell Command Domains:
kirk-sayre-work / gist:b6928dbf944065f542b487d723e216b7
Created Aug 25, 2022
NetSupport RAT JS Downloader Hashes 8/25/2022
kirk-sayre-work / gist:6e209397e2b2720edabd806513ddb226
Created Aug 23, 2022
Maybe (??) IcedID Maldocs/URLs 8/23/2022
2nd Stage Download IPs:
kirk-sayre-work / gist:dddce9790547f9ea8a8c0ba24a2b6d60
Created Aug 12, 2022
Canada Suspicious Business Process (Maybe?) 8/12/2022
Excel Sample Hashes:
kirk-sayre-work / gist:eda6edf57c820aaa7755c8ed401ede8b
Created Jul 20, 2022
Gootloader JS Hashes, Domains, URLs 7/20/2022
Gootloader Domains:
Gootloader JS Samples/2nd Stage URLs:
kirk-sayre-work / gist:39c739c0091cfc5045eef791c7963591
Created Jul 19, 2022
Socgholish Fake Update JS Sample Hashes
View gist:193ba69b70380cca41be6f484240fc51
Unknown VBS Campaign 6/30/2022
2nd Stage Powershell URLs:
View gist:d2e5c70ccdb0aa8cb0aada5ea492b222
Sample Hashes (Word, Excel, VBS):
View gist:884e4ec0654b74b17a6e0a2cb0ee520c
VBS Sample Hashes: