Pierre Le Bourhis lbpierre

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                lbpierre
                / keybase.md
            
            
              Created
              January 18, 2023 16:38
            
          
    Keybase proof

I hereby claim:

I am lbpierre on github.
I am pierrelebourhis (https://keybase.io/pierrelebourhis) on keybase.
I have a public key ASAFYD9yNYtd2yhH3Rru7Z6dJigyClt_5NSErPxp12bhbwo

To claim this, I am signing this object:

  
## customerloader-extractor.py
import sys, struct, clr
clr.AddReference("System.Memory")
from System.Reflection import Assembly, MethodInfo, BindingFlags
from System import Type

import string
import hashlib
from base64 import b64decode
from itertools import combinations
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

## darkgate-c2-communication-deobfuscator.py
import base64
import binascii
import urllib


def unhex(hex_string):
    """oalabs fonction copy from:
    https://github.com/OALabs/research/blob/master/_notebooks/2021-06-27-python3_examples.ipynb
    """

## AV_checked.txt
ByteFence
C:\Program Files (x86)\Avira
C:\Program Files (x86)\F-Secu
C:\Program Files (x86)\IObit
C:\Program Files (x86)\Sophos
C:\Program Files\Malwarebytes
C:\Program Files\Quick Heal
C:\ProgramData\Emsisoft
C:\ProgramData\Kaspersky Lab
Comodo

## darkgate-doc-action-id.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                lbpierre
                / darkgate-doc-action-id.md
            
            
              Created
              November 16, 2023 15:40
            
              
                DarkGate C2 communication action ID description
              
          
Action Id
Description


1052
search and delete log files


1053
self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)


1060
delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)


1072
kill rar process and remove traces of rar archive


1096
ntdll used to execute payload in memory as notepad.exe


1099
Spoof parent PID to execute a cmd.exe


1100
APC injection via NtTestAlert


1101
APC injection via NtTestAlert


## ReflectiveDLLInjection.h
#define DLL_QUERY_HMODULE		6

#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)


#define DLLEXPORT   __declspec( dllexport )

## diceloader-extractor.py
import sys
import pefile
from typing import List


def get_data_section_virtualAddress(pe: pefile.PE) -> int:
    """Return the .data section of a PE file."""

    data_va: int = 0

## tcp_server.py
import os
import sys
import time
import struct
import logging
import socket
import select
import argparse
import platform
from itertools import zip_longest

## SelfAU3-deobfusct.py
import re
from itertools import filterfalse
from collections import Counter
from typing import List, Tuple, Set

reg_DENIS = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])")
reg_INT_VAR = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})")


def dennis(string, diff):

## SW2_SyscallList_hex.dmp
00000000f90100001719a606d06607001f3fa801e06607001e1db13ef06607006dc1ac9700670700c1ee3e8410670700340d98322067070027ff8235306707008ef8d80040670700be8278e250670700071ccc4460670700e7188913706707001a1fb02080670700b25b283c90670700b18c0b92a06707001b344cefb0670700113b9d12c06707001b3aa70ad06707002ed4fbaae06707003398c9edf0670700ef5799a900680700b95aa8bd10680700b42f2121206807009cb0ea5f306807007e78d35b40680700c62ed4c550680700c0d041c5606807008139947e90680700169dcdf3a068070095990786b0680700ecda52edc0680700b77c2270d0680700180572e0e06807004ae3b99cf0680700129898ac00690700b1c82aaf1069070087a91483206907000819882f30690700e36cc9e2406907007e78ad5f506907008cbab828606907007528e14e706907002ddeb2d680690700f115ac36906907007fe9abb5a0690700047e9f51b0690700525cce46c0690700e350ae6fd06907005dec9fb6e0690700c9c8bc0af06907000cf194fb006a070014ef8eee106a0700b19d1483206a07007dd02ff4306a07002c40bb2a406a0700a1983398506a070007308f16606a07009683069d706a0700102cba24806a0700f8921586906a07006ad2b798a06a070067b2de86b06a07007e4eb962c06a0700541b8c3ed06a0700
	import sys, struct, clr
	clr.AddReference("System.Memory")
	from System.Reflection import Assembly, MethodInfo, BindingFlags
	from System import Type

	import string
	import hashlib
	from base64 import b64decode
	from itertools import combinations
	from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
	import base64
	import binascii
	import urllib


	def unhex(hex_string):
	"""oalabs fonction copy from:
	https://github.com/OALabs/research/blob/master/_notebooks/2021-06-27-python3_examples.ipynb
	"""
	ByteFence
	C:\Program Files (x86)\Avira
	C:\Program Files (x86)\F-Secu
	C:\Program Files (x86)\IObit
	C:\Program Files (x86)\Sophos
	C:\Program Files\Malwarebytes
	C:\Program Files\Quick Heal
	C:\ProgramData\Emsisoft
	C:\ProgramData\Kaspersky Lab
	Comodo
Action Id	Description
1052	search and delete log files
1053	self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)
1060	delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)
1072	kill rar process and remove traces of rar archive
1096	ntdll used to execute payload in memory as notepad.exe
1099	Spoof parent PID to execute a cmd.exe
1100	APC injection via NtTestAlert
1101	APC injection via NtTestAlert
	#define DLL_QUERY_HMODULE 6

	#define DEREF( name )(UINT_PTR )(name)
	#define DEREF_64( name )(DWORD64 )(name)
	#define DEREF_32( name )(DWORD )(name)
	#define DEREF_16( name )(WORD )(name)
	#define DEREF_8( name )(BYTE )(name)


	#define DLLEXPORT __declspec( dllexport )
	import sys
	import pefile
	from typing import List


	def get_data_section_virtualAddress(pe: pefile.PE) -> int:
	"""Return the .data section of a PE file."""

	data_va: int = 0
	import os
	import sys
	import time
	import struct
	import logging
	import socket
	import select
	import argparse
	import platform
	from itertools import zip_longest
	import re
	from itertools import filterfalse
	from collections import Counter
	from typing import List, Tuple, Set

	reg_DENIS = re.compile(r"(dennis\(\")([0-9\]\"]{1,})(,)([0-9]{1,})([\/])([0-9]{1,})([\)])")
	reg_INT_VAR = re.compile(r"(\$)(?P<name>[a-zA-Z0-9]{1,})( )=( )([0-9]{1,})")


	def dennis(string, diff):