levwu

## duplicated_keys
Key 1 ->
BwIAAACkAABSU0EyAAgAAAEAAQAJ6oOvBaFGyNrUE2Sx0SotEeoL3B2vBmU+nkVMV2iMoZWD+jVBfwmAEW2fVfke4QRy6FF2DDoBF6pOF2BYussfjlJTQS9Kd2QSOOTo3zukePzo19YFXqk0giNNoRZlZU7Ku0soQITuYV+Jv76yyzKIiq0Gush5s/p5F2OnwQfIJRk70R6/sa+bySUnaTR5ZgNdLP2CVvAA5CcZYYLaE7GJyD62OBjParXqYbNP4RZ9kCWBnsiJSf6V/E2EdU4p7EUgPB6AyRXGF99zLTduH02MJIj9ofrKec4bJnJF4skOS75680GmixmFOieWAFaDrsAVzLioWVa4hmiHL7/BI+enS2iueHTjEDfX1RPQMPtT+8Y5M/zLIukDvI5ExuI8Ho/W12VrgM1ndhFyWa2uAJbWICq/VJyxacOP+/J+Hg417FiAjlZGoj8a4Q6yvuJoTOP987YgHh/3kQhMJBHlhQDeH9Ffe7i8AQvGHBnY9NuPrzB0xPmg+ZP4dmjMxXCEbst7qqLJIcC/hyI1ahd02JIUldmyDnjsNGcFV3+SHGGw92Na79a2i8+E8wITCHkKJmlpUvGKcgnvI/phFBtfOn/QPJUk7kvmvSiuzmM1IAFSitulEu6044wwl0k426HwsPe/tA6foCivKIUId0wgdovNsPgAuMY+8V1BfLb81k5K0zWQnxZ4XoPNohNRHMi3nwV/sqj1IFNRj49fy7Sju3IeiEkOC3MMm2Pl95tm2RBWW7pToHmmxHFa+1Rz6nWb+qJBlNbSFWS0/C2nQlYWK2nMlmGKFC/LzSlbM1R2UMH8V3KsbyT1tzguAB8vkTN2Mfh5vwkb84t+Xm1HrVxNdF++f2qx08Ezi2y0x37UdydkjR3R6WeWupHR55iriyLbxcMstZWwQFbY5nDR0+ct9JJ0EIFqg4ScRn8B104KtaK01xv897w6VZgITiPIASvUZRC8KATxxIUAsof4qm2oy0E4JR5q8Gb

## validate_rsa.py
    def validate(self):
        if self.N != self.p*self.q:
            raise ValueError("Invalid RSA prime p & q")
        phi = (self.p-1)*(self.q-1)
        if ((self.e*self.d)%phi) != 1:
            raise ValueError("Invalid RSA e & d")

## result
└> python3 parse2.py
[!]Found same RSA Key!!!
First Key=>
size=2048
e=65537
N=21195776151183351269960353020472988477854690609720759677153736534457142742873144538351288253578698916526475736257820450831036346872013222213320300353345908480406117400636702464666655780297593538369815024116671678031126622111178710510460345503177616488484590397274696081664732066978924856549426185255122075896709754987898330852479458549446991378954010935136091589726588928181939537135718323845481833337405059984065115810907161321753420582127760351657428756756887284274037879179537461741737920000974538803493396552555804560836286128130321723882373591101558428026244662249142888724327741998564420382856391316639337146889
p=142854603738870400927086598234416131057932634323874331445714977196775033542635398190170989823582485498723777402549556783798846749392806974287103923002343571573486540909941532702301659575053363259009715681148864878986827244111792403149093546905129406214283754191236577992037325913646849970858871233649054738507
q=14837307021569

## main.py
with open('keys', 'rb') as f:
    for line in f.readlines():
        data = base64.b64decode(line.strip())
        rsa = RSAPrivKeyBlob()
        rsa.parse(data)
        if rsa in keys:
            print('Found same RSA Key!!!')
            print('First Key=>\n{}\n'.format(rsa))
            for k in keys:
                if rsa == k:

## compare_rsa.py
    def __eq__(self, other):
        return other.p == self.p and other.q == self.q

    def __hash__(self):
        return hash((self.p, self.q))

## emotet_payload_decryption.py
from struct import pack, unpack

with open('memdump_AF0_01C90000_19a00.bin', 'rb') as f:
    raw = f.read()

size = 0x19a00

plain = ""
i = 0
while i < size:

## emotet_decrypt_strings.py

from idaapi import get_func

decrypt_function_name = 'cryptDecryptSimple'

def key_int_to_array(key):
    key_arr = [0]*4
    mask = 0xff
    for i in range(0,4):
        k = key >> 8*i
	def validate(self):
	if self.N != self.p*self.q:
	raise ValueError("Invalid RSA prime p & q")
	phi = (self.p-1)*(self.q-1)
	if ((self.e*self.d)%phi) != 1:
	raise ValueError("Invalid RSA e & d")
	└> python3 parse2.py
	[!]Found same RSA Key!!!
	First Key=>
	size=2048
	e=65537
	N=21195776151183351269960353020472988477854690609720759677153736534457142742873144538351288253578698916526475736257820450831036346872013222213320300353345908480406117400636702464666655780297593538369815024116671678031126622111178710510460345503177616488484590397274696081664732066978924856549426185255122075896709754987898330852479458549446991378954010935136091589726588928181939537135718323845481833337405059984065115810907161321753420582127760351657428756756887284274037879179537461741737920000974538803493396552555804560836286128130321723882373591101558428026244662249142888724327741998564420382856391316639337146889
	p=142854603738870400927086598234416131057932634323874331445714977196775033542635398190170989823582485498723777402549556783798846749392806974287103923002343571573486540909941532702301659575053363259009715681148864878986827244111792403149093546905129406214283754191236577992037325913646849970858871233649054738507
	q=14837307021569
	with open('keys', 'rb') as f:
	for line in f.readlines():
	data = base64.b64decode(line.strip())
	rsa = RSAPrivKeyBlob()
	rsa.parse(data)
	if rsa in keys:
	print('Found same RSA Key!!!')
	print('First Key=>\n{}\n'.format(rsa))
	for k in keys:
	if rsa == k:
	def __eq__(self, other):
	return other.p == self.p and other.q == self.q

	def __hash__(self):
	return hash((self.p, self.q))
	from struct import pack, unpack

	with open('memdump_AF0_01C90000_19a00.bin', 'rb') as f:
	raw = f.read()

	size = 0x19a00

	plain = ""
	i = 0
	while i < size:

	from idaapi import get_func

	decrypt_function_name = 'cryptDecryptSimple'

	def key_int_to_array(key):
	key_arr = [0]*4
	mask = 0xff
	for i in range(0,4):
	k = key >> 8*i