"""
Deobfuscates log messages present in EQGRP StraitBizarre samples.
To use this plugin, you must label the logging function (0x7fff2a3f8d10 in
f0285338e59322079bafe5780e1a26ef0d5d62cc0138b0725bd7a37084d03204) `sbz_log`.
Author: netadr
Date: 2024-06-30
"""
import binaryninja

#!/usr/bin/env python
"""
Extracts "burned-in" virtual filesystem objects (including plugins and
configuration data) from an EQGRP StraitBizarre sample:
https://www.virustotal.com/gui/file/f0285338e59322079bafe5780e1a26ef0d5d62cc0138b0725bd7a37084d03204
Author: netadr
Date: 2024-06-29
"""
@netadr
netadr / gist:6b5cc9703df5dd4639f89e5a530629c2
Created November 22, 2022 00:39
SBZ module dump GDB script
break *0x000338d4
commands
eval "dump binary memory mod_%x.bin 0x%x 0x%x+0x%x", $l4, $o1, $o1, $o2
cont
end
@netadr
netadr / boxstarter.ps1
Last active October 9, 2018 00:48
my windows bootstrap
# netsec_planes's boxstarter script
#---TEMPORARY---
Write-Host "Temporarily disabling User Account Control..."
Disable-UAC
#---WINDOWS SETTINGS---
# THUMBNAIL CACHE / EXPLORER PRIVACY OPTIONS