I hereby claim:
- I am pun1sh3r on github.
- I am pun1sh3r (https://keybase.io/pun1sh3r) on keybase.
- I have a public key whose fingerprint is 8D38 3337 AD32 0597 0796 A751 FD78 CCA9 CBDA 6ECC
To claim this, I am signing this object:
[ | |
{ | |
"operation": "default", | |
"spec": { | |
"source" : "https://bazaar.abuse.ch", | |
"itype" : "hash", | |
"ioc_index": "", | |
"attributes": { | |
"trt:threat_scraper": "malwareBazaar_scraper", | |
"trt:malware_name": "", |
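import base64
import requests

# Fetch the obfuscated text blob. A timeout keeps the script from hanging
# forever on a stalled connection, and raise_for_status() stops it from
# "decoding" an HTML error page as if it were the payload.
req = requests.get('https://pastebin.com/raw/Q1MSN9j9', timeout=30)
req.raise_for_status()
data = req.text

# The blob uses '.' in place of '0'. The original went through a throw-away
# marker string ('.' -> marker -> '0'); a direct replace is the same mapping.
data = data.replace('.', '0')

# The base64 text is stored reversed; undo that, decode, and write the raw
# bytes to disk for further analysis.
with open('pastebin_decoded.bin', 'wb') as fd:
    fd.write(base64.b64decode(data[::-1]))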
import pandas as pd
import csv
from collections import defaultdict

# Two-level mapping created on demand; filled in later in the script (not shown here).
data_dict = defaultdict(dict)

# Only the three columns that are needed are loaded from the CSV.
folio_df = pd.read_csv('folio_data.csv',usecols=['Folio_number','Name','Email'])
# Remove every "b'" and "'" token from the cells. Presumably these are artefacts
# of bytes objects having been written out as b'...' literals — verify against
# the CSV before relying on this.
folio_df = folio_df.replace(to_replace='(b\'|\')', value='',regex=True)
from pprint import pprint
import binascii

# 0..254 inclusive — range(255) stops short of 0xFF. If the intent is the full
# single-byte range this needs range(256) — TODO confirm against the search loop.
byte_array = [ i for i in range(255)]
# 16-byte buffer (32 hex chars) that looked out of place in the sample.
first_hex_buffer = binascii.unhexlify('3fc05efced4c34d93f465921e18129c1') # suspicious buffer found at offset 417428 — possible key?
hex_array = []
possible_key = b''
count = 0
# NOTE(review): shadows the builtin sum(); rename if sum() is needed later in the script.
sum = 0
#arcane stealer config dumper
import binascii
import bitstring
import glob

# Every .exe under the retrohunt directory; each one is processed by the loop that follows.
src_files = glob.glob('/research/arcane_stealer/retrohunt/*.exe')
for f in src_files: | |
with open(f,'rb') as fh: |
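import codecs

# Read the resource as raw bytes. The original opened it through
# codecs.open(..., encoding='ISO-8859-1'), read it as text, and then re-encoded
# that text with the same codec; latin-1 maps every byte value 1:1, so this
# produces the identical bytearray without the round trip — and the handle is
# closed when the block exits instead of being left open.
with open('resource.bin', 'rb') as f:
    data = bytearray(f.read())

out_buffer = bytearray()

# The 'utf-16' codec prefixes a 2-byte BOM; drop it so the key is only the
# string's UTF-16 code units (native byte order).
key = bytearray('TfaryorHHrSn', 'utf-16')
key = key[2:]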
for i in range(0, len(data), 1): |
#azorult xor decoder | |
import binascii | |
import base64 | |
import bitstring | |
from pprint import pprint | |
import glob | |
def decode_url(ciphertext): | |
#ciphertext = binascii.unhexlify('68 b7 72 39 9c 64 66 89 6c3ba91068a811659c124389413bb9596b8615799d4930ce434ac6506b9272659a633c884141be1d') | |
key = binascii.unhexlify("09ff20") |
I hereby claim:
To claim this, I am signing this object:
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
is up, the virus exits instead of infecting the host (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source). Update: A minor variant of the viru