r00tten@vti-cosplay VTI-Cosplay % python3 vti-cosplay.py -h | |
,(#* | |
,(#*. | |
*********(##* ,**********. | |
.%%#////////*, .,///////(%#, | |
.%%* *%#, | |
.%%* *%#, | |
.%%* *%#/,,,,,, | |
,(%%/. ,(((((((((. |
#!/usr/bin/env python3 | |
import re | |
import sys | |
import subprocess | |
import glob | |
import base64 | |
import yaml | |
def dumpYaml(data): |
rule Risk { | |
meta: | |
author = "Mert Degirmenci" | |
description = "YARA rule for the files whose hash is one of the below" | |
date = "12.11.2019" | |
hash1 = "c40d59f85e1b4bacf10643b535da804af2e99caba91ab860b221121e24a2a9bb" | |
hash2 = "11455bc66548fd161362d300d24c6539c36c7b236aafd4f457d8ee2d8b6c9262" | |
hash3 = "29659dd2cd05d0e3c97c2fd3687644a78622ad487178901cb67f14be314c168b" | |
hash4 = "3c3b311505b8a3b280024d05017ff9edcb19e193c1760cac099d09fb165e93d7" |
rule swift_copy { | |
meta: | |
author = "Mert Degirmenci" | |
description = "Agent Tesla phishing RTF document" | |
date = "22.10.2019" | |
hash1 = "f1a00cdd704475ee21e7a4fc38a7188868addcb681660eaa1b71f072e265fffd" | |
strings: | |
$s_rtf = "{\\rtf1" |
#!/usr/bin/python | |
import sys | |
import struct | |
import re | |
from rijndael.cipher.crypt import new | |
from rijndael.cipher.blockcipher import MODE_CBC | |
# Module-level accumulator shared by the helpers below; presumably filled by readValues() — confirm
encValues = [] | |
def readValues(): |
#!/usr/bin/python | |
import r2pipe | |
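# Import-name list to match against, one API name per line.
# Swap in 'importsKernel32' to check the kernel32 export set instead.
# NOTE(review): str.split('\n') keeps a trailing empty entry when the file
# ends with a newline; kept as-is because later lookups may depend on it.
IMPORTS_PATH = 'importsNtdll'
#IMPORTS_PATH = 'importsKernel32'
with open(IMPORTS_PATH, 'r') as fh:  # the handle is closed even if read() raises
    imports = fh.read().split('\n')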
file = open('hashes', 'r') |
#!/usr/bin/python | |
import sys | |
import re | |
def decryptor(z5ef583): | |
b9d4bc = "qaf669"; | |
vfc9c = "" | |
for i in xrange(0, len(z5ef583), 2): | |
s3c1193 = int(('0x' + z5ef583[i:i+2]), 16) |
# radare2 script: analyse the routine at 0xbe and name its base-pointer-relative
# frame slots (negative byte offsets below bp) after the resolved imports kept
# there; each slot is typed int32_t (presumably a resolved function pointer — confirm).
# NOTE(review): the API set named here — Virtual{Alloc,ProtectEx,Free},
# {Read,Write}ProcessMemory, {Get,Set}ThreadContext, ResumeThread, TerminateProcess —
# is the footprint commonly seen with process hollowing / remote injection; useful
# as a detection feature in its own right, not only as an analysis label.
af @ 0xbe | |
afvb -52 sus.imp.VirtualProtectEx int32_t @ 0xbe | |
afvb -84 sus.imp.ResumeThread int32_t @ 0xbe | |
afvb -60 sus.imp.VirtualFree int32_t @ 0xbe | |
afvb -108 sus.imp.ReadProcessMemory int32_t @ 0xbe | |
afvb -112 sus.imp.SetThreadContext int32_t @ 0xbe | |
afvb -96 sus.imp.GetThreadContext int32_t @ 0xbe | |
afvb -88 sus.imp.TerminateProcess int32_t @ 0xbe | |
afvb -44 sus.imp.WriteProcessMemory int32_t @ 0xbe | |
afvb -104 sus.imp.VirtualAlloc int32_t @ 0xbe
# radare2 flags labelling the analysed routines of the sample: `f <name> <size> <addr>`,
# size 0 meaning an address-only marker. Names are the analyst's own labels for what
# each routine appeared to do; the 0x1000xxxx addresses suggest a DLL mapped at
# image base 0x10000000 — confirm from the PE header before reusing them elsewhere.
f sus.copyToBuffer 0 0x100030df | |
f sus.lengthAsByte 0 0x10002b99 | |
f sus.internetReadFile_caller 0 0x10003621 | |
f sus.createMutex 0 0x10002cfc | |
f sus.mainRoutine 0 0x10005b94 | |
f sus.decrypterFunc 0 0x10002f3f | |
f sus.heapFree_un 0 0x10003f83 | |
f sus.multiByteToWideChar_caller 0 0x1000369a | |
f sus.base64Decode 0 0x10002d4b | |
f sus.base64Encode 0 0x10002d8f
#!/usr/bin/python | |
import sys | |
import binascii | |
import struct | |
# Presumably collects the decoded bytes — confirm against the loop below.
# NOTE(review): the name shadows the stdlib `array` module; make sure nothing in this script imports it.
array = [] | |
# Hard-coded XOR key (10 bytes); presumably applied cyclically over the ciphertext — confirm
xorKey = [0x2d, 0x30, 0x71, 0x1b, 0x07, 0x0f, 0x43, 0x2d, 0x56, 0x2a] | |
# Sample encrypted string