usualsuspect
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Used in custom import table to lookup APIs via hash instead of name | |
| # | |
| def hash_str64(s): | |
| h = 0x1111111111111111 | |
| for i in range(len(s)): | |
| h = h*0xABFFF385ABFFF386 | |
| h &= 0xFFFFFFFFFFFFFFFF | |
| h += s[i] |
usualsuspect
/ pika_dns_cobaltstrike.txt
Created
November 29, 2023 15:04
https://twitter.com/Threatlabz/status/1729571130581934547
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - Hybrid HTTP DNS | |
| Port - 1 | |
| SleepTime - 5000 | |
| MaxGetSize - 2798028 | |
| Jitter - 45 | |
| MaxDNS - 247 | |
| PublicKey_MD5 - d94a9ed1b7edf342d1723b57a8485051 | |
| C2Server - dns.ionoslaba.com,/dev/coke/CQHL5IYQF | |
| UserAgent - Not Found | |
| HttpPostUri - Not Found |
usualsuspect
/ config.txt
Created
November 28, 2023 20:24
https://twitter.com/malwrhunterteam/status/1729559280292946394
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - Hybrid HTTP DNS | |
| Port - 1 | |
| SleepTime - 3000 | |
| MaxGetSize - 1048576 | |
| Jitter - 20 | |
| MaxDNS - 255 | |
| PublicKey_MD5 - 34aa5e72eba144f50c75d5ad3bb11d43 | |
| C2Server - ns1.data.microsoftdata.site,/ga.js,ns2.data.microsoftdata.site,/visit.js,ns3.data.microsoftdata.site,/IE9CompatViewList.xml,ns4.data.microsoftdata.site,/dpixel | |
| UserAgent - Not Found | |
| HttpPostUri - Not Found |
usualsuspect
/ config.txt
Created
November 23, 2023 13:30
"BreakPoint Software Inc." signed Cobalt Strike config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 45000 | |
| MaxGetSize - 2801745 | |
| Jitter - 37 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - 6b11b512dcbf5063bafcc82a0e1c2bc1 | |
| C2Server - www.tosoh.cloudns.ph,/jquery-3.3.1.min.js | |
| UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko | |
| HttpPostUri - /jquery-3.3.2.min.js |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 10000 | |
| MaxGetSize - 1398322 | |
| Jitter - 20 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - e516ca02d126b82ff30593ce45d9cba5 | |
| C2Server - 47.94.58.82,/api/v1/server/user/info | |
| UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 | |
| HttpPostUri - /api/v1/server/log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # | |
| # String decryption for unknown malware | |
| # | |
| # Author: @jaydinbas (2023-05-02) | |
| # | |
| # Reference sample: | |
| # | |
| # https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234 | |
| # |
usualsuspect
/ config.txt
Created
April 12, 2023 10:28
ShanghaiTrafficEngineeringSocietyCross-straitUrbanTransportationAcademicSeminar.zip
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 3000 | |
| MaxGetSize - 2097167 | |
| Jitter - 7 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - cb1063db5f2d3c4b16f03fcaa7bcc6cd | |
| C2Server - service-iwp4bo93-1308858055.bj.apigw.tencentcs.com,/jquery/2.0.1/jquery | |
| UserAgent - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM) | |
| HttpPostUri - /jquery/2.0.2/jquery |
usualsuspect
/ config.txt
Created
March 15, 2023 10:08
Cobalt Strike in ms_KB5023921_x64_install.iso
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 30000 | |
| MaxGetSize - 4194310 | |
| Jitter - 90 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - bf11f0c194c8a14fad097015ca064e80 | |
| C2Server - fc01np5u7i.execute-api.us-east-1.amazonaws.com,/api/v2/json/cluster/tasks | |
| UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4501.0 Safari/537.36 Edg/91.0.866.0 | |
| HttpPostUri - /1295648064/storage/tabs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 165000 | |
| MaxGetSize - 2097223 | |
| Jitter - 77 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - 59c484f9028a06073eb133568ef23de1 | |
| C2Server - content.api.nytimes.com,/caa09abd7511/XNc549Rf1p3VXb6h2g8q9ey6pp,csp.nytimes.com,/caa09abd7511/eXlTjaR3heoufbSNC-H4EJbCnOqpn | |
| UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 | |
| HttpPostUri - /921d522938b2/GmFoRGmqwNIbBmPUEKtJE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BeaconType - HTTPS | |
| Port - 443 | |
| SleepTime - 60000 | |
| MaxGetSize - 1398104 | |
| Jitter - 30 | |
| MaxDNS - Not Found | |
| PublicKey_MD5 - 4dbaa2821fcfa995554ad7612a869a6d | |
| C2Server - exdiy.com,/web/portal | |
| UserAgent - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 | |
| HttpPostUri - /logon/index.php |
NewerOlder