@av-gantimurov
Created December 4, 2020 06:47
Decrypted strings for AgentTesla sample 5eed7c82d9bfdc607a8aabbf5eacd72c (sample hash as given by the author; 32 hex characters, i.e. MD5-length — verify against your own copy of the sample before using it as an indicator)
Found namespace 'A2135806-43C6-4A7D-80DD-C322D5C9F2B5'
Found class '5C3A5EFF-0EBA-40BD-AA04-F848E6988197'
Found 788 crypted strings
Found crypted array with 11982 bytes
Decrypted 788 strings
Extracted 788 strings
''
'\x00'
'\x00\x00\x00'
'\x02'
'\x03'
'\tINTEGER '
'\tOBJECTIDENTIFIER '
'\tOCTETSTRING '
'\n'
'\r'
'\r\n'
'\r\n\r\n'
'\r\n--'
'\r\n.\r\n'
'\r\nHost: '
' '
' -convert xml1 -s -o "'
' 1.85 (Hash, version 2, native byte-order)'
' <b>]</b> <font color="#000000">('
' MB'
' Recovered!'
'"'
'"encrypted_key":"(.*?)"'
'##BICxUw'
'%2B'
'%PostURL%'
'%ProgramW6432%'
'%chatid%'
'%ftphost%/'
'%ftppassword%'
'%ftpuser%'
'%hash%'
'%insregname%'
'%startupfolder%'
'%tordir%'
'%torpass%'
'%urlkey%'
'&'
'&H'
'&amp;'
'&gt;'
'&lt;'
'&quot;'
'('
')'
')</font></font>'
'*'
'+'
'+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
','
'-'
'--\r\n'
'---'
'---------------------------'
'-f '
'.'
'.*"password":"(.*?)"'
'.*"username":"(.*?)"'
'.dll'
'.html'
'.jpeg'
'.tmp'
'.zip'
'/'
"//setting[@name='Password']/value"
"//setting[@name='Username']/value"
'/log.tmp'
'00000000-0000-0000-0000-000000000000'
'00000002'
'00061561'
'10'
'11'
'12'
'127.0.0.1'
'13'
'14'
'144f8421-6371-4d06-be61-dc5d4874655a'
'15'
'154E23D0-C644-4E6F-8CE6-5069272F999F'
'16:'
'20'
'200 Connection established\r\nProxy-Agent: HToS5x\r\n\r\n'
'22'
'250'
'2F1A6504-0641-44CF-8BB5-3612D865F2E5'
'2a864886f70d010c050103'
'2a864886f70d0209'
'360 Browser'
'360Chrome\\Chrome\\User Data'
'3C886FF3-2669-4AA2-A8FB-3F6759A77548'
'3CCD5499-87A8-4B10-A215-608888DD3B55'
'3E0E35BE-1B77-43E7-B873-AED901B6275B'
'401\r\n\r\n'
'4BF4C442-9B8A-41A0-B380-DD4A704DDB28'
'500 '
'502 '
'5A'
'6d1e8a12-f1b2-4eda-a8f0-269ad7759a94'
'71'
'72905C47-F4FD-4CF7-A489-4E8121A155BD'
'77BC582B-F0A6-4E15-4E80-61736B6F3B29'
'7Star'
'7Star\\7Star\\User Data'
':'
': '
':Zone.Identifier'
';'
';Anonymous='
';Password='
';Port='
';Server='
';User='
'<'
'</Host>'
'</Name>'
'</Pass>'
'</Password>'
'</Port>'
'</User>'
'</b>'
'</data>'
'</font>'
'</html>'
'</name>'
'</password>'
'</protocol>'
'</server_ip>'
'</server_port>'
'</server_user_name>'
'</server_user_password>'
'</string>'
'<Host>'
'<Name>'
'<Pass encoding="base64">'
'<Pass>'
'<Password>'
'<Port>'
'<Server>'
'<User>'
'<a.+?href\\s*=\\s*(["\'])(?<href>.+?)\\1[^>]*>'
'<account>'
'<array>'
'<br>'
'<data>'
'<dict>'
'<font color="#00b1ba"><b>[ '
'<font color="#00ba66">&darr;</font>'
'<font color="#00ba66">&larr;</font>'
'<font color="#00ba66">&rarr;</font>'
'<font color="#00ba66">&uarr;</font>'
'<font color="#00ba66">{ALT+F4}</font>'
'<font color="#00ba66">{ALT+TAB}</font>'
'<font color="#00ba66">{BACK}</font>'
'<font color="#00ba66">{CAPSLOCK}</font>'
'<font color="#00ba66">{CTRL}</font>'
'<font color="#00ba66">{DEL}</font>'
'<font color="#00ba66">{END}</font>'
'<font color="#00ba66">{ENTER}</font>'
'<font color="#00ba66">{ESC}</font>'
'<font color="#00ba66">{F10}</font>'
'<font color="#00ba66">{F11}</font>'
'<font color="#00ba66">{F12}</font>'
'<font color="#00ba66">{F1}</font>'
'<font color="#00ba66">{F2}</font>'
'<font color="#00ba66">{F3}</font>'
'<font color="#00ba66">{F4}</font>'
'<font color="#00ba66">{F5}</font>'
'<font color="#00ba66">{F6}</font>'
'<font color="#00ba66">{F7}</font>'
'<font color="#00ba66">{F8}</font>'
'<font color="#00ba66">{F9}</font>'
'<font color="#00ba66">{HOME}</font>'
'<font color="#00ba66">{Insert}</font>'
'<font color="#00ba66">{NumLock}</font>'
'<font color="#00ba66">{PageDown}</font>'
'<font color="#00ba66">{PageUp}</font>'
'<font color="#00ba66">{TAB}</font>'
'<font color="#00ba66">{Win}</font>'
'<hr>'
'<html>'
'<name>'
'<password>'
'<protocol>'
'<server>'
'<server_ip>'
'<server_port>'
'<server_user_name>'
'<server_user_password>'
'<string>'
'='
'>'
'A'
'ABCDEF'
'AES'
'ALLUSERSPROFILE'
'APPDATA'
'AUTHENTICATE "%torpass%"'
'Account'
'AccountConfiguration'
'AccountConfiguration+accountName'
'AccountConfiguration+password'
'AccountConfiguration+username'
'Accounts'
'Add'
'All Users'
'Amigo'
'Amigo\\User Data'
'Application:'
'Application: '
'Arguments'
'AuthTagLength'
'AvoidDiskWrites 1\r\nLog notice stdout\r\nDormantCanceledByStartup 1\r\nControlPort 9051\r\nCookieAuthentication 1\r\nrunasdaemon 1\r\nExtORPort auto\r\nhashedcontrolpassword %hash%\r\nDataDirectory %tordir%\\Data\\Tor\r\nGeoIPFile %tordir%\\Data\\Tor\\geoip\r\nGeoIPv6File %tordir%\\Data\\Tor\\geoip6\r\n'
'B'
'Backend=([A-z0-9\\/\\.-]+)'
'Becky!'
'Berkelet DB'
'BlackHawk'
'Bootstrapped 100%'
'Brave'
'Brave Browser'
'BraveSoftware\\Brave-Browser\\User Data'
'C'
'CO'
'CONNECTION'
'CO_'
'CPU: '
'CatalinaGroup\\Citrio\\User Data'
'CentBrowser'
'CentBrowser\\User Data'
'ChainingMode'
'ChainingModeGCM'
'Chedot'
'Chedot\\User Data'
'Chrome'
'Chromium'
'Chromium\\User Data'
'Citrio'
'ClawsMail'
'Close'
'CocCoc'
'CocCoc\\Browser\\User Data'
'Coccoc'
'Comodo Dragon'
'Comodo\\Dragon\\User Data'
'ComputeHash'
'Computer Name: '
'Connect'
'Contains'
'Content-Disposition: form-data; name="{0}"\r\n\r\n{1}'
'Content-Disposition: form-data; name="{0}"; filename="{1}"\r\nContent-Type: {2}\r\n\r\n'
'ControlPassword'
'Cookie'
'Cookies'
'Cool Novo'
'CoolNovo'
'Coowon'
'Coowon\\Coowon\\User Data'
'Copied Text: '
'Copy'
'CopyTo'
'CoreFTP'
'CreateDecryptor'
'CreateNoWindow'
'CyberFox'
'D'
'Data'
'DataDir'
'DecryptTripleDes'
'Dispose'
'DynDNS'
'DynDNS\\Updater\\config.dyndns'
'E'
'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC'
'Edge Chromium'
'Elements Browser'
'Elements Browser\\User Data'
'Email'
'EmailAddress'
'EncPassword'
'EncryptedPassword'
'EndOfStream'
'EndsWith'
'Epic Privacy'
'Epic Privacy Browser'
'Epic Privacy Browser\\User Data'
'Eudora'
'Executable'
'ExtractFile'
'F'
'FTP Navigator'
'FTPCommander'
'FTPGetter'
'Falkon Browser'
'False'
'Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer'
'FileName'
'FileZilla'
'Firefox'
'FlashFXP'
'Flock'
'Flock Browser'
'Folder.lst'
'Foxmail'
'FoxmailPath'
'Fragment'
'GET'
'GetBytes'
'GuidMasterKey'
'HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites'
'HKEY_CURRENT_USER\\SOFTWARE\\Vitalwerks\\DUC'
'HKEY_CURRENT_USER\\Software\\Aerofox\\FoxmailPreview'
'HKEY_CURRENT_USER\\Software\\Aerofox\\Foxmail\\V3.1'
'HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites\\'
'HKEY_CURRENT_USER\\Software\\Paltalk\\'
'HKEY_CURRENT_USER\\Software\\Qualcomm\\Eudora\\CommandLine'
'HKEY_CURRENT_USER\\Software\\RimArts\\B2\\Settings'
'HKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC'
'HOST'
'HTTP Password'
'HTTP/1.1 '
'Hash'
'Host'
'HostName'
'Hostname'
'IE/Edge'
'IMAP Password'
"INSERT INTO CONFIG VALUES('AccountController','"
'IP Address: '
'IP='
'IPEnabled'
'IV'
'IceCat'
'IceDragon'
'Id'
'IncomingServer'
'IndexOf'
'InnerText'
'InstancesOf'
'Internet Download Manager'
'Iridium Browser'
'Iridium\\User Data'
'IterationCount'
'JDownloader'
'K-Meleon'
'KEEP-ALIVE'
'KL'
'KL_'
'Key'
'KeyDataBlob'
'Kometa'
'Kometa\\User Data'
'Length'
'Liebao Browser'
'Load'
'Log'
'Login Data'
'MM/dd/yyyy HH:mm:ss'
'MacAddress'
'MailAddress'
'MailClient.Accounts.ArchivingScope'
'MailClient.Accounts.CredentialsModelTypes'
'MailClient.Accounts.Mail.MailAccountConfiguration'
'MailClient.Accounts.TlsType'
'MailClient.Mail.MailAddress'
'MailClient.Protocols.Smtp.SmtpAccountConfiguration'
'Mailbird'
'Major'
'MapleStudio\\ChromePlus\\User Data'
'Microsoft Primitive Provider'
'Minor'
'Mode'
'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0'
'MySQL Workbench'
'NO-IP'
'Name'
'Name='
'New '
'No Password'
'None'
'NordVPN'
'NordVPN directory not found!'
'NordVpn.exe*'
'OK'
'OSFullName'
'OSFullName: '
'ObjectLength'
'Open VPN'
'Opera'
'Opera Browser'
'Opera Mail'
'Opera Software\\Opera Stable'
'Orbitum'
'Orbitum\\User Data'
'Outlook'
'POP3 Password'
'POP3Host'
'POP3Password'
'POPPass'
'POST'
'PROXY-AUTHENTICATE'
'PROXY-AUTHORIZATION'
'PW'
'PWD'
'PWD='
'PW_'
'Padding'
'PaleMoon'
'Paltalk'
'PassWd'
'Password'
'Password:'
'Password: '
'PasswordViewOnly'
'Path=([A-z0-9\\/\\.\\-]+)'
'PathAndQuery'
'Pidgin'
'PocoMail'
'PopPassword'
'Port'
'PortNumber'
'Postbox'
'Private Internet Access'
'Private Internet Access\\data'
'Profile'
'ProgramFiles'
'ProgramFiles(x86)'
'Programfiles(x86)'
'Psi/Psi+'
'PublicKeyFile'
'QIP Surf'
'QIP Surf\\User Data'
'QQ Browser'
'RAM: '
'Read'
'ReadLine'
'RealVNC 3.x'
'RealVNC 4.x'
'RedirectStandardOutput'
'RegRead'
'Replace'
'ReturnAddress'
'SC'
'SC_'
'SELECT * FROM Win32_Processor'
'SEQUENCE {'
'SIGNAL NEWNYM'
'SMTP'
'SMTP Password'
'SMTP Server'
'SMTPHost'
'SMTPPass'
'SMTPServer'
'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run'
'SOFTWARE\\RealVNC\\WinVNC4'
'SOFTWARE\\RealVNC\\vncserver'
'SOFTWARE\\Wow6432Node\\RealVNC\\WinVNC4'
'SOFTWARE\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions'
'SRWare Iron'
'STOR'
'Safari Browser'
'SavePasswordText'
'SchemaId'
'Screenshot'
'SeaMonkey'
'SelectSingleNode'
'SenderIdentities'
'SerialNumber'
'Server'
'Server_Host'
'Settings'
'Sleipnir 6'
'SmartFTP'
'SmtpPassword'
'SmtpServer'
'Software\\DownloadManager\\Passwords\\'
'Software\\IncrediMail\\Identities\\'
'Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
'Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
'Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676'
'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676'
'Software\\Microsoft\\Windows\\CurrentVersion\\Run'
'Software\\ORL\\WinVNC3'
'Software\\OpenVPN-GUI\\configs'
'Software\\OpenVPN-GUI\\configs\\'
'Software\\Paltalk'
'Software\\TigerVNC\\Server'
'Software\\TightVNC\\Server'
'Sputnik'
'Sputnik\\Sputnik\\User Data'
'StandardOutput'
'Start'
'StartInfo'
'Substring'
'System'
'SystemDrive'
'TE'
'TRAILER'
'TRANSFER-ENCODING'
'Tencent\\QQBrowser\\User Data'
'TheBat'
'Thunderbird'
'TigerVNC'
'TightVNC'
'TightVNC ControlPassword'
'Time: '
'Tor'
'Torch Browser'
'Torch\\User Data'
'TransformBlock'
'TransformFinalBlock'
'Trillian'
'Trim'
'TrimEnd'
'TrimStart'
'True'
'Type'
'UC Browser'
'UCBrowser\\'
'UID'
'UNIQUE'
'UPGRADE'
'URL:'
'URL: '
'USERPROFILE'
'USERname'
'UltraVNC'
'Unknow database format'
'Unknown'
'Uran'
'UseShellExecute'
'User'
'User Name'
'User Name: '
'UserName'
'Username'
'Username:'
'Username: '
'Value'
'Version'
'Version=4.0.0.0'
'Vivaldi'
'Vivaldi\\User Data'
'W'
'WS_FTP'
'WScript.Shell'
'WaterFox'
'Web Credentials'
'Win32_BaseBoard'
'Win32_NetworkAdapterConfiguration'
'WinMgmts:'
'WinSCP'
'Windows Credential Picker Protector'
'Windows Credentials'
'Windows Domain Certificate Credential'
'Windows Domain Password Credential'
'Windows Extended Credential'
'Windows RDP'
'Windows Secure Note'
'Windows Web Password Credential'
'Wr'
'Write'
'Yandex'
'Yandex Browser'
'Yandex\\YandexBrowser\\User Data'
'['
'[PRIVATE KEY LOCATION: "{0}"]'
'[^\\u0020-\\u007F]'
'\\'
'\\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"'
'\\%insfolder%\\'
'\\%insfolder%\\%insname%'
'\\.purple\\accounts.xml'
'\\360Chrome\\Chrome\\User Data'
'\\8pecxstudios\\Cyberfox\\'
'\\Account.CFN'
'\\Account.stg'
'\\Accounts\\Account.rec0'
'\\Accounts_New'
'\\Apple Computer\\Preferences\\keychain.plist'
'\\Claws-mail'
'\\Common Files\\Apple\\Apple Application Support\\plutil.exe'
'\\Comodo\\IceDragon\\'
'\\CoreFTP\\sites.idx'
'\\Data\\Tor\\torrc'
'\\Default\\'
'\\Default\\EncryptedStorage'
'\\Default\\Login Data'
'\\EncryptedStorage'
'\\FTP Navigator\\Ftplist.txt'
'\\FTPGetter\\servers.xml'
'\\FileZilla\\recentservers.xml'
'\\FlashFXP\\3quick.dat'
'\\Flock\\Browser\\'
'\\Google\\Chrome\\User Data'
'\\Google\\Chrome\\User Data\\'
'\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini'
'\\Iridium\\User Data'
'\\K-Meleon\\'
'\\Local State'
'\\Login Data'
'\\Mailbird\\Store\\Store.db'
'\\Mailbox.ini'
'\\Microsoft\\Credentials\\'
'\\Microsoft\\Edge\\User Data'
'\\Microsoft\\Protect\\'
'\\Moonchild Productions\\Pale Moon\\'
'\\Mozilla\\Firefox\\'
'\\Mozilla\\SeaMonkey\\'
'\\Mozilla\\icecat\\'
'\\MySQL\\Workbench\\workbench_user_data.dat'
'\\NETGATE Technologies\\BlackHawk\\'
'\\OpenVPN\\config\\'
'\\Opera Mail\\Opera Mail\\wand.dat'
'\\Pocomail\\accounts.ini'
'\\Postbox\\'
'\\Private Internet Access\\data'
'\\Psi+\\profiles'
'\\Psi\\profiles'
'\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\'
'\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\*.xml'
'\\Storage\\'
'\\The Bat!'
'\\Thunderbird\\'
'\\Tor\\tor.exe'
'\\Trillian\\users\\global\\accounts.dat'
'\\UltraVNC\\ultravnc.ini'
'\\VirtualStore\\Program Files (x86)\\Foxmail\\mail\\'
'\\VirtualStore\\Program Files\\Foxmail\\mail\\'
'\\Waterfox\\'
'\\\\'
'\\account.json'
'\\accountrc'
'\\accounts.xml'
'\\browsedata.db'
'\\cftp\\Ftplist.txt'
'\\clawsrc'
'\\eM Client'
'\\falkon\\profiles\\'
'\\fixed_keychain.xml" '
'\\jDownloader\\config\\database.script'
'\\jjR'
'\\mail\\'
'\\passwordstorerc'
'\\settings.ini'
'\\tmpG'
'\\tor.zip'
'\\uvnc bvba\\UltraVNC\\ultravnc.ini'
']'
'_'
'a102'
'a11'
"abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=\r\n "
'account'
'address'
'appdata'
'application/x-www-form-urlencoded'
'application/zip'
'auth-data'
'autofill'
'blob'
'blob0'
'c677820a-78cf-4079-9c20-8e5144d84b6e'
'caption'
'category'
'chat_id'
'chrome'
'control'
'cookies.sqlite'
'created='
'credential'
'current'
'document'
'eM Client'
'eM Client\\accounts.dat'
'encryptedPassword'
'encryptedUsername'
'entries'
'entropy'
'ftp'
'g'
'global-salt'
'host'
'hostname'
'href'
'http://127.0.0.1:'
'http://DynDns.com'
'http://unhnbF.com'
'https://api.ipify.org'
'https://api.telegram.org/bot%telegramapi%/sendDocument'
'https://www.theonionrouter.com/dist.torproject.org/torbrowser/'
'https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip'
'id'
'image/jpeg'
'image/jpg'
'incredimail'
'info'
'item1'
'item2'
'jid'
'journal'
'[email protected]'
'key3.db'
'key4.db'
'liebao\\User Data'
'logins'
'logins.json'
'mail.tereza.sk'
'master_passphrase_pbkdf2_rounds=(.+)'
'master_passphrase_salt=(.+)'
'metaData'
'moz_logins'
'mscorlib'
'multipart/form-data; boundary='
'n'
'name'
'nssPrivate'
'o6806642kbM7c5'
'objects'
'opera:'
'origin_url'
'p='
'pAuthenticatorElement'
'pIdentityElement'
'pPackageSid'
'pResourceElement'
'pass='
'passkey0'
'passwd'
'passwd2'
'password'
'password-check'
'password='
'password_value'
'policy'
'port='
'processorID'
'profiles.ini'
'programfiles'
'programfiles(x86)'
'providerNam'
'pwd'
'rdg'
'remote '
'sha256'
'sha512'
'signons.sqlite'
'signons3.txt'
'smtp'
'smtp_server'
'sq'
'startProfile="([A-z0-9\\/\\.]+)"'
'startProfile=([A-z0-9\\/\\.]+)'
'str2'
'str3'
't'
't6KzXhCh'
'table'
'text/html'
'tor'
'tor-win32-'
'uCozMedia'
'uCozMedia\\Uran\\User Data'
'uninstall'
'use_master_passphrase=(.+)'
'user.config'
'user='
'username'
'username='
'username_value'
'v10'
'v11'
'version=2.0.0.0'
'webpanel'
'win32_processor'
'wow_logins'
'x'
'x2'
'xt'
'yyyy-MM-dd HH:mm:ss'
'yyyy-MM-dd hh-mm-ss'
'yyyy_MM_dd_HH_mm_ss'
'zzz'
'{(.*),(.*)}(.*)'
'{0:X2}'
'{0}'
'{{{0}}}'
'}'