Full Code of SEKOIA-IO/Community for AI

Repository: SEKOIA-IO/Community
Branch: main
Commit: dbaed6680107
Files: 1016
Total size: 47.2 MB
Tokens: 7.8M

Directory structure:
Community/
├── Configuration_extractors/
│   ├── ChaosRat.py
│   ├── ConnectBack.py
│   ├── Ddostf.py
│   ├── Gafgyt.py
│   ├── Njrat.py
│   ├── QuasarRAT.py
│   ├── README.md
│   ├── SNOWLIGHT.py
│   ├── TShVariant.py
│   ├── XWorm.py
│   ├── XenoRAT.py
│   ├── kaiji.py
│   └── requirements.txt
├── IOCs/
│   ├── 8220Gang/
│   │   └── 8220_Gang_iocs_20242409.csv
│   ├── CVE-2023-46805_CVE-2024-21887/
│   │   └── Ivanti_iocs_20240124.csv
│   ├── DDoSia/
│   │   └── 20240229_DDoSia_IOC.csv
│   ├── DarkGate/
│   │   └── scripts/
│   │       ├── AV_checked.txt
│   │       ├── DarkGate-C2-communication-deobfuscator.py
│   │       └── action-id-documentations.md
│   ├── DiceLoader/
│   │   └── scripts/
│   │       ├── ReflectiveDLLInjection.h
│   │       ├── extractor.py
│   │       └── fake_c2_tcp_server.py
│   ├── Doppelgänger/
│   │   └── DoppelGänger-observables.csv
│   ├── I2PRAT/
│   │   ├── I2PRAT_iocs_20250211.csv
│   │   └── scripts/
│   │       ├── ida_hashes_extraction.py
│   │       └── resolve_hashes.py
│   ├── Interlock/
│   │   ├── interlock.yar
│   │   └── interlock_IOCs.txt
│   ├── Lycantrox/
│   │   ├── Lycantrox_domains_high_confidence.txt
│   │   └── Lycantrox_domains_medium_confidence.txt
│   ├── MuddyWater/
│   │   └── yara/
│   │       ├── apt_MuddyWater_MuddyRot_strings.yar
│   │       └── apt_MuddyWater_malicious_pdf.yar
│   ├── README.md
│   ├── ScatteredSpider/
│   │   └── 20240220_ScatteredSpider_IOC.csv
│   ├── acrstealer/
│   │   ├── acrstealer_iocs_20240429.md
│   │   └── infostealer_acrstealer_apr24.yar
│   ├── activemq/
│   │   └── activemq_iocs_20231206.csv
│   ├── apt31/
│   │   ├── 2021-11-10 APT31 - STIX2.jsonl
│   │   ├── 2021-11-10 APT31 IOCs.csv
│   │   └── yara_rules/
│   │       ├── apt_misp_apt31_orb_2021.yar
│   │       └── unk_apt31_tsh_2021.yar
│   ├── aurora/
│   │   ├── aurora_iocs_20221121.csv
│   │   └── yara_rules/
│   │       └── infostealer_aurora.yar
│   ├── bananasulfate/
│   │   └── SEKOIAIO_Banana_Sulfate_infrastructure.csv
│   ├── bluefox/
│   │   ├── bluefox_iocs_20221102.csv
│   │   └── yara_rules/
│   │       └── infostealer_bluefox.yar
│   ├── calisto/
│   │   ├── Domains already known related to CALISTO.txt
│   │   ├── SSL Certificates SHA1, emails and IPs.csv
│   │   ├── calisto_infrastructure_20220622
│   │   └── calisto_infrastructure_20221205
│   ├── clearfake/
│   │   ├── clearfake_iocs_20231016.csv
│   │   ├── clearfake_iocs_20250318.csv
│   │   └── clearfake_malicious_script_content.md
│   ├── clickfix_fake_google_meet/
│   │   └── clickfix_fake_google_meet_iocs_20241017.csv
│   ├── compromised_chrome_extensions_dec24/
│   │   └── compromised_chrome_extensions_iocs_20250122.csv
│   ├── cs2nginx/
│   │   └── cs2nginx_C2.csv
│   ├── customerloader/
│   │   └── customerloader_iocs_20230712.csv
│   ├── emotet/
│   │   └── 2021-01-20_Emotet_Campaign.csv
│   ├── evilnum/
│   │   └── 20220721_EvilNum_domains_list.txt
│   ├── eviltokens/
│   │   ├── eviltokens_iocs_20260330.csv
│   │   └── yara_rules/
│   │       └── phishing_eviltokens_phishing_pages.yar
│   ├── fakebat/
│   │   ├── fakebat_iocs_20240702.csv
│   │   ├── loader_fakebat_initial_powershell_may24.yar
│   │   └── loader_fakebat_powershell_fingerprint_may24.yar
│   ├── gamaredon/
│   │   └── yara.yar
│   ├── global-analysis-aitm-phishing-threats/
│   │   ├── README.md
│   │   ├── cephas/
│   │   │   ├── 1_loading-page_beautified.html
│   │   │   ├── 2_phishing-page_decoded.html
│   │   │   ├── cephas-stripped.har
│   │   │   ├── cephas.har
│   │   │   └── urlscan_io.txt
│   │   ├── evilginx/
│   │   │   ├── 1_loading-page_reformatted.html
│   │   │   ├── evilginx-ywnjb-stripped.har
│   │   │   ├── evilginx-ywnjb.har
│   │   │   └── urlscan_io.txt
│   │   ├── evilproxy/
│   │   │   ├── 1_page.html
│   │   │   ├── 2.1_phishing-form_script1-deobfuscated.js
│   │   │   ├── 2.2_phishing-form_script2-deobfuscated.js
│   │   │   ├── 2_phishing-form.html
│   │   │   ├── evilproxy-stripped.har
│   │   │   ├── evilproxy.har
│   │   │   └── urlscan_io.txt
│   │   ├── gabagool/
│   │   │   ├── 1_captcha-page.html
│   │   │   ├── 2.1_loading-page_scripts-deobfuscated.js
│   │   │   ├── 2_loading-page.html
│   │   │   ├── 3_phishing-page_decoded.html
│   │   │   ├── gabagool-stripped.har
│   │   │   ├── gabagool.har
│   │   │   └── urlscan_io.txt
│   │   ├── greatness/
│   │   │   ├── 1.1_loading-page_decoded.html
│   │   │   ├── 1_loader-script_deobfuscated.js
│   │   │   ├── 2_captcha-page_rendered.html
│   │   │   ├── 3_phishing-page_deobfuscated.html
│   │   │   ├── greatness-stripped.har
│   │   │   ├── greatness.har
│   │   │   └── urlscan_io.txt
│   │   ├── mamba-2fa/
│   │   │   ├── 1_antibot-page.html
│   │   │   ├── 2_loader-page.html
│   │   │   ├── 3.1_phishing-page_rendered.html
│   │   │   ├── 3_phishing-page_deobfuscated.html
│   │   │   ├── mamba-2fa-stripped.har
│   │   │   ├── mamba-2fa.har
│   │   │   └── urlscan_io.txt
│   │   ├── nakedpages/
│   │   │   ├── 1_captcha-page.html
│   │   │   ├── 2_loading-page_beautified.html
│   │   │   ├── nakedpage-stripped.har
│   │   │   ├── nakedpage.har
│   │   │   └── urlscan_io.txt
│   │   ├── saiga-2fa/
│   │   │   └── urlscan_io.txt
│   │   ├── sneaky-2fa/
│   │   │   ├── 1_initial-page.html
│   │   │   ├── 2_captcha-page.html
│   │   │   ├── 3.1_autograb-page_script-deobfuscated.js
│   │   │   ├── 3_autograb-page.html
│   │   │   ├── 4_phishing-form.html
│   │   │   ├── sneaky-2fa-stripped.har
│   │   │   ├── sneaky-2fa.har
│   │   │   └── urlscan_io.txt
│   │   ├── storm-1167/
│   │   │   ├── 1_captcha-page.html
│   │   │   ├── 2.1_loading-page_decoded-skeleton.html
│   │   │   ├── 2.2_phishing-page_full-script-deobfuscated.js
│   │   │   ├── 2.3_phishing-page_script-stripped.js
│   │   │   ├── 2.4_phishing-page_rendered.html
│   │   │   ├── 2_loading-page.html
│   │   │   ├── storm-1167-stripped.har
│   │   │   ├── storm-1167.har
│   │   │   └── urlscan_io.txt
│   │   └── tycoon-2fa/
│   │       ├── 1.1_captcha-page_scripts-decoded.js
│   │       ├── 1_captcha-page.html
│   │       ├── 2.1_decoy-page_script-decoded.html
│   │       ├── 2_decoy-page.html
│   │       ├── 3_loading-page.html
│   │       ├── 4.1_phishing-form_script1-decoded.js
│   │       ├── 4.2_phishing-form_script2-deobfuscated.js
│   │       ├── 4_phishing-form.html
│   │       ├── tycoon-2fa-stripped.har
│   │       ├── tycoon-2fa.har
│   │       └── urlscan_io.txt
│   ├── hermeticwiper/
│   │   └── yara_rules/
│   │       └── wiper_HermeticWiper_variants.yar
│   ├── i_paid_twice/
│   │   └── i_paid_twice_iocs_20251106.csv
│   ├── iclickfix/
│   │   ├── iclickfix_iocs_20260129.csv
│   │   └── yara_rules/
│   │       ├── infrastructure_iclickfix_cluster_ic_tracker_html_lure.yar
│   │       ├── infrastructure_iclickfix_cluster_ic_tracker_js_javascript1.yar
│   │       ├── infrastructure_iclickfix_cluster_ic_tracker_js_javascript2.yar
│   │       └── infrastructure_iclickfix_cluster_ic_tracker_js_wordpress.yar
│   ├── infra_seo_crack_stealers/
│   │   └── infra_seo_crack_stealers_iocs_20230106.csv
│   ├── mallox/
│   │   └── mallox_purecrypter_iocs_20240513.csv
│   ├── marsstealer/
│   │   ├── mars_stealer_iocs_20220407.csv
│   │   └── yara_rules/
│   │       ├── infostealer_marsstealer_early_version.yar
│   │       ├── infostealer_marsstealer_llcppc.yar
│   │       └── infostealer_marsstealer_xor_routine.yar
│   ├── nobelium/
│   │   ├── 2022_01_06_C2 Nobelium.csv
│   │   ├── 2022_01_06_NOBELIUM_MD5
│   │   └── yara_rules/
│   │       ├── apt_nobelium_b64_to_Uint8Array.yar
│   │       ├── apt_nobelium_cs_loader_obfuscation.yar
│   │       ├── apt_nobelium_hta_in_iso.yar
│   │       ├── apt_nobelium_html_smuggling_iso.yar
│   │       ├── apt_nobelium_powsershell_reg_loader_decoded.yar
│   │       └── rule apt_nobelium_hta_reg_dropper.yar
│   ├── pikabot/
│   │   └── pikabot_iocs_20240603.csv
│   ├── privateloader/
│   │   └── 20220914_privateloader_IOC.csv
│   ├── qnapworm/
│   │   └── 20220704_QNAP_Worm_Infrastructure
│   ├── raccoonstealer/
│   │   └── raccoon_stealer_iocs_20220628.csv
│   ├── roamingmantis/
│   │   └── roaming_mantis_iocs_20220718.csv
│   ├── ryuk/
│   │   └── 2020-10-29 C2 Ryuk.csv
│   ├── sneaky2fa/
│   │   └── sneaky2fa_iocs_20250116.csv
│   ├── stealc/
│   │   ├── scripts/
│   │   │   ├── IDA_strings_deobfuscator.py
│   │   │   └── stealc_stealer_c2_extractor.py
│   │   ├── stealc_iocs_20230220.csv
│   │   ├── suricata_rules/
│   │   │   └── infostealer_stealc.rules
│   │   └── yara_rules/
│   │       ├── infostealer_stealc_behavior.yar
│   │       └── infostealer_stealc_standalone.yar
│   └── tycoon2fa/
│       └── tycoon2fa_iocs_20240325.csv
├── LICENSE.md
├── MaltegoTransforms/
│   ├── LICENSE.md
│   ├── README.md
│   ├── export.mtz
│   ├── requirements.txt
│   └── transforms/
│       ├── config.yaml
│       ├── libs/
│       │   ├── config.py
│       │   └── transform.py
│       ├── openwith.py
│       ├── virustotal-behaviour.py
│       └── virustotal.py
├── README.md
├── events/
│   ├── README.md
│   ├── lookups.json
│   └── smart-descriptions.json
├── playbooks/
│   └── templates/
│       ├── Alerts_Shodan_Enrichment.json
│       ├── CrowdSec_alert_enrichment.json
│       ├── Crowdstrike_dissemination.json
│       ├── DigitalShadows_SearchLight_fetch_alerts.json
│       ├── Enrich_alerts_with_AbuseIPDB.json
│       ├── Enrich_alerts_with_VirusTotal_Hash.json
│       ├── Enrich_alerts_with_hostnames.json
│       ├── Enrich_with_IKnow_What_You_Download.json
│       ├── HTTP_request_Remediation.json
│       ├── OSINT_to_observables.json
│       ├── Reject_old_alerts.json
│       ├── Shodan_search_to_observables.json
│       ├── Tranco_top_domains_to_observables.json
│       ├── URL_scan_VirusTotal_Enrichement.json
│       ├── VirusTotal_Enrichement.json
│       ├── add_destination_ips_to_ioc_collection.json
│       ├── add_domains_to_ioc_collection.json
│       ├── add_source_ips_to_ioc_collection.json
│       ├── alert_webhook_internet_scan.json
│       ├── cascade_alert_status_on_harfang.json
│       ├── create_alert_on_the_hive_automatic.json
│       ├── create_alert_on_the_hive_manual.json
│       ├── create_incident_on_cortex_xsoar.json
│       ├── create_jira_ticket_on_alert.json
│       ├── email_notification_on_alert_webhook.json
│       ├── forward_google_pubsub_events.json
│       ├── forward_panda_security_events.json
│       ├── forward_vadesecure_records.json
│       ├── get_additional_harfang_telemetry.json
│       ├── get_data_and_enrich_with_cloudflare.json
│       ├── imperva_waf_fetch_logs.json
│       ├── mattermost_notification_on_alert.json
│       ├── msteams_notification.json
│       ├── playbook_adware.json
│       ├── playbooks.json
│       ├── push_iocs_to_xsiam.json
│       ├── send_alert_to_nybble_hub.json
│       ├── slack_notification_on_alert.json
│       └── urgency_to_0_on_rejected.json
├── scripts/
│   ├── mars_stealer_c2_extractor.py
│   ├── raccoon_stealer_v2_c2_extrator.py
│   └── test_forwarder.bash
├── sigma_rules/
│   ├── README.md
│   ├── cloud/
│   │   ├── aws_ec2_enable_serial_console_access.yml
│   │   ├── aws_ec2_subnet_deleted.yml
│   │   ├── aws_iam_password_policy_updated.yml
│   │   ├── aws_route53_transfer_lock_disabled.yml
│   │   └── aws_s3_bucket_replication.yml
│   ├── host/
│   │   ├── attrib_hiding_files.yml
│   │   ├── correlation_html_smuggling.yml
│   │   ├── correlation_iso-lnk_chain.yml
│   │   ├── correlation_iso-lnk_infection_chain.yml
│   │   ├── correlation_lnk-hta_infection_chain.yml
│   │   ├── data_compressed_with_rar_with_password.yml
│   │   ├── disable_windows_defender.yml
│   │   ├── impacket_wmiexec.yml
│   │   ├── mdav_disable_base64_encoded.yml
│   │   ├── mdav_disable_base64_encoded_setmppreference.yml
│   │   ├── mdav_disable_services.yml
│   │   ├── mdav_signatures_removed_mpcmdrun.yml
│   │   ├── mdav_threat_detected.yml
│   │   ├── mshta_suspicious_child.yml
│   │   ├── non_legit_use_eula_parameter.yml
│   │   ├── powershell_amsi_bypass.yml
│   │   ├── powershell_amsi_deactivation_bypass_using_net_reflection.yml
│   │   ├── powershell_exchange_snapin_mailbox.yml
│   │   ├── powershell_suspicious_keywords.yml
│   │   ├── procdump_args.yml
│   │   ├── socks_tunneling_tool.yml
│   │   ├── win_powershell_load_regkey.yml
│   │   └── wmic_process_call_create.yml
│   └── network/
│       ├── dynamic_dns_domain.yml
│       └── email_suspicious_attachment_received.yml
└── yara_rules/
    ├── apt37_rokrat_macho.yar
    ├── apt_37_chinotto.yar
    ├── apt_3cx_payload_stealer.yar
    ├── apt_agent_racoon_strings.yar
    ├── apt_andariel_dorarat_strings.yar
    ├── apt_andariel_keylogger_strings.yar
    ├── apt_andariel_nestdoor_variants_strings.yar
    ├── apt_andariel_siennablue.yar
    ├── apt_apt10_hui_loader.yar
    ├── apt_apt28_document_phishing_webpage.yar
    ├── apt_apt28_htmlsmuggling.yar
    ├── apt_apt28_htmlsmuggling_disclosing_ip.yar
    ├── apt_apt28_powershell_ntlm_stealer.yar
    ├── apt_apt28_susp_graphite_downloader.yar
    ├── apt_apt28_ukrnet_phishing_page.yar
    ├── apt_apt28_wayzgoose_exploit_string.yar
    ├── apt_apt29_malicious_rdp_file.yar
    ├── apt_apt29_quarterrig.yar
    ├── apt_apt29_wineloader_malicious_hta.yar
    ├── apt_apt29_wineloader_malicious_pdf.yar
    ├── apt_apt31_pakdoor.yar
    ├── apt_apt31_rekoobe.yar
    ├── apt_apt33_falsefont.yar
    ├── apt_apt33_tickler.yar
    ├── apt_apt35_iisraid_strings.yar
    ├── apt_apt37_chinotto_powershell_variant.yar
    ├── apt_apt37_malicious_hta_file.yar
    ├── apt_apt41_javascript_dropper.yar
    ├── apt_apt41_keyplug_dropper.yar
    ├── apt_apt41_powershell_collection_script.yar
    ├── apt_apt41_powershell_exfiltration_script.yar
    ├── apt_apt_k_47_orpcbackdoor.yar
    ├── apt_apt_k_47_walkershell.yar
    ├── apt_aptc36_vbs_maldoc.yar
    ├── apt_aptc60_downloader_strings.yar
    ├── apt_aptk47_asyncshell.yar
    ├── apt_aptk47_maliciouslnk.yar
    ├── apt_aridviper_rustsysjoker.yar
    ├── apt_backdoordiplomaty_custommerlinagent_strings.yar
    ├── apt_backdoordiplomaty_phantomnet.yar
    ├── apt_badmagic_commonmagic_generic_1.yar
    ├── apt_badmagic_commonmagic_generic_2.yar
    ├── apt_badmagic_commonmagic_main.yar
    ├── apt_badmagic_commonmagic_screenshot_module.yar
    ├── apt_badmagic_commonmagic_usbstealer.yar
    ├── apt_badmagic_generic_pshscript.yar
    ├── apt_badmagic_installpzz_pshscript.yar
    ├── apt_badmagic_ld_dll_loader_pshscript.yar
    ├── apt_badmagic_listfiles_pshscript.yar
    ├── apt_badmagic_malicious_lnk.yar
    ├── apt_badmagic_modules.yar
    ├── apt_badmagic_reco_pshscript.yar
    ├── apt_badmagic_startngrok_pshscript.yar
    ├── apt_badmagic_startrevsocks_pshscript.yar
    ├── apt_blackwood_nspx30_plugin.yar
    ├── apt_boldmove_strings.yar
    ├── apt_buhtrap_maldocx.yar
    ├── apt_cerana_keeper_dropboxflop.yar
    ├── apt_cerana_keeper_yk0130.yar
    ├── apt_cloudatlas_init_module_virtualalloc.yar
    ├── apt_cloudatlas_powershower_clean.yar
    ├── apt_cloudatlas_powershower_module.yar
    ├── apt_cloudatlas_powershower_obfuscated.yar
    ├── apt_cloudatlas_powershower_variant.yar
    ├── apt_cloudatlas_powertunnel.yar
    ├── apt_cloudatlas_powertunnel_loader.yar
    ├── apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar
    ├── apt_cloudatlas_stagescalldllmainafterexec.yar
    ├── apt_cloudmensis_downloader_strings.yar
    ├── apt_cloudmensis_spyagent_strings.yar
    ├── apt_coathanger_beacon.yar
    ├── apt_coathanger_files.yar
    ├── apt_cottonsandstorm_win_implant.yar
    ├── apt_dark_pink_pdb_path.yar
    ├── apt_darkpink_kamikakabot_strings.yar
    ├── apt_darkpink_loader_decryptionroutine.yar
    ├── apt_darkpink_sample.yar
    ├── apt_emberbear_credpump_strings.yar
    ├── apt_emissarypanda_sysupdate_removing_tool.yar
    ├── apt_emissarypanda_web_auto_attack_tool.yar
    ├── apt_evasive_panda_downloader_certificate_exe.yar
    ├── apt_evasive_panda_rphost_dll.yar
    ├── apt_flightnight_malicious_lnk.yar
    ├── apt_gamaredon_ddrdoh_powershell_backdoor.yar
    ├── apt_gamaredon_ddrdoh_vbs_downloader.yar
    ├── apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar
    ├── apt_gamaredon_doc_external_template.yar
    ├── apt_gamaredon_flash_infostealer.yar
    ├── apt_gamaredon_gamaredon_lnk_usb_spreader.yar
    ├── apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar
    ├── apt_gamaredon_gammaload_malicioushta.yar
    ├── apt_gamaredon_gammaload_maliciouslnk.yar
    ├── apt_gamaredon_getlogicaldrive_hunting.yar
    ├── apt_gamaredon_htmlsmuggling_2024.yar
    ├── apt_gamaredon_htmlsmuggling_attachment.yar
    ├── apt_gamaredon_htmlsmuggling_attachment_stage2.yar
    ├── apt_gamaredon_lnk.yar
    ├── apt_gamaredon_lnk_spreader.yar
    ├── apt_gamaredon_lnks_farl139_hostname.yar
    ├── apt_gamaredon_powerrevshell.yar
    ├── apt_gamaredon_stealer_obfuscation_1.yar
    ├── apt_gamaredon_stealer_obfuscation_2.yar
    ├── apt_gamaredon_subtle_paws.yar
    ├── apt_gamaredon_vbs_downloader.yar
    ├── apt_gelsemium_firewood_backdoor.yar
    ├── apt_gelsemium_wolfsbane_backdoor.yar
    ├── apt_gelsemium_wolfsbane_launcher.yar
    ├── apt_gelsemium_wolfsbane_rootkit.yar
    ├── apt_globalshadow.yar
    ├── apt_gobrat_2.yar
    ├── apt_granitetyphoon_pingpulllinux_strings.yar
    ├── apt_granitetyphoon_sword2023_strings.yar
    ├── apt_icepeony_icecache.yar
    ├── apt_icepeony_iceevent.yar
    ├── apt_implant_xdealer_linux_variant_strings.yar
    ├── apt_implant_xdealer_stealer_strings.yar
    ├── apt_implant_xdealer_strings.yar
    ├── apt_implant_xdealer_vbs_launcher_strings.yar
    ├── apt_ir_sugarush_implant.yar
    ├── apt_ivanti_krustyloader.yar
    ├── apt_kimsuky_fpspy.yar
    ├── apt_kimsuky_klogexe.yar
    ├── apt_kimsuky_malicious_gotopwsh_lnk.yar
    ├── apt_kimsuky_malicious_vba.yar
    ├── apt_kimsuky_powershell.yar
    ├── apt_kimsuky_powershell_dropper_strings.yar
    ├── apt_kimsuky_sharpext_compromised_securepreferences.yar
    ├── apt_kimsuky_sharpext_devps1_strings.yar
    ├── apt_kimsuky_sharpext_devtoolmodule_strings.yar
    ├── apt_kimsuky_sharpext_jsexfil_strings.yar
    ├── apt_kimsuky_sharptongue_c2_source.yar
    ├── apt_kimsuky_sharptongue_strings.yar
    ├── apt_kimsuky_sharptongue_vbslauncher_strings.yar
    ├── apt_kimsuky_toddlershark_obfuscated.yar
    ├── apt_kimsuky_toddlershark_strings.yar
    ├── apt_kimsuky_validator_strings.yar
    ├── apt_kimsuky_vbs.yar
    ├── apt_kimsuky_vbs_powershell_downloader.yar
    ├── apt_konni.yar
    ├── apt_konni_check_bat.yar
    ├── apt_konni_dropper.yar
    ├── apt_lazarus_backdoored_jslib.yar
    ├── apt_lazarus_blindingcan_rtti.yar
    ├── apt_lazarus_dangerouspassword_lnk.yar
    ├── apt_lazarus_dll_c2_comms.yar
    ├── apt_lazarus_gopuram_backdoor.yar
    ├── apt_lazarus_lambload_timecheck.yar
    ├── apt_lazarus_pondrat.yar
    ├── apt_lazarus_vhd_ransomware_downloader.yar
    ├── apt_lazarus_vhd_ransomware_loader.yar
    ├── apt_luckymouse_compromised_electronapp.yar
    ├── apt_luckymouse_rshell_strings.yar
    ├── apt_luckymouse_rshell_strings_all_platform.yar
    ├── apt_luckymouse_sysupdate_removing_tool.yar
    ├── apt_malware_pocoproxy.yar
    ├── apt_menupass_maliciouslibvlc_dll.yar
    ├── apt_micdown_encrypted_configuration.yar
    ├── apt_muddywater_manifestation_backdoor.yar
    ├── apt_muddywater_manifestation_backdoor_obfuscated.yar
    ├── apt_muddywater_moriagent.yar
    ├── apt_muddywater_muddyc2go_dll_launcher_strings.yar
    ├── apt_muddywater_powershell_reverse_secure_proxy.yar
    ├── apt_muddywater_powgoop_decode_loop.yar
    ├── apt_muddywater_powgoop_decoded.yar
    ├── apt_muddywater_powgoop_loader.yar
    ├── apt_muddywater_rotrot_strings.yar
    ├── apt_mustang_panda_nupakage.yar
    ├── apt_mustang_panda_toneins.yar
    ├── apt_mustang_panda_toneshell.yar
    ├── apt_mustangpanda_coolclient.yar
    ├── apt_mustangpanda_decrypt_payload.yar
    ├── apt_mustangpanda_downloader.yar
    ├── apt_mustangpanda_malicious_lnk_worm.yar
    ├── apt_mustangpanda_maliciousdll_loading_plugx_strings.yar
    ├── apt_mustangpanda_mqsttang_qmagent.yar
    ├── apt_mustangpanda_payload.yar
    ├── apt_mustangpanda_tinynote.yar
    ├── apt_mustangpanda_tonedrop.yar
    ├── apt_mustangpanda_windows_remoteshell.yar
    ├── apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar
    ├── apt_mustangpanda_xoreddll.yar
    ├── apt_mustangpanda_zpakage.yar
    ├── apt_nobelium_acrobox_downloader_apr2022.yar
    ├── apt_nobelium_nativezone_gen.yar
    ├── apt_oilrig_clipog_strings.yar
    ├── apt_oilrig_maliciousdocument_may2022.yar
    ├── apt_oilrig_odagent_strings.yar
    ├── apt_oilrig_oilbooster_strings.yar
    ├── apt_oilrig_powerexchange.yar
    ├── apt_oilrig_saitama_backdoor_may2022.yar
    ├── apt_oilrig_saitama_backdoor_may2022_2.yar
    ├── apt_oilrig_sc5kv3_strings.yar
    ├── apt_oilrig_webshell.yar
    ├── apt_polonium_deepcreep_strings.yar
    ├── apt_polonium_megacreep_strings.yar
    ├── apt_polonium_powershell_creepydrive_strings.yar
    ├── apt_polonium_technocreep_strings.yar
    ├── apt_qnapworm_loader_may2022.yar
    ├── apt_queueseed.yar
    ├── apt_reaper_2fa_phishing_webpage.yar
    ├── apt_reaper_malicious_lnk.yar
    ├── apt_redhotel_maliciouslnk_strings.yar
    ├── apt_rusticweb_stealer.yar
    ├── apt_sandworm_awfulshred_obfuscation_apr2022.yar
    ├── apt_sandworm_caddywiper_stacked_strings.yar
    ├── apt_sandworm_notpetya_strings.yar
    ├── apt_sandworm_olympicdestroyer.yar
    ├── apt_sandworm_orcshred_apr2022.yar
    ├── apt_sandworm_powergap_apr2022.yar
    ├── apt_scanbox_framework_not_obfuscated.yar
    ├── apt_scanbox_obfuscated_versions.yar
    ├── apt_shadowpad_first_called_function.yar
    ├── apt_sidecopy_actionrat_packer_strings.yar
    ├── apt_sidecopy_cheex.yar
    ├── apt_sidecopy_malicious_macro.yar
    ├── apt_sidecopy_reverserat_strings.yar
    ├── apt_sofacy_graphitemalware_generic.yar
    ├── apt_spikedwine_malicious_hta.yar
    ├── apt_spikedwine_wineloader.yar
    ├── apt_spynote_android_dex_strings.yar
    ├── apt_stripedfly.yar
    ├── apt_sugardump_credentials_stealer_http.yar
    ├── apt_sugardump_credentials_stealer_smtp.yar
    ├── apt_sugargh0stcampaign_malicious_lnk.yar
    ├── apt_susp_apt28_uac0063_hatvibe.yar
    ├── apt_susp_apt28_uac0063_hta_loader.yar
    ├── apt_susp_apt28_uac0063_malicious_doc.yar
    ├── apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar
    ├── apt_susp_apt28_uac0063_malicious_doc_vba.yar
    ├── apt_susp_lazarus_dangerous_password.yar
    ├── apt_suspected_sandworm_sdelete_wiper.yar
    ├── apt_ta410_driver_keylogger.yar
    ├── apt_ta410_flowcloud_loader.yar
    ├── apt_ta410_flowcloud_rtti.yar
    ├── apt_ta428_tmanger_strings.yar
    ├── apt_tealkurma_snappytcp_reverse_shell_strings.yar
    ├── apt_tealkurma_snappytcp_strings.yar
    ├── apt_toddycat_toddybox_strings.yar
    ├── apt_toddycat_tomberbil_strings.yar
    ├── apt_toddycat_waexp_strings.yar
    ├── apt_toneshell_loader.yar
    ├── apt_toneshell_shellcode.yar
    ├── apt_tortoiseshell_imaploader.yar
    ├── apt_tortoiseshell_wateringhole_script.yar
    ├── apt_turla_comlook.yar
    ├── apt_turla_kazuar_variant_2023.yar
    ├── apt_uac0099_lonepage.yar
    ├── apt_uac0154_malicious_html_smuggling.yar
    ├── apt_uac0154_powershell_infection_chain_1.yar
    ├── apt_uac0154_powershell_infection_chain_2.yar
    ├── apt_unc3524_quietexit_strings.yar
    ├── apt_unc4990_emptyspace_pyc.yar
    ├── apt_unc4990_explorer_ps1.yar
    ├── apt_unc4990_explorer_ps1_reverse_b64.yar
    ├── apt_unk_batcopier_strings.yar
    ├── apt_unk_dex_china_freedom_trap_spyware.yar
    ├── apt_unk_hrserv_memory_commands_strings.yar
    ├── apt_unk_hrserv_webshell_strings.yar
    ├── apt_unk_malicious_lnk.yar
    ├── apt_unknown_sessionmanageriis_strings.yar
    ├── apt_uta0178_javascript_inclusion_strings.yar
    ├── apt_uta0218_upstyle_backdoor_strings.yar
    ├── apt_win_disabledefender.yar
    ├── apt_windows_wip19_screencap.yar
    ├── apt_yemen_apk_guardzoo.yar
    ├── backdoor_blueshell.yar
    ├── backdoor_lin_bifrost.yar
    ├── backdoor_lin_bpfdoor.yar
    ├── backdoor_lin_sysupdate.yar
    ├── backdoor_mul_sparkrat.yar
    ├── backdoor_mul_supershell_client.yar
    ├── backdoor_opensource_northstar_strings.yar
    ├── backdoor_oyster.yar
    ├── backdoor_powershellempire_batlauchers.yar
    ├── backdoor_powershellempire_csharp.yar
    ├── backdoor_powershellempire_gen.yar
    ├── backdoor_powershellempire_python.yar
    ├── backdoor_powershellempire_sharpire.yar
    ├── backdoor_sandman_strings.yar
    ├── backdoor_win_andardoor.yar
    ├── backdoor_win_blackrat.yar
    ├── backdoor_win_feedload.yar
    ├── backdoor_win_foresttiger.yar
    ├── backdoor_win_headertip.yar
    ├── backdoor_win_ketrum2.yar
    ├── backdoor_win_kimsuky.yar
    ├── backdoor_win_mgbot_main.yar
    ├── backdoor_win_minibike.yar
    ├── backdoor_win_minibus.yar
    ├── backdoor_win_nukesped_andariel.yar
    ├── backdoor_win_rokrat.yar
    ├── backdoor_win_rollsling.yar
    ├── backdoor_win_sidewinder_cobaltstrike_2022_09.yar
    ├── backdoor_win_spacecolon.yar
    ├── backdoor_win_sponsor.yar
    ├── backdoor_win_volgmer.yar
    ├── backdoor_win_warhawk.yar
    ├── backdoor_win_winordll64.yar
    ├── backdoor_xploitspy_strings.yar
    ├── backoor_win_gobear.yar
    ├── backoor_win_tinyturla_ng.yar
    ├── bot_lin_enemybot_april22.yar
    ├── bot_lin_kinsing_strings.yar
    ├── bot_lin_lucifer_strings.yar
    ├── bot_lin_xorddos_strings.yar
    ├── bot_lin_zerobot_dec22.yar
    ├── bot_win_yamabot.yar
    ├── botnet_lin_tsunami.yar
    ├── builder_win_royalroad_rtf.yar
    ├── bumblebee_loader.yar
    ├── bumblebee_vhd.yar
    ├── clipper_win_atlas_strings.yar
    ├── clipper_win_cryptoclippy.yar
    ├── clwiper_strings.yar
    ├── crime_sload_mainpowershellimplant.yar
    ├── crime_sload_powershellarchiveexfiltrator_strings.yar
    ├── crime_sload_scheduledtask_dropper_strings.yar
    ├── crime_sload_vbs_downloader_strings_1.yar
    ├── crime_sload_vbs_downloader_strings_2.yar
    ├── crime_sload_vbs_wsf_downloader.yar
    ├── crime_sload_zip_archives.yar
    ├── crimeware_njrat_strings.yar
    ├── crybercrime_prophetspider_proxy.yar
    ├── crypter_vbs_to_exe.yar
    ├── crypter_win_dotrunpex.yar
    ├── darkriver_encodedurl.yar
    ├── dotnet_injector_new_payload.yar
    ├── downloader_kimsuky_lnk.yar
    ├── downloader_mac_rustbucket.yar
    ├── downloader_mac_rustbucket_swiftloader.yar
    ├── downloader_mac_smooth_operator.yar
    ├── downloader_win_andarloader.yar
    ├── downloader_win_apt33_tickler.yar
    ├── downloader_win_cobianrat.yar
    ├── downloader_win_curl_agent.yar
    ├── downloader_win_donot.yar
    ├── downloader_win_fake_tor_browser.yar
    ├── downloader_win_newsterminal.yar
    ├── downloader_win_search.yar
    ├── dropper_mac_lazarus_manuscrypt.yar
    ├── dropper_win_konni_cab.yar
    ├── dropper_win_ninerat.yar
    ├── dropper_win_romcom_dropper.yar
    ├── dropper_win_selfau3.yar
    ├── emmenhtal_strings_hta_exe.yar
    ├── evilnumpayload_fmtstr.yar
    ├── exploit_cve20191458_strings.yar
    ├── exploit_ez_pwnkit_strings.yar
    ├── exploit_linux_eop_cve20177308_strings.yar
    ├── exploit_linux_eop_cve202121974_exploit_strings.yar
    ├── exploit_linux_eop_dirtyc0w_strings.yar
    ├── exploit_linux_eop_dirtypipe_strings.yar
    ├── exploit_linux_eop_polkit_pkexec_strings.yar
    ├── exploit_linux_eop_pwnkit_strings.yar
    ├── exploit_linux_eop_rationallove_strings.yar
    ├── exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
    ├── exploit_win_cloudatlas_cve_2018_0798.yar
    ├── gen_empire_onedrive_stager.yar
    ├── generic_bat_script_mock_http_services.yar
    ├── generic_perl_reverse_shell.yar
    ├── generic_php_webshell.yar
    ├── generic_python_reverse_shell.yar
    ├── generic_sharpshooter_payload_1.yar
    ├── generic_sharpshooter_payload_10.yar
    ├── generic_sharpshooter_payload_11.yar
    ├── generic_sharpshooter_payload_12.yar
    ├── generic_sharpshooter_payload_13.yar
    ├── generic_sharpshooter_payload_2.yar
    ├── generic_sharpshooter_payload_3.yar
    ├── generic_sharpshooter_payload_4.yar
    ├── generic_sharpshooter_payload_5.yar
    ├── generic_sharpshooter_payload_6.yar
    ├── generic_sharpshooter_payload_7.yar
    ├── generic_sharpshooter_payload_8.yar
    ├── generic_sharpshooter_payload_9.yar
    ├── generic_tor_hidden_service_leading_to_winports.yar
    ├── guerrilla_lemongroup.yar
    ├── guloader_lnk_file.yar
    ├── guloader_powershell_1.yar
    ├── guloader_unpacker.yar
    ├── guloader_unpacker_decoded.yar
    ├── guloader_vbscript.yar
    ├── hacktool_credentialkatz.yar
    ├── hacktool_defendercontrol_strings.yar
    ├── hacktool_dnscat2_strings.yar
    ├── hacktool_duplicatedump_strings.yar
    ├── hacktool_earthworm_strings.yar
    ├── hacktool_fscan_strings.yar
    ├── hacktool_gtunnel_strings.yar
    ├── hacktool_impacket_compiled_binary.yar
    ├── hacktool_iox_tunneling.yar
    ├── hacktool_ipmipwner_strings.yar
    ├── hacktool_lazagne_strings.yar
    ├── hacktool_ligolo_relay_strings.yar
    ├── hacktool_ligolo_strings.yar
    ├── hacktool_microsocks_strings.yar
    ├── hacktool_mimikat_ssp_strings.yar
    ├── hacktool_mimikatz_obfuscated.yar
    ├── hacktool_mimilite.yar
    ├── hacktool_nbtscan_strings.yar
    ├── hacktool_ntdsdumpex_strings.yar
    ├── hacktool_ntospy_strings.yar
    ├── hacktool_pplblade_strings.yar
    ├── hacktool_rubeus_strings.yar
    ├── hacktool_sharpview_strings.yar
    ├── hacktool_socat_strings.yar
    ├── hacktool_stowaway_strings.yar
    ├── hacktool_win_cookiekatz.yar
    ├── hacktool_win_gmer.yar
    ├── hacktool_win_powertool.yar
    ├── hacktool_win_processhacker.yar
    ├── hacktool_win_uknowseckeylogger.yar
    ├── hafnium_tarrask_malware.yar
    ├── icebot_exported_function.yar
    ├── icedid_chm_ttp.yar
    ├── implant_any_sliver.yar
    ├── implant_any_sliver_not_stripped.yar
    ├── implant_lin_geacon.yar
    ├── implant_lin_lightning.yar
    ├── implant_mac_rustbucket.yar
    ├── implant_mac_smoothoperator_update_agent.yar
    ├── implant_macos_geacon.yar
    ├── implant_mul_alchimist.yar
    ├── implant_win_apt29_2022_10.yar
    ├── implant_win_flagpro.yar
    ├── implant_win_geacon.yar
    ├── implant_win_graphiron_downloader.yar
    ├── implant_win_havoc_default_strings.yar
    ├── implant_win_incontroller.yar
    ├── implant_win_knotweed_jumplump.yar
    ├── implant_win_lyceum.yar
    ├── implant_win_magicrat.yar
    ├── implant_win_mysterysnail.yar
    ├── implant_win_pingpull.yar
    ├── implant_win_quantum_builder_lnk.yar
    ├── implant_win_quasarrat.yar
    ├── implant_win_sliver_dll.yar
    ├── in2al5d_p3in4er_loader.yar
    ├── infostealer_mac_realst.yar
    ├── infostealer_win_44caliber.yar
    ├── infostealer_win_acridrain_mar23.yar
    ├── infostealer_win_acrstealer_str.yar
    ├── infostealer_win_agrat.yar
    ├── infostealer_win_aurora.yar
    ├── infostealer_win_aurora_str.yar
    ├── infostealer_win_banditstealer.yar
    ├── infostealer_win_bebra.yar
    ├── infostealer_win_blackcap.yar
    ├── infostealer_win_blackguard_mar23.yar
    ├── infostealer_win_blustealer.yar
    ├── infostealer_win_cinoshistealer.yar
    ├── infostealer_win_daolpu_str.yar
    ├── infostealer_win_doenerium_str.yar
    ├── infostealer_win_ducklogs.yar
    ├── infostealer_win_edgeguard.yar
    ├── infostealer_win_enigma_initial_loader.yar
    ├── infostealer_win_enigma_loader_module.yar
    ├── infostealer_win_enigma_stealer_module.yar
    ├── infostealer_win_eternity.yar
    ├── infostealer_win_fwit_strings.yar
    ├── infostealer_win_ginzostealer_str.yar
    ├── infostealer_win_gomorrah.yar
    ├── infostealer_win_grmsk_strings.yar
    ├── infostealer_win_irontiger_chrome_stealer.yar
    ├── infostealer_win_leaf.yar
    ├── infostealer_win_lighting.yar
    ├── infostealer_win_lumma_strings_aug23.yar
    ├── infostealer_win_lumma_strings_sept23.yar
    ├── infostealer_win_mars_stealer.yar
    ├── infostealer_win_mars_stealer_variant_llcppc1.yar
    ├── infostealer_win_mars_stealer_xor_routine.yar
    ├── infostealer_win_meduzastealer.yar
    ├── infostealer_win_metastealer_strings.yar
    ├── infostealer_win_monster_stub.yar
    ├── infostealer_win_nekostealer.yar
    ├── infostealer_win_nemesis_in_memory.yar
    ├── infostealer_win_nosu.yar
    ├── infostealer_win_pennywise_mar23.yar
    ├── infostealer_win_phoenix.yar
    ├── infostealer_win_phoenixwave.yar
    ├── infostealer_win_raccoon_str_takemypainback.yar
    ├── infostealer_win_redline_strings.yar
    ├── infostealer_win_solarmarker_dll.yar
    ├── infostealer_win_solarmarker_powershell.yar
    ├── infostealer_win_spacestealer.yar
    ├── infostealer_win_stealc.yar
    ├── infostealer_win_stealc_str_oct24.yar
    ├── infostealer_win_stealerium.yar
    ├── infostealer_win_stormkitty.yar
    ├── infostealer_win_stormkitty_exfil_urls.yar
    ├── infostealer_win_titan.yar
    ├── infostealer_win_vidar_str_jul22.yar
    ├── infostealer_win_vidar_strings_nov23.yar
    ├── infostealer_win_vulturi.yar
    ├── infostealer_win_whitesnake_loader_feb23.yar
    ├── infostealer_win_whitesnake_stealer_feb23.yar
    ├── infostealer_win_whitesnake_xor_rc4_july12.yar
    ├── infostealer_win_xehook_str.yar
    ├── infostealer_win_xenostealer_strings.yar
    ├── infostealer_win_xfiles.yar
    ├── installer_win_minibus.yar
    ├── keylogger_win_donot.yar
    ├── killfloor_avkiller_strings.yar
    ├── kimsuky_konni_dll.yar
    ├── koi_koiloader.yar
    ├── koi_netstealer.yar
    ├── koi_powershell_loading_obfuscatednet.yar
    ├── koiloader_lnk.yar
    ├── koiloader_powershell_reflective_loading.yar
    ├── latrodectus_br4_js_dropper.yar
    ├── latrodectus_exports.yar
    ├── launcher_win_bluehaze.yar
    ├── launcher_win_mistcloak.yar
    ├── launcher_win_romcom_launcher.yar
    ├── launcher_win_stealthmutant_bat_launcher.yar
    ├── lnk_astaroth.yar
    ├── loader_amadey_clipper_plugin.yar
    ├── loader_amadey_standalone_may23.yar
    ├── loader_amadey_stealer_plugin.yar
    ├── loader_fakebat_initial_powershell_may24.yar
    ├── loader_fakebat_powershell_fingerprint_may24.yar
    ├── loader_latrodectus_dll.yar
    ├── loader_win_abcloader.yar
    ├── loader_win_aresloader.yar
    ├── loader_win_batloader_scripts.yar
    ├── loader_win_bumblebee.yar
    ├── loader_win_dodgebox.yar
    ├── loader_win_doppeldridex.yar
    ├── loader_win_erbium.yar
    ├── loader_win_fudloader.yar
    ├── loader_win_gcleaner.yar
    ├── loader_win_goshellcode.yar
    ├── loader_win_jennlog.yar
    ├── loader_win_jinxloader_strings.yar
    ├── loader_win_konni_bat.yar
    ├── loader_win_konni_wpnprv.yar
    ├── loader_win_ninerat.yar
    ├── loader_win_operationmagalenha_vbs.yar
    ├── loader_win_piccassoloader.yar
    ├── loader_win_purecrypter.yar
    ├── loader_win_red0044_powershell_may24.yar
    ├── loader_win_revil_loader.yar
    ├── loader_win_squirrelwaffle.yar
    ├── loader_win_squirrelwaffle_doc.yar
    ├── loader_win_stealthvector.yar
    ├── loader_win_svcready_imports.yar
    ├── luckymouse_sysupdate_loader.yar
    ├── luckymouse_sysupdate_payload.yar
    ├── malicious_lnk_exploiting_webdav_share_generic.yar
    ├── malware_httpshell_strings.yar
    ├── malware_remcom_strings.yar
    ├── malware_sugargh0st_strings.yar
    ├── malware_swordldr.yar
    ├── malware_tinyshell_strings.yar
    ├── malware_valleyrat_1ststage_strings.yar
    ├── malware_valleyrat_downloader_strings.yar
    ├── malware_valleyrat_strings_config.yar
    ├── malware_venom_admin_strings.yar
    ├── malware_venom_agent_strings.yar
    ├── malware_win_lyceum_maldoc_macro_20220613.yar
    ├── malware_win_mex.yar
    ├── malware_win_passlib.yar
    ├── manjusaka_samples.yar
    ├── merlin_crossplatform.yar
    ├── merlin_linux_elf.yar
    ├── merlin_win_dll.yar
    ├── merlin_win_exe.yar
    ├── miner_lin_xmrig_strings.yar
    ├── miner_win_xmrig_strings.yar
    ├── nomercy.yar
    ├── observerstealer.yar
    ├── pe_princeransomware_strings.yar
    ├── pe_stealer_axilestealer_strings.yar
    ├── pe_stealer_scarletstealer_strings.yar
    ├── platypus_winlinmac_strings.yar
    ├── plugx_final_payload.yar
    ├── radx_stealer.yar
    ├── ransomware_lin_avoslocker_sections.yar
    ├── ransomware_lin_avoslocker_strings.yar
    ├── ransomware_linux_icefire_2023.yar
    ├── ransomware_mallox.yar
    ├── ransomware_win_agenda.yar
    ├── ransomware_win_avoslocker.yar
    ├── ransomware_win_blackcat.yar
    ├── ransomware_win_blackmatter.yar
    ├── ransomware_win_chaos.yar
    ├── ransomware_win_dodo_2023.yar
    ├── ransomware_win_eking_rich_header.yar
    ├── ransomware_win_fonix.yar
    ├── ransomware_win_honkai_jan2023.yar
    ├── ransomware_win_karma.yar
    ├── ransomware_win_lorenz.yar
    ├── ransomware_win_masons_jan2023.yar
    ├── ransomware_win_raworld.yar
    ├── ransomware_win_redeemer.yar
    ├── ransomware_win_scransom.yar
    ├── ransomware_win_shrinklocker.yar
    ├── ransomware_win_voidcrypt.yar
    ├── ransomware_win_wing.yar
    ├── rat_darkvision_string.yar
    ├── rat_lin_gobrat_2023.yar
    ├── rat_win_arrow_str.yar
    ├── rat_win_asbit.yar
    ├── rat_win_asyncrat.yar
    ├── rat_win_atharvan.yar
    ├── rat_win_babylon.yar
    ├── rat_win_borat.yar
    ├── rat_win_dcrat_qwqdanchun.yar
    ├── rat_win_hiddenz.yar
    ├── rat_win_konni_rat.yar
    ├── rat_win_lilith.yar
    ├── rat_win_millenium.yar
    ├── rat_win_nighthawk.yar
    ├── rat_win_ninerat.yar
    ├── rat_win_ratel_strings.yar
    ├── rat_win_remcos.yar
    ├── rat_win_reverserat.yar
    ├── rat_win_romcom_payload.yar
    ├── rat_win_tutclient.yar
    ├── rat_win_xeno_rat.yar
    ├── rat_win_xworm_v2.yar
    ├── rat_win_xworm_v3.yar
    ├── recotool_adfind_strings.yar
    ├── reverseshell_win_1st_troy.yar
    ├── rootkit_diamorphine_strings.yar
    ├── rootkit_lin_winnti.yar
    ├── rootkit_win_purplefox_360_tct.yar
    ├── rootkit_win_purplefox_kernel_driver.yar
    ├── rootkit_win_purplefox_svchost_txt.yar
    ├── rule_lazarus_generic_downloader_7c3f94702fa7.yar
    ├── shell_win_danfuan.yar
    ├── spyware_and_bahamut.yar
    ├── spyware_and_fastfire.yar
    ├── spyware_and_strongpity_mobile_backdoor.yar
    ├── stealer_win_demotryspy.yar
    ├── stealer_win_luca.yar
    ├── stealer_win_mgbot_credential_stealer.yar
    ├── stealer_win_strela.yar
    ├── storm_1811_files_dat.yar
    ├── storm_1811_screenconnect_update.yar
    ├── strongpity_malware.yar
    ├── suspicious_users_dev.yar
    ├── ta410_control_flow_obfuscation.yar
    ├── technique_csv_dde_exec_regex.yar
    ├── tinyfluff_nodejs.yar
    ├── tool_3proxy_strings.yar
    ├── tool_advancedrun_strings.yar
    ├── tool_bore_rust_any_platform.yar
    ├── tool_bypassgodzilla.yar
    ├── tool_cheat_engine.yar
    ├── tool_chisel_strings.yar
    ├── tool_dogtunnel_strings.yar
    ├── tool_dynamicwrapper_strings.yar
    ├── tool_edrsandblast_api_strings.yar
    ├── tool_edrsandblast_cli_strings.yar
    ├── tool_edrsandblast_kernelcallbacks.yar
    ├── tool_edrsandblast_strings.yar
    ├── tool_efspotato.yar
    ├── tool_ehole.yar
    ├── tool_enum4linux_strings.yar
    ├── tool_execit_obfuscator_strings.yar
    ├── tool_exploit_badpotato_strings.yar
    ├── tool_exploit_comahawk_strings.yar
    ├── tool_exploit_rottenpotato_strings.yar
    ├── tool_generic_python_reverse_shell_strings.yar
    ├── tool_godpotato.yar
    ├── tool_gost_tunnel_strings.yar
    ├── tool_gsocket_strings.yar
    ├── tool_htran_strings.yar
    ├── tool_impersonate_strings.yar
    ├── tool_inswor_strings.yar
    ├── tool_iodine_strings.yar
    ├── tool_juicypotato_exploit_strings.yar
    ├── tool_juicypotatong_strings.yar
    ├── tool_koblas_server_strings.yar
    ├── tool_ladon_strings.yar
    ├── tool_lsass_dump_strings.yar
    ├── tool_masky_strings.yar
    ├── tool_multidump_strings.yar
    ├── tool_nping_strings.yar
    ├── tool_nssm_strings.yar
    ├── tool_paexec_strings.yar
    ├── tool_pchunter_and_related_certificate.yar
    ├── tool_petitpotato.yar
    ├── tool_pivotnacci.yar
    ├── tool_pivotnacci_webshell.yar
    ├── tool_powershell_unicorn.yar
    ├── tool_printnotifypotato.yar
    ├── tool_quarkspwdump.yar
    ├── tool_rathole_strings.yar
    ├── tool_realblindingedr_strings.yar
    ├── tool_reversessh_strings.yar
    ├── tool_revsocks_strings.yar
    ├── tool_rsockstun_strings.yar
    ├── tool_rubeus_strings.yar
    ├── tool_runpeinmemory_strings.yar
    ├── tool_safetykatz.yar
    ├── tool_scanline_strings.yar
    ├── tool_sharpefspotato_strings.yar
    ├── tool_sharphoundexecutable_strings.yar
    ├── tool_sharphoundpowershell_strings.yar
    ├── tool_sharpnbtscan_strings.yar
    ├── tool_sharpsecdump.yar
    ├── tool_soaphound_strings.yar
    ├── tool_ssf_strings.yar
    ├── tool_swor.yar
    ├── tool_sy_runas.yar
    ├── tool_tacticalrmm_installer_strings.yar
    ├── tool_tokenplayer_strings.yar
    ├── tool_webshell_b374k_strings.yar
    ├── tool_win_blackfly_proxy_config.yar
    ├── tool_win_driverjack.yar
    ├── tool_win_forkplayground.yar
    ├── tool_win_gosecretsdump.yar
    ├── tool_win_lightrail.yar
    ├── tool_win_sharpshares.yar
    ├── tool_win_snap2html.yar
    ├── tool_xiebroc2_strings.yar
    ├── tool_yasso_strings.yar
    ├── trojan_and_keepspy.yar
    ├── trojan_android_brata.yar
    ├── trojan_android_cerberus.yar
    ├── trojan_android_xenomorph.yar
    ├── trojan_win_bbtok_dll1_sep23.yar
    ├── trojan_win_bbtok_iso_sep23.yar
    ├── trojan_win_bbtok_lnk_sep23.yar
    ├── trojan_win_grandoreiro.yar
    ├── truesightkiller_avkiller_strings.yar
    ├── typhon_reborn_stealer.yar
    ├── unk_quad7_fsynet_strings.yar
    ├── unk_quad7_netd_strings.yar
    ├── unk_quad7_updtae_reverse_shell_strings.yar
    ├── unknown_7777_xlogin.yar
    ├── unknown_quad7_wildcard_login.yar
    ├── ursnif.yar
    ├── ursnif_ldr4.yar
    ├── vpn_mul_softether.yar
    ├── water_sigbin_group.yar
    ├── webshell_icesword_strings.yar
    ├── webshell_wso_webshell_strings.yar
    ├── weevely_webshell_payload.yar
    ├── win_clipper_generic.yar
    ├── win_infostealer_serpent_strings.yar
    ├── win_loader_astasialoader_strings.yar
    ├── win_malware_agnianestealer.yar
    ├── win_malware_janelarat_strings.yar
    ├── win_malware_statc_downloader.yar
    ├── wiper_hermeticwiper_variants.yar
    ├── wiper_win_caddywiper.yar
    ├── wiper_win_dnwipe.yar
    ├── wiper_win_isaacwiper.yar
    ├── wiper_win_nominatus_toxicbattery.yar
    ├── wiper_win_ruransom.yar
    ├── xworm_dotnet_injector.yar
    ├── yara_runascs.yar
    └── zip_win_abcloader.yar

================================================
FILE CONTENTS
================================================

================================================
FILE: Configuration_extractors/ChaosRat.py
================================================
import re
import base64
import json
import logging
from floss import strings
from io import BytesIO
from typing import Dict, List, Optional
from collections import namedtuple
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import ConnUsageEnum
from maco.model import CategoryEnum
from maco import yara
from ipaddress import IPv4Address, AddressValueError

CommandAndControl = namedtuple("CommandAndControl", ["ip", "port", "token"])


def check_ip(ioc: str) -> bool:
    """
    Use the built-in library ipaddress to
    validate that the provided parameter `ioc`
    is a valid IPv4 address
    """

    try:
        IPv4Address(ioc)
    except AddressValueError:
        return False
    else:
        return True


def is_base64(value: str) -> bool:
    """
    Base64 sanity check for a candidate config blob: returns True only if
    `value` decodes cleanly (strict alphabet) and the decoded payload is
    longer than 152 bytes, since a JSON config carrying a JWT token is
    always longer than that.
    """
    try:
        if not isinstance(value, str):
            return False
        decoded = base64.b64decode(value, validate=True)
        return len(decoded) > 152  # minimum length of a config holding a JWT token
    except (ValueError, TypeError):
        # binascii.Error (invalid alphabet / padding) is a ValueError subclass
        return False


def parse_config(raw: str) -> Optional[CommandAndControl]:
    """
    Extract the C2 configuration from the decoded JSON blob.

    The blob must be a JSON object with exactly three values: a JWT token,
    a TCP port and the C2 host (IP address or domain). The values are
    identified by their shape rather than by their key names.
    """
    try:
        conf = json.loads(raw)
    except (ValueError, TypeError):
        return None

    # json.loads also accepts lists and scalars; only an object with 3 values is a config
    if not isinstance(conf, dict) or len(conf) != 3:
        return None

    token = None
    port = None
    unknown = []

    for val in conf.values():
        val = str(val)
        # "eyJ" is the base64 prefix of a JWT header: {"alg": ...}
        if val.startswith("eyJ") and "." in val and len(val) > 100:
            token = val
        elif val.isdigit() and 1 <= int(val) <= 65535:
            port = int(val)
        else:
            unknown.append(val)

    # exactly one leftover value is expected: the C2 host
    if len(unknown) != 1:
        return None
    return CommandAndControl(unknown[0], port, token)


def extract(all_str: list) -> Optional[CommandAndControl]:
    """Look for the config among the extracted strings: one long base64 run,
    optionally padded, that decodes to the JSON object parsed by parse_config."""
    b64_pattern = r"([A-Za-z0-9+/]{40,}={0,2})"
    for static_string in all_str:
        # floss yields StaticString objects; the text lives in `.string`
        match = re.search(b64_pattern, static_string.string)
        if not match:
            continue
        raw = match.group(1)
        if not is_base64(raw):
            continue
        try:
            data = base64.b64decode(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        # a long base64 run that is not the config must not end the search
        conf = parse_config(data)
        if conf:
            return conf
    return None


class ChaosRat(Extractor):

    family = "Chaos"
    author = "Sekoia.io"
    last_modified = "06-02-2026"
    category = [CategoryEnum.rat]
    yara_rule = """
    rule chaos_bot_win
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "ChaosRAT"
            creation_date = "2026-02-03"
            modification_date = "2026-02-03"
            description = "Catch open source ChaosRat based on strings"
            hash = "88ea0ddda0efabd6b0cf4dc3feca563b8f69e0471cda0ba65b1da3fd5d49fba9"
        strings:
            $chaos = "tiagorlampert/CHAOS" ascii
            $go = "golang" ascii
            $dep1 = "github.com/kbinani/screenshot" ascii
            $dep2 = "github.com/gorilla/websocket" ascii
        condition:
            uint16be(0) == 0x4d5a and all of ($dep*) and #chaos > 10 and #go > 5 and filesize > 2MB and filesize < 10MB
    }

    rule chaos_bot_lin
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "ChaosRAT"
            creation_date = "2026-02-03"
            modification_date = "2026-02-03"
            description = "Catch open source ChaosRat based on strings"
            hash = "50d56dff0c531b9b5c2e80af66ec8a8d95e61ca1ed02cda05b802798262366be"
        strings:
            $chaos = "tiagorlampert/CHAOS" ascii
            $go = "golang" ascii
            $dep1 = "github.com/kbinani/screenshot" ascii
            $dep2 = "github.com/gen2brain/shm" ascii
        condition:
            uint32be(0) == 0x7f454c46 and all of ($dep*) and #chaos > 10 and #go > 5 and filesize > 2MB and filesize < 10MB
    }

    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        for hit in matches:
            if hit.rule == "chaos_bot_win":
                ret = ExtractorModel(
                    family=self.family, version="Windows", category=self.category
                )
            elif hit.rule == "chaos_bot_lin":
                ret = ExtractorModel(
                    family=self.family, version="Linux", category=self.category
                )
            else:
                logging.error("no yara match")
                return None
            try:
                all_str = list(strings.extract_ascii_strings(data))
                c2 = extract(all_str)

                if c2:
                    connection_kwargs = {
                        "server_port": c2.port,
                        "usage": ConnUsageEnum.c2,
                    }
                    # the third JSON value is either a literal IPv4 address or a hostname
                    if check_ip(c2.ip):
                        connection_kwargs["server_ip"] = c2.ip
                    else:
                        connection_kwargs["server_domain"] = c2.ip
                    ret.tcp.append(ret.Connection(**connection_kwargs))
                else:
                    logging.error("no C2 extraction")
                    return None

                return ret

            except Exception as e:
                logging.error(f"error on run - {e}")

        return None


================================================
FILE: Configuration_extractors/ConnectBack.py
================================================
import struct
from io import BytesIO
import re
import logging
from typing import List, Optional
from ipaddress import IPv4Address, AddressValueError
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco import yara

def check_ip(ioc: str) -> bool:
    """Use the built-in library ipaddress to
    validate that the provided parameter `ioc`
    is a valid, routable IPv4 address (loopback, private,
    link-local and unspecified addresses are excluded)

    >>> assert check_ip('127.0.0.1') is False
    >>> assert check_ip('183.123.11.1') is True
    >>> assert check_ip('This is not an IP') is False"""

    try:
        addr = IPv4Address(ioc)
    except AddressValueError:
        return False
    # a connect-back shellcode pointing at a local address is a test artefact, not a usable IOC
    return not (
        addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified
    )

class ConnectBack(Extractor):

    family = "ConnectBack"
    author = "Sekoia.io"
    last_modified = "30-01-2025"
    category = [CategoryEnum.backdoor]

    yara_rule = """
    rule ConnectBack_x64
    {
        meta:
            author = "Sekoia IO"
            malware = "ConnectBack"
            description = "Catch ConnectBack64 on common instruction and pattern"
            hash = "639b3e01d2d885f4a2b0c66d92c73957"
            hash = "8646ba08e924bbfb8cbcc70e17ff72c1"
            hash = "93d6a0a4e6ff89f4430ed4bd80e5fa71"
        strings:
            $syscall = { 0F 05 }
            $sock1 = { 6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 } //syscall socket
            $sock2 = { 48 89 D6 4D 31 C9 6A 22 41 5A 6A 07 5A 0F 05 } //syscall connect

        condition:
            uint32(0)==0x464c457f and uint8(4) == 2 and filesize >= 250 and filesize <= 250 and #syscall == 6 and all of ($sock*)
    }

    rule ConnectBack_x86
    {
        meta:
            author = "Sekoia IO"
            malware = "ConnectBack"
            description = "Catch ConnectBack32 on common instruction and pattern"
            hash = "57d47068c6ec56834466859f273be2da"
            hash = "33e34d4cf0c3da2095f7a4419f6aade6"
        strings:
            $syscall = { CD 80 } // interrupt 0x80
            $sock = { 68 ?? ?? ?? ?? 68 02 00 ?? ?? ?? ?? ?? 66 } // 0x68 push ip and 0x68 push padding byte and 0x66 sys_connect

        condition:
            uint32(0)==0x464c457f and uint8(4) == 1 and filesize > 150 and filesize < 210 and $sock and #syscall >= 4 and #syscall <= 6
    }
    """

    def run(self, stream: BytesIO, matches: List[yara.Match]) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        for hit in matches:
            if not hit.rule.startswith("ConnectBack"):
                continue

            c2: tuple = ()
            ret = ExtractorModel(family=self.family, version="Linux", category=self.category)
            try:
                if hit.rule == "ConnectBack_x64":
                    # mov rcx, imm64 holding the sockaddr_in: AF_INET (02 00), port, IPv4
                    pattern = b'\x48\xB9\x02\x00'
                    index = data.find(pattern)

                    if index != -1:
                        port_bytes = data[index + 4: index + 6]  # 2 bytes for the port
                        ip_bytes = data[index + 6: index + 10]   # 4 bytes for the IP
                        port = struct.unpack(">H", port_bytes)[0]  # network byte order (big endian)
                        ip = ".".join(map(str, ip_bytes))
                        if check_ip(ip):
                            c2 = (ip, str(port))

                if hit.rule == "ConnectBack_x86":
                    # 68 push <4-byte IP>, then 68 push <02 00 = AF_INET> <2-byte port>
                    # DOTALL is required: '.' must also match a 0x0a byte inside the IP or port
                    raw_c2 = re.search(
                        rb"(\x68)(?P<ipaddr>(..){2})(\x68\x02\x00)(?P<port>(..){1})",
                        data,
                        re.DOTALL,
                    )
                    if raw_c2:
                        raw_c2 = raw_c2.groupdict()
                        ip = IPv4Address(struct.unpack(">L", raw_c2.get('ipaddr'))[0])
                        # unsigned short: ports above 32767 must not come out negative
                        port = struct.unpack(">H", raw_c2.get('port'))[0]

                        if check_ip(str(ip)):
                            c2 = (str(ip), str(port))

                if c2:
                    ret.tcp.append(
                        ret.Connection(
                            server_ip=c2[0],
                            server_port=int(c2[1]),
                            usage=ConnUsageEnum.c2,
                        )
                    )

                return ret
            except Exception as e:
                logging.error(f"error during extraction: {e}")
                return None

        return None


================================================
FILE: Configuration_extractors/Ddostf.py
================================================
import re
import socket
import logging
from io import BytesIO
from typing import List, Optional
from collections import namedtuple
from ipaddress import IPv4Address, AddressValueError

from maco import yara
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum

import lief
from lief.ELF import ARCH
from lief.ELF import Header
from capstone import *
from capstone.x86 import *
from capstone.arm import *
from capstone.arm64 import *

CommandAndControl = namedtuple("CommandAndControl", ["ip", "port"])


def check_ip(ioc: str) -> bool:
    """Use the built-in library ipaddress to
    validate that the provided parameter `ioc`
    is a valid IPv4 address"""

    try:
        IPv4Address(ioc)
    except AddressValueError:
        return False
    else:
        return True


class Disassembler:
    def __init__(self, binary: lief.ELF.Binary):
        self.binary = binary
        self.arch = binary.header.machine_type
        self.entry = binary.entrypoint
        self.md = self._init_capstone()

    def _init_capstone(self):
        if self.arch == lief.ELF.ARCH.I386:
            return Cs(CS_ARCH_X86, CS_MODE_32)
        elif self.arch == lief.ELF.ARCH.AARCH64:
            return Cs(CS_ARCH_ARM64, CS_MODE_ARM)
        elif self.arch == lief.ELF.ARCH.ARM:
            # 32-bit ARM
            # CS_MODE_ARM: standard 32-bit instructions (4 bytes)
            # CS_MODE_THUMB: 16-bit compressed instructions (Thumb mode)
            mode = CS_MODE_THUMB if self.entry & 1 else CS_MODE_ARM
            return Cs(CS_ARCH_ARM, mode)
        elif self.arch == lief.ELF.ARCH.X86_64:
            return Cs(CS_ARCH_X86, CS_MODE_64)
        else:
            raise ValueError(f"unsupported arch: {self.arch}")

    def _get_step(self) -> int:
        if self.arch in [ARCH.ARM, ARCH.MIPS, ARCH.AARCH64]:
            # Fixed-size instructions: 4 bytes
            # If disassembly fails, we can safely skip 4 bytes
            return 4
        elif self.arch in [ARCH.X86_64, ARCH.I386]:
            # Variable-length instructions (1 to 15 bytes)
            # If disassembly fails, advance byte by byte to avoid missing any valid instruction
            return 1
        else:
            # generic fallback
            return 2

    def disasm(self, code: bytes, base_addr: int) -> List[CsInsn]:
        offset = 0
        step = self._get_step()
        end = len(code)
        results = []
        self.md.detail = True

        while offset < end:
            try:
                instr = list(self.md.disasm(code[offset:], base_addr + offset, count=1))

                if not instr:
                    offset += step
                    continue

                instr = instr[0]
                results.append(instr)
                offset += instr.size

            except Exception:
                # undecodable bytes: skip one step and resynchronise
                offset += step
        return results


class ConfigExtractor:
    def __init__(self, binary: lief.ELF.Binary):
        self.binary = binary
        self.arch = binary.header.machine_type

    @classmethod
    def from_binary(cls, binary):
        """
        Main interface to find the address/offset passed to a function call.
        Dispatches to architecture-specific implementation.
        """
        arch = binary.header.machine_type
        if arch in [ARCH.I386, ARCH.X86_64]:
            return ConfigExtractorX86(binary)
        elif arch in [ARCH.ARM, ARCH.AARCH64]:
            return ConfigExtractorARM(binary)
        else:
            raise ValueError(f"Unsupported architecture: {arch}")

    def find_symbol(self, func: str) -> Optional[int]:
        """
        Searches the ELF binary for a symbol with the specified name and returns its
        address if found.
        """
        try:
            for sym in self.binary.symbols:
                if sym.name == func:
                    addr = sym.value
                    return addr
        except Exception as e:
            logging.error(f"error on symbol {func} search : {e}")
            return

    def extract_data(self, addr: Optional[int], offset: int) -> Optional[bytes]:
        """
        Read `offset` bytes at virtual address `addr` and return the
        NUL-terminated prefix (a C string, or a small integer followed by zeros).
        """
        if addr is None:
            return None
        try:
            raw = self.binary.get_content_from_virtual_address(addr, offset)
            data = bytes(raw).split(b"\x00")[0]
        except Exception as e:
            print(f"error in extract_data: {e}")
            return None
        else:
            return data

    def run(self) -> Optional[CommandAndControl]:
        try:
            if self.arch in [ARCH.X86_64, ARCH.ARM, ARCH.I386]:

                # init step: resolve the addresses of the functions used as reference points
                ServerConnectCli_addr = self.find_symbol("ServerConnectCli")
                c2_resolv_func_addr = self.find_symbol("send_dns_request")
                inet_addr = self.find_symbol("inet_addr")
                htons_addr = self.find_symbol("htons")

                if not (ServerConnectCli_addr and htons_addr):
                    print("Missing some reference functions address")
                    logging.error("Missing some reference functions address")
                    return None

                # disassemble the .text section and build the instruction list
                text = self.binary.get_section(".text")
                disasm = Disassembler(self.binary)
                instructions = disasm.disasm(bytes(text.content), text.virtual_address)

                # locate the C2 and port variables from the arguments passed to the
                # reference functions
                # case 1: the IP address is passed as argument to inet_addr inside ServerConnectCli
                c2_addr = self.find_addr(instructions, inet_addr, ServerConnectCli_addr)
                raw_c2 = self.extract_data(c2_addr, 16)
                if not raw_c2:
                    # case 2: fallback - the C2 hostname is passed to the DNS resolving function
                    c2_addr = self.find_addr(instructions, c2_resolv_func_addr)
                    raw_c2 = self.extract_data(c2_addr, 16)
                    if not raw_c2:
                        print("Missing c2 IP/Dom value")
                        logging.error("Missing c2 IP/Dom value")
                        return None

                # the port is the argument of htons() inside ServerConnectCli
                port_addr = self.find_addr(
                    instructions, htons_addr, ServerConnectCli_addr
                )
                raw_port = self.extract_data(port_addr, 4)

                if not raw_port:
                    print("Missing c2 Port value")
                    logging.error("Missing c2 Port value")
                    return None

                ip = bytes(raw_c2).decode("utf-8", errors="ignore")
                # note: extract_data already truncates at the first NUL byte, so a port
                # whose low byte is 0x00 cannot be recovered through this path
                port = bytes(raw_port).split(b"\x00")[0]

                # the port is stored in the binary's native byte order (EI_DATA in the ELF header)
                if self.binary.header.identity_data == lief.ELF.Header.ELF_DATA.MSB:
                    endian = "big"
                else:
                    endian = "little"

                c2 = CommandAndControl(ip=ip, port=int.from_bytes(port, endian))
                return c2

            return None

        except Exception as e:
            print(f"Extraction error : {e}")
            logging.error(f"Extraction error : {e}")
            return None


class ConfigExtractorX86(ConfigExtractor):
    def find_addr(
        self, instructions: List[CsInsn], func_addr: int, start_addr: int = None
    ) -> Optional[int]:
        return self.find_addr_x86(instructions, func_addr, start_addr)

    @staticmethod
    def _resolve_register(prev_insts: List[CsInsn], reg: int) -> Optional[int]:
        """
        Walk backwards through `prev_insts` looking for the MOV that loaded `reg`,
        and return its source when it is an immediate or an absolute memory
        displacement (no base/index register).
        """
        for mov_prev in reversed(prev_insts):
            if mov_prev.id != X86_INS_MOV:
                continue
            dst2, src2 = mov_prev.operands[0], mov_prev.operands[1]
            if dst2.type != X86_OP_REG or dst2.reg != reg:
                continue
            if src2.type == X86_OP_IMM:
                return src2.imm
            if src2.type == X86_OP_MEM and src2.mem.base == 0 and src2.mem.index == 0:
                return src2.mem.disp
        return None

    def find_addr_x86(
        self, instructions: List[CsInsn], func_addr: int, start_addr: int = None
    ) -> Optional[int]:
        """
        Scans a list of disassembled instructions to locate a CALL to a specific function
        (identified by its immediate operand) and extracts the argument passed to that call.

        The function performs a backward analysis limited to the 5 instructions
        preceding the CALL. It attempts to resolve the argument in two cases:

            1. The argument is an immediate value directly present in the instruction
               before the CALL.
            2. The argument is stored in a register, and a preceding MOV instruction
               assigns that register either an immediate value or a memory displacement.

        Parameters
        ----------
        instructions : List[CsInsn]
            A list of Capstone instruction objects to analyze.
        func_addr : int
            The target function address we want to identify CALL instructions for.
        start_addr : int, optional
            If provided, only instructions located after this address are considered.
        """

        try:
            for idx, insn in enumerate(instructions):
                if start_addr is not None and insn.address < start_addr:
                    continue

                if insn.id != X86_INS_CALL:
                    continue
                op = insn.operands[0]
                if op.type != X86_OP_IMM or op.imm != func_addr:
                    continue

                prev_idx_start = max(0, idx - 5)
                prev_insts = instructions[prev_idx_start:idx]

                for prev in reversed(prev_insts):
                    if len(prev.operands) == 2:
                        # x86-64 SysV: the argument is loaded into a register (mov edi, imm / mov rdi, reg)
                        src = prev.operands[1]
                        if src.type == X86_OP_IMM:
                            return src.imm
                        if src.type == X86_OP_REG:
                            resolved = self._resolve_register(prev_insts, src.reg)
                            if resolved is not None:
                                return resolved

                    elif prev.id == X86_INS_PUSH:
                        # i386 cdecl: the argument is pushed on the stack (push imm / push reg)
                        op = prev.operands[0]
                        if op.type == X86_OP_IMM:
                            return op.imm
                        if op.type == X86_OP_REG:
                            resolved = self._resolve_register(prev_insts, op.reg)
                            if resolved is not None:
                                return resolved

        except Exception as e:
            print(f"Error in X86 search C2 config : {e}")
            logging.error(f"Error in X86 search C2 config : {e}")

        return None


class ConfigExtractorARM(ConfigExtractor):
    def find_addr(
        self, instructions: List[CsInsn], func_addr: int, start_addr: int = None
    ) -> Optional[int]:
        return self.find_addr_arm(instructions, func_addr, start_addr)

    def find_addr_arm(
        self, instructions: List[CsInsn], func_addr: int, start_addr: int = None
    ):
        """
        ARM version of find_addr_x86
        Easy way :
        - look 5 instructions before BL/BLX to func_addr
        - extract LDR
        - if 1 LDR : PC-relative -> load literal
        - if 2 LDR : pattern base + offset : (ldr base, ldr [base,#offset])
        """

        try:
            for idx, insn in enumerate(instructions):

                if start_addr is not None and insn.address < start_addr:
                    continue

                if insn.id in (ARM_INS_BL, ARM_INS_BLX):
                    op = insn.operands[0]
                    if op.type != ARM_OP_IMM or op.imm != func_addr:
                        continue

                    prev = instructions[max(0, idx - 5) : idx]
                    # Extract LDR
                    ldrs = []
                    for ins in prev:
                        if ins.id == ARM_INS_LDR and len(ins.operands) >= 2:
                            ldrs.append(ins)

                    if not ldrs:
                        logging.error("No LDR found")
                        return None

                    # CASE 1 : LDR (PC-relative literal)
                    if len(ldrs) == 1:
                        ins = ldrs[0]
                        src = ins.operands[1]
                        if src.type == ARM_OP_MEM and src.mem.base == ARM_REG_PC:
                            literal_addr = ins.address + 8 + src.mem.disp
                            try:
                                data = self.binary.get_content_from_virtual_address(
                                    literal_addr, 4
                                )
                                val = int.from_bytes(data, "little")
                                return val
                            except Exception as e:
                                logging.error(f"access data error {e}")
                                return None

                        logging.error("Single LDR but not PC-relative")
                        return None

                    # CASE 2 : 2 LDR (base + offset)
                    if len(ldrs) == 2:
                        base_ins = ldrs[0]
                        off_ins = ldrs[1]

                        # base = ldr rX, [pc,#imm]
                        base_src = base_ins.operands[1]
                        if (
                            base_src.type != ARM_OP_MEM
                            or base_src.mem.base != ARM_REG_PC
                        ):
                            logging.error(
                                "First LDR is not PC-relative, cannot process pattern"
                            )
                            return None

                        literal_addr = base_ins.address + 8 + base_src.mem.disp
                        data = self.binary.get_content_from_virtual_address(
                            literal_addr, 4
                        )
                        base_val = int.from_bytes(data, "little")

                        # offset = ldr rX, [rX,#offset]
                        off_src = off_ins.operands[1]
                        if (
                            off_src.type == ARM_OP_MEM
                            and off_src.mem.base != ARM_REG_PC
                        ):
                            offset = off_src.mem.disp
                            return base_val + offset

                        logging.error("Second LDR is not base+offset")
                        return None

                    logging.error("More than 2 LDRs, unsupported pattern")
                    return None

        except Exception as e:
            logging.error(f"Error in ARM search C2 config : {e}")
        return None
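As an added example (not code from the SEKOIA-IO/Community repository), the two LDR patterns described in the `find_addr_arm` docstring resolved with a minimal hand-written A32 decoder instead of capstone, over a constructed code buffer with its literal pool; unlike the page's version it also checks that the second LDR dereferences the register the first LDR loaded. All addresses, instruction words and the callee address are constructed for the demonstration.

```python
import struct
from typing import List, Optional, Tuple

ARM_REG_PC = 15                   # register number of PC in A32 encodings
Segment = Tuple[int, bytes]       # (virtual base address, raw bytes) of a mapped region


def read_u32(segments: List[Segment], addr: int) -> Optional[int]:
    """Little-endian 32-bit read from the constructed memory image (None if unmapped)."""
    for base, blob in segments:
        if base <= addr and addr + 4 <= base + len(blob):
            return struct.unpack_from("<I", blob, addr - base)[0]
    return None


def decode_ldr_imm(word: int) -> Optional[Tuple[int, int, int]]:
    """Decode an A32 'LDR Rt, [Rn, #+/-imm12]' (offset addressing, AL condition).
    Returns (rt, rn, signed_offset), or None if the word is not such an LDR.
    Bits 27..20 are 010 P U 0 W 1; P=1, W=0 is plain offset addressing."""
    if (word >> 28) != 0xE or (word & 0x0F700000) != 0x05100000:
        return None
    offset = word & 0xFFF
    if not word & (1 << 23):      # U bit clear: the offset is subtracted
        offset = -offset
    return (word >> 12) & 0xF, (word >> 16) & 0xF, offset


def bl_target(word: int, addr: int) -> Optional[int]:
    """Target of an A32 'BL' (AL condition) located at addr, else None."""
    if (word >> 24) != 0xEB:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:          # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return addr + 8 + (imm24 << 2)   # in A32 the PC reads as instruction address + 8


def resolve_args_before_calls(
    segments: List[Segment], code_base: int, code: bytes, func_addr: int
) -> List[Tuple[int, Optional[int]]]:
    """For each BL to func_addr, apply the rules from find_addr_arm to the 5
    preceding instructions:
      one LDR  -> 'ldr rX, [pc, #imm]': the value is the literal itself;
      two LDRs -> 'ldr rX, [pc, #imm]; ldr rX, [rX, #off]': literal + off.
    Returns [(call_site_address, resolved_value_or_None), ...]."""
    words = [
        (code_base + 4 * i, struct.unpack_from("<I", code, 4 * i)[0])
        for i in range(len(code) // 4)
    ]
    results = []
    for idx, (addr, word) in enumerate(words):
        if bl_target(word, addr) != func_addr:
            continue
        window = words[max(0, idx - 5): idx]
        ldrs = [(a, decode_ldr_imm(w)) for a, w in window if decode_ldr_imm(w)]
        value = None
        if len(ldrs) == 1:
            a, (_, rn, off) = ldrs[0]
            if rn == ARM_REG_PC:
                value = read_u32(segments, a + 8 + off)
        elif len(ldrs) == 2:
            (a1, (rt1, rn1, off1)), (_, (_, rn2, off2)) = ldrs
            # the second LDR must dereference the register the first one loaded
            if rn1 == ARM_REG_PC and rn2 == rt1:
                base_val = read_u32(segments, a1 + 8 + off1)
                if base_val is not None:
                    value = base_val + off2
        results.append((addr, value))
    return results


# Constructed sample: a callee at 0x9000 and a .text region at 0x8000 holding
# the 1-LDR pattern (0x8000..) and the 2-LDR pattern (0x8010..) with literal pools.
CALLEE = 0x9000
CODE_BASE = 0x8000
SAMPLE_CODE = struct.pack(
    "<9I",
    0xE59F0004,  # 0x8000  ldr r0, [pc, #4]      -> literal at 0x800C
    0xEB0003FD,  # 0x8004  bl  0x9000
    0xE1A00000,  # 0x8008  nop (mov r0, r0)
    0x00010234,  # 0x800C  .word 0x10234         (pointer to the config string)
    0xE59F1008,  # 0x8010  ldr r1, [pc, #8]      -> literal at 0x8020
    0xE5911010,  # 0x8014  ldr r1, [r1, #0x10]
    0xEB0003F8,  # 0x8018  bl  0x9000
    0xE1A00000,  # 0x801C  nop
    0x00010400,  # 0x8020  .word 0x10400         (base of a config structure)
)

if __name__ == "__main__":
    for site, val in resolve_args_before_calls([(CODE_BASE, SAMPLE_CODE)], CODE_BASE, SAMPLE_CODE, CALLEE):
        print(f"call at {site:#x}: argument resolves to {val:#x}" if val is not None else f"call at {site:#x}: unresolved")
```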


class Ddostf(Extractor):

    family = "ddostf"
    author = "Sekoia.io"
    last_modified = "04-12-2025"
    category = [CategoryEnum.ddos]
    yara_rule = """
    rule ddostf_bot_lin
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "ddostf"
            creation_date = "2024-02-09"
            modification_date = "2025-04-12"
            description = "catch Ddostf DDoS bot based on "
            hash = "b00d41d30b0a7b289607e19367893688664d907a9d04b48feb6d88bc449ed423" // X86
            hash = "db9fceb84052afb3dc5d3ba109d1e20506a195867cc6bd319fcc47d166345129" // X86
            hash = "d2f2271938f895d5383a6ca9e2170da7545314eb234da1f72eb2bd58f027dfbe" // X86
    		hash = "b4bd3605548d0768de3c60dc9ff47ce326395a6ed80e936a4f173e32f75e4144" // ARM
            hash = "6abfea326919bc9e8191e8f87a8242107be49c00a6bf6348e84d1f2ccdbc5a61" // ARM
    		hash = "a3cb71e5f8e6417e5c0dcec0547dbfe5db5551f6e98bbd32910ff6e6b05e7be6" // MIPS - Unsupported
        strings:
            $dos = "_Flood" ascii
            $s = "ddos.tf" ascii fullword
            $att1 = "GETFT_Flood" ascii
            $att2 = "WZTCP_Flood" ascii
            $att3 = "WZUDP_Flood" ascii
            $att4 = "ICMP_Flood" ascii
            $att5 = "POST_Flood" ascii
            $att6 = "GET_Flood" ascii
        condition:
            uint32be(0) == 0x7f454c46 and #dos > 10 and 4 of ($att*) and $s and filesize > 300KB and filesize < 2MB
    }
    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if not any(hit.rule.startswith("ddostf_bot_lin") for hit in matches):
            return None

        ret = ExtractorModel(
            family=self.family, version="Linux", category=self.category
        )
        try:
            binary = lief.parse(raw=data)
            config_extract = ConfigExtractor.from_binary(binary)
            c2 = config_extract.run()
            if not c2:
                logging.error("no C2 extraction")
                return None

            connection_kwargs = {
                "server_port": c2.port,
                "usage": ConnUsageEnum.c2,
            }
            if check_ip(c2.ip):
                connection_kwargs["server_ip"] = c2.ip
            else:
                # the parsed C2 field holds a hostname when it is not an IPv4 address
                connection_kwargs["server_domain"] = c2.ip
            ret.tcp.append(ret.Connection(**connection_kwargs))
            return ret

        except Exception as e:
            logging.error(f"error on run - {e}")
            return None


================================================
FILE: Configuration_extractors/Gafgyt.py
================================================
from io import BytesIO
import logging
import lief
from lief.ELF import ARCH, Header
import struct
from typing import List, Optional
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco import yara
from collections import namedtuple
from ipaddress import IPv4Address, AddressValueError


CommandAndControl = namedtuple("CommandAndControl", ["ip", "port"])
BannerInfo = namedtuple("BannerInfo", ["raw", "fixed_middle", "has_ansi"])


def check_ip(ioc: str) -> bool:
    """Use the built-in library ipadress to
    validate that the provided parameter `ioc`
    is a valid IPv4 address"""

    try:
        IPv4Address(ioc)
    except AddressValueError:
        return False
    else:
        return True


class ConfigExtractor:
    SUPPORTED_ARCHS = {ARCH.X86_64, ARCH.ARM, ARCH.I386, ARCH.SH, ARCH.MIPS}

    def __init__(self, elf: lief.ELF.Binary):
        self.elf = elf
        self.arch = elf.header.machine_type
        # byte order declared in the ELF identification (EI_DATA),
        # needed to read the commServer pointer correctly
        self.endian = (
            "big"
            if elf.header.identity_data == lief.ELF.Header.ELF_DATA.MSB
            else "little"
        )

    def find_symbol(self) -> Optional[int]:
        """Locate the symbol 'commServer' and return its virtual address."""
        for sym in self.elf.symbols:
            if sym.name == "commServer":
                return sym.value
        logging.error("commServer symbol not found")
        return None

    def extract_addr(self, comm_addr: int) -> Optional[int]:
        """Extract the pointer stored at commServer."""
        try:
            data = self.elf.get_content_from_virtual_address(comm_addr, 4)
            if len(data) != 4:
                raise ValueError("Unexpected size for commServer pointer")
            return int.from_bytes(bytes(data), byteorder=self.endian)
        except Exception as e:
            logging.error(f"error on c2 address extraction : {e}")
            return None

    def extract_c2(self, inst_addr: int) -> Optional[str]:
        """Extract C2 string located at inst_addr."""
        try:
            content = self.elf.get_content_from_virtual_address(inst_addr, 40)
            return bytes(content).split(b"\x00", 1)[0].decode("utf-8")
        except Exception as e:
            logging.error(f"c2 extraction error : {e}")
            return None

    def parse_c2(self, raw_data: str) -> Optional[CommandAndControl]:
        """Parse <ip>:<port> format."""
        try:
            ip, port_str = raw_data.split(":")
            return CommandAndControl(ip=ip, port=int(port_str))
        except Exception as e:
            logging.error(f"c2 parsing error : {e}")
            return None

    def extract_banner(self) -> Optional[BannerInfo]:
        """
        Locate the banner template in .rodata/.data by looking for the
        null-terminated string that contains exactly two '%s'.
        Relies on lief's ELF parsing rather than a regex over the raw file.
        """
        for section in self.elf.sections:
            if section.name not in (".rodata", ".data"):
                continue
            content = bytes(section.content)
            # Split on null bytes
            for candidate in content.split(b"\x00"):
                if candidate.count(b"%s") == 2:
                    has_ansi = b"\x1b[" in candidate
                    parts = candidate.split(b"%s")
                    # parts[0] = prefix, parts[1] = fixed_middle, parts[2] = suffix
                    fixed_middle = parts[1] if len(parts) == 3 else None
                    return BannerInfo(
                        raw=candidate.decode("utf-8", errors="replace"),
                        fixed_middle=(
                            fixed_middle.decode("utf-8", errors="replace")
                            if fixed_middle is not None
                            else None
                        ),
                        has_ansi=has_ansi,
                    )
        logging.warning("banner template not found in .rodata/.data")
        return None

    def run(
        self,
    ) -> Optional[tuple[Optional[CommandAndControl], Optional[BannerInfo]]]:
        if self.arch not in self.SUPPORTED_ARCHS:
            raise ValueError(f"Unsupported architecture : {self.arch}")

        comm_addr = self.find_symbol()
        if comm_addr is None:
            logging.error("Missing commServer Addr")
            return None

        c2_addr = self.extract_addr(comm_addr)
        if c2_addr is None:
            logging.error("no c2 found")
            return None

        raw_c2 = self.extract_c2(c2_addr)
        if not raw_c2:
            logging.error("c2 extraction failed or empty")
            return None

        c2 = self.parse_c2(raw_c2)
        banner = self.extract_banner()

        return (c2, banner)


class Gafgyt(Extractor):
    author = "Sekoia.io"
    last_modified = "28-03-2025"
    category = [CategoryEnum.bot, CategoryEnum.ddos]
    family = "Gafgyt"
    yara_rule = """
    rule Gafgyt
    {
        meta:
            author = "Sekoia IO"
            malware = "Gafgyt"
            description = "Catch Gafgyt malware on common instruction and pattern"
            hash = "bc0e5283242cb483a4b22ab26b7206bd"
            hash = "06e67cc210daff5323aa18fab7b1cc92"
            hash = "a7c20be31ae57de59b15e09c12342812"
            hash = "ec41d70c25a970b437752df86d45ca2f"
            hash = "f318180361a32856f9b3827f96baf8ad"
            hash = "b0100f50a771e7ce719a6565235289ec"
        strings:
            $s0 = { 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F }
            $s1 = "commServer" ascii
            $s2 = "mainCommSock" ascii
            $s3 = "currentServer" ascii
        condition:
            uint32be(0) == 0x7f454c46 and all of them and filesize > 40KB and filesize < 160KB
    }

    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if not any(hit.rule.startswith("Gafgyt") for hit in matches):
            logging.error("no Yara match")
            return None

        ret = ExtractorModel(
            family=self.family, version="Linux", category=self.category
        )
        try:
            elf = lief.parse(data)
            config_extract = ConfigExtractor(elf)
            config = config_extract.run()
            if config is None:
                logging.error("no configuration extracted")
                return None
            c2, banner = config
            if c2:
                connection_kwargs = {
                    "server_port": c2.port,
                    "usage": ConnUsageEnum.c2,
                }
                if check_ip(c2.ip):
                    connection_kwargs["server_ip"] = c2.ip
                else:
                    connection_kwargs["server_domain"] = c2.ip
                ret.tcp.append(ret.Connection(**connection_kwargs))
            else:
                logging.error("no C2 extraction")
            if banner:
                ret.other = {
                    "raw_banner": banner.raw,
                    "sep_field": banner.fixed_middle,
                }

            return ret

        except Exception as e:
            logging.error(f"error during extraction: {e}")
            return None


================================================
FILE: Configuration_extractors/Njrat.py
================================================
import clr

clr.AddReference("System.Memory")
from System.Reflection import Assembly, MethodInfo, BindingFlags
from System import Type
import logging
import os

MODULES_DIR_PATH = os.path.dirname(os.path.realpath(__file__))
DNLIB_PATH = os.path.join(MODULES_DIR_PATH, "dnlib.dll")
clr.AddReference(DNLIB_PATH)

import dnlib
from dnlib.DotNet import *
from dnlib.DotNet import ModuleDef, ModuleDefMD
from dnlib.DotNet.Emit import OpCodes
from dnlib.DotNet.Writer import ModuleWriterOptions

from typing import Dict, List, Optional
from io import BytesIO
from maco.extractor import Extractor
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco.model import ExtractorModel
from maco import yara
from ipaddress import IPv4Address, AddressValueError
import base64


def is_base64(s: str) -> bool:
    """
    Try to decode the string strictly to check whether it is well-formed base64
    """
    try:
        base64.b64decode(s, validate=True)
    except Exception:
        return False
    else:
        return True


def parse_port(port_str: str) -> int:
    """
    If the port is stored as a base64-encoded string, decode it first,
    then cast the result to int
    """
    try:
        if not port_str.isdigit() and is_base64(port_str):
            decoded = base64.b64decode(port_str).decode("utf-8")
            port = int(decoded)
        else:
            port = int(port_str)
    except (ValueError, base64.binascii.Error):
        raise ValueError(f"Invalid port : {port_str}")
    return port


def check_ip(ip: str) -> bool:
    """
    Use the built-in library ipadress to
    validate that the provided parameter `ip`
    is a valid IPv4 address
    """
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False
    else:
        return True


def extract_setting(data: bytes) -> Optional[Dict[str, str]]:
    """
    Read the static string fields assigned in the .cctor of the 'OK' class
    (an ldstr immediately followed by a stsfld) and return them keyed by field name
    """
    try:
        modctx = ModuleDef.CreateModuleContext()
        module = dnlib.DotNet.ModuleDefMD.Load(data, modctx)
        config = {
            "H": None,
            "P": None,
            "RG": None,
            "EXE": None,
            "sf": None,
            "VN": None,
            "VR": None,
            "Y": None,  # separator field, read back by Njrat.run
            "Mutex": None,
        }
        for type in module.GetTypes():
            if type.Name == "OK":
                for method in type.Methods:
                    if method.Name == ".cctor":
                        instructions = list(method.Body.Instructions)
                        for inst_1, inst_2 in zip(instructions, instructions[1:]):
                            if (
                                inst_1.OpCode == OpCodes.Ldstr
                                and inst_2.OpCode == OpCodes.Stsfld
                            ):
                                field_name = str(inst_2.Operand.Name)
                                if field_name in config:
                                    config[field_name] = str(inst_1.Operand)
    except Exception as e:
        logging.error(f"error in extract setting {e}")
        return None
    else:
        return config


class Njrat(Extractor):

    family = "njRAT"
    author = "Sekoia.io"
    last_modified = "02-12-2025"
    category = [CategoryEnum.rat, CategoryEnum.worm]
    yara_rule = """
    rule Njrat_rat_win
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "njRAT"
            creation_date = "2022-08-22"
            modification_date = "2022-08-22"
            description = "Catch njRAT based on strings"
            hash = "76790ab79dc46fa3cc4a78220ed337d4"
            hash = "b99bb526dc4b60bd79f1cfd074161f09"
            hash = "5256b09761417d2b4b20b7a6714b9f6b"
        strings:
            $ = "set cdaudio door closed" wide
            $ = "set cdaudio door open" wide
            $ = "ping 0" wide
            $ = "[endof]" wide
            $ = "TiGeR-Firewall" wide
            $ = "NetSnifferCs" wide
            $ = "IPBlocker" wide
            $ = "Sandboxie Control" wide
        condition:
            uint16be(0) == 0x4d5a and filesize < 1MB and 5 of them
    }
    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if not any(hit.rule.startswith("Njrat_rat_win") for hit in matches):
            return None

        try:
            other = {}
            settings = extract_setting(data)
            if settings is None:
                logging.error("settings extraction failed")
                return None
            hosts, port = settings.get("H"), settings.get("P")
            if not (hosts and port):
                logging.error("no C2 extraction")
                return None

            ret = ExtractorModel(
                family=self.family, version="Windows", category=self.category
            )

            port = parse_port(port)
            conn_kwargs = {"server_port": port, "usage": ConnUsageEnum.c2}
            if check_ip(hosts):
                conn_kwargs["server_ip"] = hosts
            else:
                conn_kwargs["server_domain"] = hosts
            ret.tcp.append(ret.Connection(**conn_kwargs))

            rg = settings.get("RG")
            if rg is not None:
                ret.mutex = [rg]

            vr = settings.get("VR")
            if vr is not None:
                ret.version = vr

            sf = settings.get("sf")
            exe = settings.get("EXE")
            if sf is not None and exe is not None:
                other["persist_key"] = f"{sf}\\{exe}"

            y = settings.get("Y")
            if y is not None:
                other["seperator_field"] = y

            vn = settings.get("VN")
            if vn is not None:
                other["botnet"] = (
                    base64.b64decode(vn).decode("utf-8") if is_base64(vn) else vn
                )

            ret.other = other

            return ret

        except Exception as e:
            logging.error(f"error on run - {e}")
            return None
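Added example, not code from the SEKOIA-IO/Community repository: a stricter version of the base64 handling the njRAT extractor applies to its P and VN fields. The extractor's `is_base64()` accepts any well-formed base64 string, so a plaintext value whose length is a multiple of 4 (for instance `Bot1`) is decoded to non-text bytes; this variant only accepts a decode whose result is printable text, adds a port range check, and assembles the connection fields the way `Njrat.run` does. The settings dict and addresses are constructed, not taken from a sample.

```python
import base64
from ipaddress import IPv4Address, AddressValueError
from typing import Dict, Optional


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text only when value is well-formed base64 AND the
    result is printable UTF-8; otherwise None so the caller keeps the raw value."""
    if not value or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def parse_port(port_str: str) -> int:
    """Same contract as the extractor's parse_port, with a 1..65535 range check."""
    if port_str.isdigit():
        port = int(port_str)
    else:
        decoded = decode_if_base64(port_str)
        if decoded is None or not decoded.isdigit():
            raise ValueError(f"invalid port field: {port_str!r}")
        port = int(decoded)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def c2_from_settings(settings: Dict[str, Optional[str]]) -> Optional[Dict[str, object]]:
    """Build the C2 connection and botnet fields from the H / P / VN settings,
    mirroring the IPv4-vs-domain split done in Njrat.run."""
    host, port_str = settings.get("H"), settings.get("P")
    if not (host and port_str):
        return None
    conn: Dict[str, object] = {"server_port": parse_port(port_str)}
    try:
        IPv4Address(host)
        conn["server_ip"] = host
    except AddressValueError:
        conn["server_domain"] = host
    vn = settings.get("VN")
    if vn:
        conn["botnet"] = decode_if_base64(vn) or vn   # keep raw text when not base64
    return conn


# Constructed settings in the shape extract_setting() returns (documentation IP, not an IoC)
SAMPLE_SETTINGS = {"H": "198.51.100.7", "P": "MTE3Nw==", "VN": "SGFja0JvdA==", "RG": None}

if __name__ == "__main__":
    print(c2_from_settings(SAMPLE_SETTINGS))
    print(c2_from_settings({"H": "c2.example.invalid", "P": "1177", "VN": "Bot1"}))
```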


================================================
FILE: Configuration_extractors/QuasarRAT.py
================================================
import clr

clr.AddReference("System.Memory")
from System.Reflection import Assembly, MethodInfo, BindingFlags
from System import Type
import os

MODULES_DIR_PATH = os.path.dirname(os.path.realpath(__file__))
DNLIB_PATH = os.path.join(MODULES_DIR_PATH, "dnlib.dll")
clr.AddReference(DNLIB_PATH)

import dnlib
from dnlib.DotNet import *
from dnlib.DotNet import ModuleDef, ModuleDefMD
from dnlib.DotNet.Emit import OpCodes
from dnlib.DotNet.Writer import ModuleWriterOptions

import string
import base64
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.Padding import unpad

import logging
from io import BytesIO
from typing import List, Optional, Dict, Tuple
from collections import defaultdict, Counter

from maco.extractor import Extractor
from maco.model import ExtractorModel, Encryption
from maco.model import ConnUsageEnum, CategoryEnum
from maco import yara
from ipaddress import IPv4Address, AddressValueError


def check_ip(ioc: str) -> bool:
    """Use the built-in library ipadress to
    validate that the provided parameter `ioc`
    is a valid IPv4 address"""

    try:
        IPv4Address(ioc)
    except AddressValueError:
        return False
    else:
        return True


def custom_uri_extraction(uri: str) -> Tuple[str, int]:
    """Clean up the URI a bit: some decryptions unpad the plaintext
    incorrectly and leave trailing characters. Afterwards the function
    splits the URI (ip:port) and returns each part separately"""

    # remove the trailing non-digit characters
    while len(uri) > 0 and not uri.endswith(tuple(string.digits)):
        uri = uri[:-1]

    ip, port = uri.rsplit(":", 1)
    return ip, int(port)


class ExtractionError(Exception):
    """Raised when the config extraction fails or a required value is missing."""

    pass


class QuasarRAT(Extractor):
    family: str = "QuasarRAT"
    author: str = "Sekoia.io"
    last_modified: str = "27-03-2025"

    yara_rule = r"""
rule QuasarRAT {
    meta:
        author = "JPCERT/CC Incident Response Group"
        hash = "8c198d22b42dc34b2689c12563ec76eb63d0e08c282e29f9648ed87aafe01ee7"
        hash = "538e70eaa3bd3c9dbcff9c1291e40c251585f8164254853d3dd2f11c9c824177"
    strings:
        $quasarstr1 = "Client.exe" wide
        $quasarstr2 = "({0}:{1}:{2})" wide
        $sql1 = "SELECT * FROM Win32_DisplayConfiguration" wide
        $sql2 = "{0}d : {1}h : {2}m : {3}s" wide
        $sql3 = "SELECT * FROM FirewallProduct" wide
        $net1 = "echo DONT CLOSE THIS WINDOW!" wide
        $net2 = "freegeoip.net/xml/" wide
        $net3 = "http://api.ipify.org/" wide
        $resource = { 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 73 00 00 17 69 00 6E 00 66 00 6F 00 72 00 6D 00 61 00 74 00 69 00 6F 00 6E 00 00 }
    condition: ((all of ($quasarstr*) or all of ($sql*)) and $resource) or all of ($net*)
}
"""

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()
        if not data:
            return

        if not any(map(lambda hit: hit.rule.startswith("QuasarRAT"), matches)):
            return
        ret = ExtractorModel(family=self.family)
        ret.category.append(CategoryEnum.rat)

        configuration = self.extract(data)
        if not configuration:
            return None
        ip, port = custom_uri_extraction(configuration.get("c2_server"))
        if ip:
            connection_kwargs = {
                "server_port": port,
                "usage": ConnUsageEnum.c2,
            }
            if check_ip(ip):
                connection_kwargs["server_ip"] = ip
            else:
                connection_kwargs["server_domain"] = ip
            ret.tcp.append(ret.Connection(**connection_kwargs))

        logging.debug(configuration)
        if configuration.get("version"):
            ret.version = configuration.get("version")
        if configuration.get("botnet"):
            ret.campaign_id = configuration.get("botnet")
        ret.mutex = [configuration.get("mutex")]
        ret.campaign_id = [configuration.get("botnet")]
        ret.encryption = [
            Encryption(
                algorithm="AES",
                mode="CBC",
                seed=configuration.get("seed"),
                key=configuration.get("AES_key"),
                usage=Encryption.UsageEnum.config,
            )
        ]
        ret.paths = [
            ExtractorModel.Path(
                path=f"%APPDATA%\\{configuration.get('install_name')}",
                usage=ExtractorModel.Path.UsageEnum.install,
            )
        ]
        ret.registry = [
            ExtractorModel.Registry(
                key=rf"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{configuration.get('startup_key')}",
                usage=ExtractorModel.Registry.UsageEnum.persistence,
            )
        ]
        return ret

    def extract(self, blob: bytes) -> Optional[dict]:
        """main function used to extract QuasarRAT configuration,
        this is based on dnlib"""

        try:
            ext = DotNetQuasarRAT(blob)
            configuration = ext.extract_configuration()
        except Exception as err:
            self.logger.error(
                f"Error occurred during QuasarRAT configuration extraction, error is: {err}"
            )
        else:
            return configuration


class DotNetQuasarRAT:
    """Use another class to ensure all the dotnet stuff is erased properly"""

    def __init__(self, blob: bytes):
        self.blob = blob
        self.module = dnlib.DotNet.ModuleDefMD.Load(blob)
        self.crypto_class = None  # .NET class that contains the crypto function (AES decrypt, key derivation, etc.)
        self.configuration = {
            "version": "",
            "c2_server": "",
            "subdirectory": "",
            "install_name": "",
            "mutex": "",
            "startup_key": "",
            "botnet": "",
            "logs": "",
        }
        self.BLOCK_SIZE = 16

    def extract_configuration(self) -> Dict:
        """main function of the extractor, all the logic goes here"""

        crypto_class = self.search_crypto_class()
        seed = self.search_seed_value(crypto_class)
        logging.debug(f"The seed for PBKF2 key derivation is: {seed.hex()}")
        xref_init = self.search_init_crypt(crypto_class)
        settings = self.search_caller(xref_init[0], xref_init[1])
        logging.debug(f"Settings ref are: {settings[0]}, {settings[1]}")
        settings_class = self.get_class_by_name(settings[0])

        aes_key = self.search_aes_key(settings_class)
        logging.debug(f"AES done: {aes_key}")
        encrypted_configuration = self.extract_all_encrypted_configuration(
            settings_class
        )
        logging.debug(f"extract encrypted configuration : {encrypted_configuration}")
        encrypted_configuration.remove(aes_key)

        plaintexts = []
        for encrypted_string in encrypted_configuration:
            try:
                plaintexts.append(
                    self.decrypt(aes_key, seed, encrypted_string).decode()
                )
            except Exception as er:
                logging.debug(f"error during decryption: {er}")
                logging.error(
                    f"[-] error decrypting {encrypted_string}, error is: {er}"
                )

        self.configuration = dict(zip(self.configuration.keys(), plaintexts))
        self.configuration["AES_key"] = aes_key
        self.configuration["seed"] = seed.hex()
        return self.configuration

    def decrypt(self, key: str, salt: bytes, ciphertext: bytes) -> bytes:
        """QuasarRAT string decryption routine.
        Each obfuscated string is stored in base64; after decoding,
        the blob has this structure:
            - the first 32 bytes are the HMAC of the encrypted part of the string
            - the following 16 bytes are the initialization vector (IV)
            - the remaining bytes are the ciphertext
        """
        ciphertext = base64.b64decode(ciphertext)
        aes_key = PBKDF2(key, salt, 16, 50000)
        cipher = AES.new(aes_key, AES.MODE_CBC, ciphertext[32 : 32 + 16])
        plaintext = cipher.decrypt(ciphertext[48:])
        return unpad(plaintext, self.BLOCK_SIZE)

    def search_crypto_class(self):
        """This function iterates over all classes and methods
        of the module looking for the creation of the AesCryptoServiceProvider
        """

        for mtype in self.module.GetTypes():
            if not mtype.HasMethods:
                continue
            for method in mtype.Methods:
                if not method.HasBody:
                    continue
                if not method.Body.HasInstructions:
                    continue
                if len(method.Body.Instructions) < 20:
                    continue
                for ptr in method.Body.Instructions:
                    # Verify that a crypto provider is constructed
                    if (
                        ptr.OpCode == OpCodes.Newobj
                        and ptr.Operand.FullName
                        == "System.Void System.Security.Cryptography.AesCryptoServiceProvider::.ctor()"
                    ):
                        logging.debug(
                            f"Crypto class found {method.FullName} in {mtype.Name}"
                        )
                        return mtype
        raise ExtractionError(
            "cannot locate crypto class based on `System.Security.Cryptography.AesCryptoServiceProvider::.ctor()`"
        )

    def get_field_from_struct(self, struct_name: str) -> Optional[bytes]:
        """Return, as bytes, the initial value of the field named `struct_name`
        (the RVA-backed static array holding the seed), searching every type of
        the module. Returns None when no such field carries raw data."""

        for typeDef in self.module.Types:
            for field in typeDef.Fields:
                if field.Name == struct_name:
                    logging.debug(f"Found struct: {field.Name}")
                    # Extract raw data
                    if field.HasFieldRVA:
                        return bytes(field.InitialValue)
        return None

    def get_constant_from_class(self, mclass, variable_name: str) -> str:
        """Get the value of the constant `variable_name` assigned in the
        static constructor (.cctor) of the given class `mclass`."""

        for m in mclass.Methods:
            prev_instr = None  # Track previous instruction
            if m.IsStatic and m.Name == ".cctor":
                # Scan the IL instructions to find the constant assignment
                for instr in m.Body.Instructions:
                    if instr.OpCode == OpCodes.Stsfld and instr.Operand is not None:
                        field = instr.Operand
                        if field.Name == variable_name:
                            # Get the previous instruction that loads the constant
                            if prev_instr is not None:
                                if (
                                    prev_instr.OpCode == OpCodes.Ldc_I4
                                ):  # Integer constant
                                    return prev_instr.GetLdcI4Value()
                                elif (
                                    prev_instr.OpCode == OpCodes.Ldc_R4
                                ):  # Float constant
                                    return prev_instr.Operand
                                elif (
                                    prev_instr.OpCode == OpCodes.Ldstr
                                ):  # String constant
                                    return prev_instr.Operand
                    prev_instr = instr

        raise ExtractionError(
            f"failed to read {variable_name} constant from class {mclass.FullName}"
        )

    def extract_all_encrypted_configuration(self, mclass) -> list:
        """Extract the raw encrypted strings of the QuasarRAT Settings
        class; all of them are assigned in the static constructor `.cctor`.
        """

        constants = []
        static_ctor = next(
            (m for m in mclass.Methods if m.IsStatic and m.Name == ".cctor"), None
        )

        if not static_ctor or not static_ctor.HasBody:
            logging.error(
                f"Static constructor (.cctor) not found in class '{mclass.FullName}'."
            )
            return constants

        prev_instr = None  # Track previous instruction
        for instr in static_ctor.Body.Instructions:
            if instr.OpCode == OpCodes.Stsfld and instr.Operand is not None:
                if prev_instr is not None:
                    # Extract the constant value from the previous instruction
                    if prev_instr.OpCode == OpCodes.Ldstr:  # String constant
                        constants.append(prev_instr.Operand)
            prev_instr = instr  # Update previous instruction

        return constants

    def search_seed_value(self, c_crypto) -> bytes:
        """Search the seed value, a constant of the crypto class. It is a static
        byte array and, conveniently, the only constant of the class, so we look
        for the method carrying the static-constructor attribute. Because of the
        way .NET compiles array initializers, the array is built as follows:
            1. in the .cctor of the class a ldtoken (Load Token) instruction loads a token
               defined in another static class within a structure
            2. call void <redacted path> RuntimeHelpers::InitializeArray(<redacted>)
            3. stsfld uint8[] CryptoClass::seed_member (stsfld stands for Store Static Field)
        """

        for i in c_crypto.Fields:
            if i.IsPublic:
                logging.debug(f"found salt variable name: {i.FullName}")
                # dnlib exposes these as the PascalCase properties Constant / InitialValue
                if i.Constant is None and i.InitialValue is None:
                    logging.debug(
                        f"{i.FullName} is a static variable built in the cctor of {c_crypto.Name} class"
                    )

        for m in c_crypto.Methods:
            if m.IsStaticConstructor:
                # the seed is always a byte array -> System.Byte[]
                for instr in m.Body.Instructions:
                    if instr.OpCode.Name == "ldtoken":
                        init_var_name = (
                            instr.Operand.get_Name()
                        )  # <- we get the name of the static field here
                        seed = self.get_field_from_struct(
                            init_var_name
                        )  # <- simply retrieve the structure member value
                        if seed:
                            return seed

        raise ExtractionError("no seed found in the sample")

    def search_caller(self, class_name: str, method_name: str) -> Tuple[str, str]:
        # Iterate over all types in the assembly
        for typeDef in self.module.Types:
            for method in typeDef.Methods:
                if not method.HasBody:
                    continue  # Skip methods without a body

                # Scan IL instructions for calls to class_name::method_name
                for instr in method.Body.Instructions:
                    if instr.OpCode == OpCodes.Call and instr.Operand is not None:
                        if (
                            instr.Operand.Name == method_name
                            and instr.Operand.DeclaringType.Name == class_name
                        ):
                            return typeDef.Name, method.Name

        raise ExtractionError(f"Failed to get {method_name} from {class_name}")

    def search_init_crypt(self, crypto_class) -> Tuple[str, str]:
        """Given the class that performs the cryptographic operations
        (base64 decode, AES decrypt, ...), look for the method that initializes
        the AES key, i.e. the key derivation with PBKDF2. It scans the methods
        until it finds one that calls the Security.Cryptography.Rfc2898DeriveBytes
        object constructor.
        """

        for m in crypto_class.Methods:
            # skip bodiless (abstract/extern) methods and long ones: the key init is short
            if not m.HasBody or len(m.Body.Instructions) > 30:
                continue
            for instr in m.Body.Instructions:
                if (
                    instr.OpCode == OpCodes.Newobj
                    and instr.Operand.FullName.startswith(
                        "System.Void System.Security.Cryptography.Rfc2898DeriveBytes::.ctor("
                    )
                ):
                    logging.debug(
                        f"method {m.FullName} call the Cryptography.Rfc2898DeriveBytes function {instr.Operand.FullName}"
                    )
                    xref_crypto_init_class_method = (crypto_class.FullName, str(m.Name))
                    return xref_crypto_init_class_method

        raise ExtractionError(
            "no ref to System.Void System.Security.Cryptography.Rfc2898DeriveBytes::.ctor found, cannot extract init crypto class caller "
        )

    def get_class_by_name(self, target_class: str):
        """Simply iterate over all the classes of the module until
        the class with the given full name is found"""

        for mtype in self.module.GetTypes():
            if mtype.FullName == target_class:
                return mtype

    def search_aes_key(self, mclass) -> str:
        """The Initialize method of the Settings class performs several
        calls; the one we want passes the AES key to the key-derivation
        function. To find it, this method counts how many times each callee
        is invoked inside every method of the class and then looks, among the
        single-argument calls, for the static field that is loaded exactly once."""

        for m in mclass.Methods:
            if not m.HasBody:
                continue  # abstract/extern methods have no IL to scan
            ldsfld, calls = 0, defaultdict(int)
            for instr in m.Body.Instructions:
                if instr.OpCode == OpCodes.Ldsfld:
                    ldsfld += 1
                elif instr.OpCode == OpCodes.Call:
                    calls[str(instr.Operand.Name)] += 1
            if any(filter(lambda x: x > 2, calls.values())):
                # Here we search the function that initialize the AES key (PBKF2)
                # There is only one call to this function and the only arg is the
                # ref token to the AES key that is going to be derived
                callers = self.get_func_parameter(m)
                counting = [n for v in callers.values() for n in v]
                values_counting = Counter(counting)
                unique = {
                    num
                    for values in callers.values()
                    if all(values_counting[n] == 1 for n in values)
                    for num in values
                }

                if not unique:
                    continue  # no uniquely-loaded field in this method, try the next one
                AES_key_variable = unique.pop()
                logging.debug(f"The AES key is located in {AES_key_variable.FullName}")
                aes_key = self.get_constant_from_class(mclass, AES_key_variable.Name)
                logging.debug(f"The AES key value is: {aes_key}")
                return aes_key

        raise ExtractionError("no AES key found")

    def get_func_parameter(self, method) -> defaultdict:
        """This only works in this context, where the called functions take exactly ONE parameter"""

        is_call = None
        callers_with_args = defaultdict(list)

        reversed_instructions = list(method.Body.Instructions)[::-1]

        # read the function's instructions backward: the instructions
        # that pass the argument are executed before the call, so we
        # need to know which function is called before saving the
        # argument

        # this technique only works because here the functions
        # take exactly ONE parameter
        for instr in reversed_instructions:
            if instr.OpCode == OpCodes.Call:
                is_call = instr.Operand
            if instr.OpCode == OpCodes.Ldsfld and is_call:
                callers_with_args[is_call].append(instr.Operand)
                logging.debug(f"{is_call} args: {instr.Operand}")
                is_call = None
        return callers_with_args


if __name__ == "__main__":
    # Here is a version that does not need the AL4 context to extract the QuasarRAT configuration
    # be careful: it does not test any YARA rule on the submitted sample
    import argparse

    parser = argparse.ArgumentParser("QuasarRAT extractor")
    parser.add_argument(
        "-f",
        "--file",
        type=argparse.FileType("rb"),
        help="Path to the QuasarRAT sample",
        required=True,
    )
    args = parser.parse_args()
    blob = args.file.read()

    ext = DotNetQuasarRAT(blob)
    configuration = ext.extract_configuration()
    print(configuration)


================================================
FILE: Configuration_extractors/README.md
================================================
# Configuration_Extractors

## Description
This repo contains various Python scripts for extracting malware configurations, written primarily for AssemblyLine4 (AL4) and its meta-service [ConfigExtractor](https://github.com/CybercentreCanada/assemblyline-service-configextractor).

## Usage
Natively, this repo is used by the AL4 configuration extraction service, but the scripts can also be run from the CLI or from other Python scripts without AL4 via [configextractor-py](https://github.com/CybercentreCanada/configextractor-py): `cx </path/to/extractor_dir> </path/to/samples>`.

## Test
To test the extractors, we used the hashes contained in the YARA rules of each extractor.

## References
- [Advent of Configuration Extraction – Part 1: Pipeline Overview – First Steps with Kaiji Configuration Unboxing](https://blog.sekoia.io/advent-of-configuration-extraction-part-1-pipeline-overview-first-steps-with-kaiji-configuration-unboxing/)
- [Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration](https://blog.sekoia.io/advent-of-configuration-extraction-part-2-unwrapping-quasarrats-configuration/)
- [Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader](https://blog.sekoia.io/advent-of-configuration-extraction-part-3-mapping-got-plt-and-disassembling-the-snowlight-loader/)
- [Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant](https://blog.sekoia.io/advent-of-configuration-extraction-part-4-turning-capa-into-a-configuration-extractor-for-tinyshell-variant/)


================================================
FILE: Configuration_extractors/SNOWLIGHT.py
================================================
import re
import socket
import logging
from io import BytesIO
from typing import List, Optional
from collections import namedtuple
from ipaddress import IPv4Address, AddressValueError

from maco import yara
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum

import lief
from lief import ELF
from capstone import Cs, CsInsn, CS_ARCH_X86, CS_MODE_64
from capstone.x86_const import (
    X86_INS_CALL,
    X86_INS_RET,
    X86_OP_IMM,
)

REG_MAGIC = re.compile(rb"(l|a)(32|64)")

CommandAndControl = namedtuple("CommandAndControl", ["address", "port", "magic"])


def check_ip(ip: str) -> bool:
    """
    Use the built-in library ipaddress to
    validate that the provided parameter `ip`
    is a valid IPv4 address
    """
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False
    else:
        return True


class SNOWLIGHTDisassembler:
    """
    Capstone-based disassembler configured for the SNOWLIGHT downloader (ELF)
    """

    def __init__(self, malware_raw_content: bytes):
        self.malware_raw_content: bytes = malware_raw_content
        self.elf: Optional[ELF.Binary] = None
        self.got_map = {}
        self.plt_map = {}
        self.ro_data: List[bytearray] = []

    def setup(self):
        self.elf = lief.parse(self.malware_raw_content)
        self.manage_gotplt()
        self.parse_rodata()

    def parse_rodata(self):
        """The C2 is stored at the end of the rodata"""

        for sec in self.elf.sections:
            if sec.fullname.startswith(b".rodata"):
                logging.debug(
                    f"found read only data section @ 0x{sec.virtual_address:x}"
                )
                ro_data = bytearray(sec.content)
                self.ro_data = list(
                    filter(lambda x: x, ro_data.split(b"\x00"))
                )  # treat the NUL-separated data as strings

    def extract_c2_from_rodata(self) -> Optional[bytes]:
        for data in self.ro_data:
            try:
                if check_ip(data.decode()):
                    return data
            except Exception:
                pass

        # if no c2 found this is probably a domain
        # by default it is stored after the [kworker/0:2] string
        for idx, data in enumerate(self.ro_data):
            if data == b"[kworker/0:2]":
                return self.ro_data[idx + 1]

    def extract_magic_from_ro_data(self) -> Optional[bytes]:
        """The SNOWLIGHT magic is sent to the C2 to ask for the next payload;
        it identifies the type of infected machine:
        - `l64` means Intel arch, 64-bit processor
        - `l32` means Intel arch, 32-bit processor
        - `a32` means ARM arch, 32-bit processor
        - `a64` means ARM arch, 64-bit processor
        """

        for match in map(REG_MAGIC.match, self.ro_data):
            if match:
                return match.string

    def get_main_raw_data(self):
        """Search for the main function among the exported functions.
        Raises a ValueError if `main` is not found; otherwise returns its
        content as raw bytes together with its virtual address"""

        main_addr: int = 0
        for exp in self.elf.exported_functions:
            if "main" in exp.name:
                main_addr = exp.address

        if main_addr == 0:
            raise ValueError("main function not found")

        sec = self.elf.section_from_virtual_address(main_addr)
        base = sec.virtual_address
        offset = main_addr - base
        data = bytearray(sec.content)

        chunk = data[offset:]
        return chunk, main_addr

    def disasm_buffer(self, buf, offset) -> List[CsInsn]:
        """Disassemble a given buffer of a x86_64 architecture
        and return a list of instructions"""

        md = Cs(CS_ARCH_X86, CS_MODE_64)
        md.detail = True

        instructions = []
        for insn in md.disasm(bytes(buf), offset):
            instructions.append(insn)
            # stop at RET
            if insn.id == X86_INS_RET:
                logging.debug("Hit RET, stopping disassembly main function.")
                break
        return instructions

    def manage_gotplt(self):
        """
        Resolve the .got.plt relocations to retrieve the symbol names, so that
        the disassembly can tell which imported functions are called (for SNOWLIGHT
        we need to resolve `gethostbyname` to extract the TCP port of the payload).
         1. Build a map of GOT slot => symbol.name for JUMP_SLOT relocs
         2. Build a map of PLT entry => symbol.name (for direct PLT calls)
        """

        # LIEF exposes the PLT-GOT relocations via `elf.pltgot_relocations`
        for rel in self.elf.pltgot_relocations:
            # rel.address is the VA of the GOT slot that will be patched
            symname = rel.symbol.name if rel.symbol else "<no-name>"
            self.got_map[rel.address] = symname

        plt_sec = self.elf.get_section(".plt")
        if plt_sec and len(self.elf.pltgot_relocations) > 0:
            plt_va = plt_sec.virtual_address
            plt_size = plt_sec.size
            # On x86_64 the first entry (.plt0) is 16 bytes, the rest are each 16 bytes
            PLT0_SZ = 16
            nentries = len(self.elf.pltgot_relocations)
            entry_sz = (plt_size - PLT0_SZ) // nentries

            for idx, rel in enumerate(self.elf.pltgot_relocations):
                entry_addr = plt_va + PLT0_SZ + idx * entry_sz
                self.plt_map[entry_addr] = rel.symbol.name if rel.symbol else "<no-name>"

    def run(self) -> Optional[CommandAndControl]:
        """Run the disassembler to extract the command and control:
        1. extract the C2 address from the rodata section
        2. extract the raw bytes of the main function
        3. resolve the .got.plt sections to identify the required imported function
        4. extract the port immediate stored just before the gethostbyname call
        """

        port: int = 0
        c2: Optional[bytes] = b""
        magic: Optional[bytes] = b""  # the magic is the broadcasted data to the c2
        main, offset = self.get_main_raw_data()
        instructions = self.disasm_buffer(main, offset)
        c2 = self.extract_c2_from_rodata()
        magic = self.extract_magic_from_ro_data()
        if not c2 or not magic:
            return

        for idx, insn in enumerate(instructions):
            logging.debug(f"0x{insn.address:08x}:\t{insn.mnemonic}\t{insn.op_str}")

            if insn.id == X86_INS_CALL:
                op = insn.operands[0]
                if op.type == X86_OP_IMM:
                    tgt = op.imm
                    sym = self.plt_map.get(tgt)
                    if sym:
                        logging.debug(
                            f"0x{insn.address:08x}: call  0x{tgt:08x} <{sym}@plt>"
                        )
                        if sym.startswith("gethostbyname"):
                            # now retrieve the port: the instruction just before
                            # the call stores sockaddr_in->sin_port as an immediate
                            ops = instructions[idx - 1].operands
                            if len(ops) == 2 and ops[1].type == X86_OP_IMM:
                                imm = ops[1].imm
                                port = socket.htons(imm)
                                logging.debug(f"found SNOWLIGHT tcp port: {port}")
                                return CommandAndControl(c2, port, magic)


class SNOWLIGHT(Extractor):
    author = "Sekoia.io"
    last_modified = "28-08-2025"
    category = [CategoryEnum.downloader]
    family = "SNOWLIGHT"
    yara_rule = """
import "elf"
rule SNOWLIGHT {
    meta:
       author = "Sekoia IO"
       malware = "SNOWLIGHT"
       intrusion_set = "UNC5174"
       description = "Detect SNOWLIGHT ELF downloader based on broadcasted string and file checker"
    strings:
        $s_1 = "/tmp/log_de.log"
        $s_2 = "[kworker/0:2]"
        $dl_arch = { (6c | 61) ( 36 34 | 33 32 ) } // string for arch l32 or l64 for intel arch and a32 or a64 for ARM
        $elf_magic = { 7F 45 4C 46 }
    condition:
        1 of ($s_*) and $dl_arch and $elf_magic at 0 and filesize<20KB and elf.machine == elf.EM_X86_64
}
"""

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if any(filter(lambda hit: hit.rule.startswith("SNOWLIGHT"), matches)):
            ret = ExtractorModel(
                family=self.family, version="Linux", category=self.category
            )

            try:
                c2: Optional[CommandAndControl] = None
                disass = SNOWLIGHTDisassembler(data)
                disass.setup()
                c2 = disass.run()
                if c2:
                    connection_kwargs = {
                        "server_port": c2.port,
                        "usage": ConnUsageEnum.c2,
                    }
                    if check_ip(c2.address.decode()):
                        connection_kwargs["server_ip"] = c2.address.decode()
                    else:
                        connection_kwargs["server_domain"] = c2.address.decode()
                    ret.tcp.append(ret.Connection(**connection_kwargs))
                    ret.other = {"magic": c2.magic.decode()}
                else:
                    return None
            except Exception as err:
                logging.error(f"failed to disass, error: {err}")
            else:
                logging.info("extraction ended successfully")
                return ret
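The C2 recovery that `SNOWLIGHTDisassembler` performs on `.rodata` and on the `sin_port` immediate, reproduced below as an added stand-alone example that is not part of the repository (no lief or capstone needed). The rodata blobs, the `0x5C11` immediate and all function names are this example's own constructed values.

```python
import re
from ipaddress import IPv4Address, AddressValueError
from typing import Dict, List, NamedTuple, Optional

# Constructed stand-ins for a SNOWLIGHT .rodata section (NUL-separated C
# strings). Not taken from a real sample: the host name and the address are
# documentation/example values.
FAKE_RODATA_DOMAIN = (
    b"/tmp/log_de.log\x00[kworker/0:2]\x00c2.example.invalid\x00l64\x00%s/%s\x00"
)
FAKE_RODATA_IP = b"/tmp/log_de.log\x00[kworker/0:2]\x00192.0.2.10\x00a32\x00"

# Constructed immediate: what a compiler emits for `sin_port = htons(4444)`.
FAKE_SIN_PORT_IMM = 0x5C11

# The arch token is exactly three bytes: l/a for Intel/ARM, then 32 or 64.
ARCH_MAGIC = re.compile(rb"[la](32|64)")


class CommandAndControl(NamedTuple):
    address: str
    port: int
    magic: str


def split_rodata(section: bytes) -> List[bytes]:
    """Treat .rodata as a sequence of NUL-terminated strings, dropping empties."""
    return [s for s in section.split(b"\x00") if s]


def is_ipv4(text: str) -> bool:
    try:
        IPv4Address(text)
    except AddressValueError:
        return False
    return True


def extract_c2_host(strings: List[bytes]) -> Optional[str]:
    """Rule 1: the first dotted-quad wins. Rule 2: otherwise the C2 is a domain
    and sits right after the "[kworker/0:2]" process-name disguise."""
    for s in strings:
        try:
            text = s.decode("ascii")
        except UnicodeDecodeError:
            continue
        if is_ipv4(text):
            return text
    for idx, s in enumerate(strings[:-1]):
        if s == b"[kworker/0:2]":
            return strings[idx + 1].decode("ascii", errors="replace")
    return None


def extract_magic(strings: List[bytes]) -> Optional[str]:
    for s in strings:
        if ARCH_MAGIC.fullmatch(s):
            return s.decode("ascii")
    return None


def port_from_sin_port_immediate(imm: int) -> int:
    """sockaddr_in.sin_port is big-endian in memory, so the compiler stores an
    already byte-swapped constant; swapping the two bytes back yields the port.
    (The extractor uses socket.htons(), the same swap on little-endian hosts.)"""
    if not 0 <= imm <= 0xFFFF:
        raise ValueError(f"sin_port immediate out of range: {imm:#x}")
    return int.from_bytes(imm.to_bytes(2, "little"), "big")


def extract(rodata: bytes, sin_port_imm: int) -> Optional[CommandAndControl]:
    strings = split_rodata(rodata)
    host = extract_c2_host(strings)
    magic = extract_magic(strings)
    if host is None or magic is None:
        return None  # same bail-out as the extractor: no partial results
    return CommandAndControl(host, port_from_sin_port_immediate(sin_port_imm), magic)


def connection_fields(c2: CommandAndControl) -> Dict[str, object]:
    """Shape the result the way the extractor feeds ExtractorModel.Connection:
    an IP goes to server_ip, anything else to server_domain."""
    fields: Dict[str, object] = {"server_port": c2.port, "usage": "c2"}
    fields["server_ip" if is_ipv4(c2.address) else "server_domain"] = c2.address
    return fields


if __name__ == "__main__":
    for blob in (FAKE_RODATA_IP, FAKE_RODATA_DOMAIN):
        print(extract(blob, FAKE_SIN_PORT_IMM))
```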


================================================
FILE: Configuration_extractors/TShVariant.py
================================================
import logging
import textwrap
import tempfile
from io import BytesIO
from typing import List, Optional
from pathlib import Path
from collections import defaultdict
from collections import namedtuple
from ipaddress import IPv4Address, AddressValueError

from maco import yara
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum

import lief
import capa.main
import capa.rules
import capa.loader
import capa.engine
import capa.features.common
import capa.features.address
import capa.capabilities.common  # provides find_capabilities used below
from capstone import Cs, CS_ARCH_X86, CS_MODE_64, CsInsn
from capstone.x86_const import X86_INS_CALL, X86_OP_IMM, X86_INS_MOV, X86_OP_MEM
from malduck import rc4

CommandAndControl = namedtuple("CommandAndControl", ["address", "port", "rc4_key"])


def check_ip(ip: str) -> bool:
    """
    Use the built-in library ipaddress to
    validate that the provided parameter `ip`
    is a valid IPv4 address
    """
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False
    else:
        return True


class TShVariantDecompiler:

    rc4_capa_rules = [
        capa.rules.Rule.from_yaml(
            textwrap.dedent(
                """
rule:
  meta:
    name: contain loop
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: unsupported  # requires characteristic features
    examples:
      - 08AC667C65D36D6542917655571E61C8:0x406EAA
  features:
    - or:
      - characteristic: loop
      - characteristic: tight loop
      - characteristic: recursive call
"""
            )
        ),
        capa.rules.Rule.from_yaml(
            textwrap.dedent(
                """
rule:
  meta:
    name: encrypt data using RC4 PRGA
    namespace: data-manipulation/encryption/rc4
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: unsupported
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Encrypt Data::RC4 [C0027.009]
      - Cryptography::Generate Pseudo-random Sequence::RC4 PRGA [C0021.004]
    examples:
      - 34404A3FB9804977C6AB86CB991FB130:0x403DB0
      - 34404A3FB9804977C6AB86CB991FB130:0x403E50
      - 9324D1A8AE37A36AE560C37448C9705A:0x4049F0
      - 73CE04892E5F39EC82B00C02FC04C70F:0x4064C6
  features:
    - and:
      # TODO: maybe add characteristic for nzxor reg size
      - count(characteristic(nzxor)): 1
      - or:
        - match: calculate modulo 256 via x86 assembly
        # compiler may do this via zero-extended mov from 8-bit register
        - count(mnemonic(movzx)): 4 or more
      # should not call (many) functions
      - count(characteristic(calls from)): (0, 4)
      # should not be too simple or too complex (50 is picked by intuition)
      - count(basic blocks): (4, 50)
      - match: contain loop
      - optional:
        - or:
          - number: 0xFF
          - number: 0x100
    """
            )
        ),
        capa.rules.Rule.from_yaml(
            textwrap.dedent(
                """
rule:
  meta:
    name: calculate modulo 256 via x86 assembly
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: instruction
      dynamic: unsupported  # requires mnemonic features
    mbc:
      - Data::Modulo [C0058]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x4049A9
  features:
    #  and ecx, 800000FFh
    #  and ecx, 0FFh
    - and:
      - or:
        - arch: i386
        - arch: amd64
      - mnemonic: and
      - or:
        - number: 0x800000FF
        - number: 0xFF
        """
            )
        ),
    ]

    def __init__(self, path):
        self.path: str = path
        self.elf: Optional[lief.ELF.Binary] = None
        self.text: Optional[lief.ELF.Section] = None
        self.instructions: List[CsInsn] = []
        self.rc4_function_address: int = 0
        self.rc4_key: bytes = b""
        self.blobs: List[bytes] = []
        self.rules = capa.rules.RuleSet(self.rc4_capa_rules)
        self.command_and_control: Optional[CommandAndControl] = None

    def decompile(self):
        """Build the list of instructions with the Capstone engine,
        using LIEF to locate the .text section in the ELF structure"""

        md = Cs(CS_ARCH_X86, CS_MODE_64)
        md.detail = True

        self.elf = lief.ELF.parse(self.path)
        self.text = self.elf.get_section(".text")

        if not self.text:
            return

        # LIEF returns the content as a memoryview, Capstone expects bytes
        for insn in md.disasm(bytes(self.text.content), self.elf.imagebase + self.text.offset):
            self.instructions.append(insn)

    def search_rc4_function(self):
        """Search the address of the RC4 encryption function using the capa library"""

        extractor = capa.loader.get_extractor(
            Path(self.path),
            "auto",
            "auto",
            capa.main.BACKEND_VIV,
            [],
            should_save_workspace=False,
            disable_progress=True,
        )

        capabilities = capa.capabilities.common.find_capabilities(
            self.rules, extractor, disable_progress=True
        )
        meta = capa.loader.collect_metadata(
            [], Path(self.path), "auto", "auto", [], extractor, capabilities
        )
        meta.analysis.layout = capa.loader.compute_layout(
            self.rules, extractor, capabilities.matches
        )

        for name, value in capabilities.matches.items():
            if name == "encrypt data using RC4 PRGA":
                for match in value:
                    self.rc4_function_address = match[0]

    def search_rc4_key(self):
        """Search the RC4 key. The key is a stack string, so the strategy is to
        find the x-refs to the RC4 function and look for a stack-string
        construction in the instructions preceding each decryption call"""

        potential_rc4_keys = defaultdict(bytes)

        for offset, insn in enumerate(self.instructions):
            if insn.id == X86_INS_CALL:
                if (
                    insn.operands[0].type == X86_OP_IMM
                    and insn.operands[0].imm == self.rc4_function_address
                ):
                    # this is the equivalent of searching for x-refs to the RC4 function
                    for index, prev in enumerate(self.instructions[offset::-1]):
                        if prev.id == X86_INS_MOV:
                            if len(prev.operands) != 2:
                                continue
                            op1, op2 = prev.operands
                            if op1.type == X86_OP_MEM and op2.type == X86_OP_IMM:
                                if op2.imm >= 0 and op2.imm <= 255:
                                    # ensure it is a plausible key byte (imm8 store)
                                    potential_rc4_keys[
                                        op1.mem.base
                                    ] += op2.imm.to_bytes(1, "little")
                        if index > 50:
                            # purely arbitrary look-back window, large enough to cover the RC4 key construction
                            break
                    if any(
                        map(
                            lambda x: x.startswith(b"\x00"), potential_rc4_keys.values()
                        )
                    ):
                        # we already found a key, no need to re-analyze another RC4 call
                        break

        for candidate in potential_rc4_keys.values():
            if candidate.startswith(b"\x00"):
                self.rc4_key = candidate[::-1].rstrip(b"\x00")
                logging.debug(f"found the RC4 key: {self.rc4_key}")
                break

    def extract_encrypted_blobs(self):
        """
        Extract the encrypted blobs into a list.
        The blobs are the first argument of the RC4 function; their
        addresses are pushed on the stack using a mov instruction with
        a direct address: mov [ebp + offset], 0x<addr>
        In the memory layout, the size of the blob is stored two bytes
        before the encrypted blob (i.e. size_addr = mov_dst.imm - 2)
        """

        data = self.elf.get_section(".data")
        for d in filter(lambda x: len(x) > 5, data.content.tobytes().split(b"\x00")):
            self.blobs.append(d)

    def extract_c2(self):
        """Search the decrypted blobs for the C2; when found, set self.command_and_control"""

        for blob in self.blobs:
            cleartext = rc4(self.rc4_key, blob)
            data = cleartext.split(b";")
            if len(data) > 0:
                try:
                    data = data[0].decode()
                    data = data.split(":")
                    if len(data) > 1:
                        self.command_and_control = CommandAndControl(
                            address=data[0], port=data[1], rc4_key=self.rc4_key
                        )
                        break
                except Exception:
                    pass


class TShVariant(Extractor):

    author: str = "Sekoia.io"
    last_modified = "09-09-2025"
    category = [CategoryEnum.rat]
    family = "TShVariant"
    yara_rule = r"""rule TShVariant  {
    meta:
        malware = "TShVariant"
        description = "Detects TSH via the PEL challenge hardcoded key"
        source = "Sekoia.io"
        hash = "14f9a20356fc0e1806524057e8366d994831e3568cf438694a5c4d5463c25010"
    strings:
        $ = { 58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D }
    condition:
        uint32be(0) == 0x7f454c46 and
        filesize < 10MB and
        all of them
}"""

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if any(filter(lambda hit: hit.rule.startswith("TShVariant"), matches)):
            ret = ExtractorModel(family=self.family, category=self.category)

            with tempfile.NamedTemporaryFile() as fd:
                fd.write(data)
                # the decompiler reopens the file by name, so the buffered
                # bytes must reach the disk before it is handed over
                fd.flush()

                try:
                    decompiler = TShVariantDecompiler(fd.name)
                    decompiler.decompile()
                    decompiler.search_rc4_function()
                    decompiler.search_rc4_key()
                    decompiler.extract_encrypted_blobs()
                    decompiler.extract_c2()
                except Exception as err:
                    logging.error(
                        f"failed to work with TShVariant decompiler to extract c2, error: {err}"
                    )
                else:
                    if decompiler.command_and_control:
                        connection_kwargs = {
                            "server_port": decompiler.command_and_control.port,
                            "usage": ConnUsageEnum.c2,
                        }

                        if check_ip(decompiler.command_and_control.address):
                            connection_kwargs["server_ip"] = (
                                decompiler.command_and_control.address
                            )
                        else:
                            connection_kwargs["server_domain"] = (
                                decompiler.command_and_control.address
                            )

                        ret.tcp.append(ret.Connection(**connection_kwargs))
                        return ret
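
The `extract_encrypted_blobs` / `extract_c2` pair above relies on an `rc4` helper that is defined elsewhere in TShVariant.py and is not part of this excerpt. As an added example (not code from the SEKOIA-IO repository), the block below shows the same decrypt-and-parse step end to end with a textbook RC4 implementation, tightens the acceptance test to a valid IPv4 address or hostname plus a port in 1..65535 (the page's version accepts any first field containing a colon), and reproduces the key reconstruction that reverses the bytes gathered by the backwards instruction walk. `KEY` and `BLOBS` are constructed fixtures, not values from a real sample; the decoy blob stands in for the unrelated NUL-separated chunks that the `.data` split produces.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 1123-style hostname: labels of 1..63 alnum/hyphen chars, at least one dot
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$", re.I
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); stands in for the page's rc4() helper, which is
    defined outside this excerpt."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rebuild_key(collected: bytes) -> bytes:
    """The disassembly walk gathers `mov [base+off], imm8` bytes backwards and stops at
    the key's NUL terminator, so the collected buffer is reversed and the NUL stripped."""
    return collected[::-1].rstrip(b"\x00")


def parse_c2_field(cleartext: bytes) -> Optional[Tuple[str, int]]:
    """Accept only `<ipv4-or-hostname>:<1..65535>` in the first `;`-separated field;
    anything else (binary garbage from a wrong key, a bare path, ...) is rejected."""
    try:
        first = cleartext.split(b";")[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    host, sep, port = first.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            return None
    return host, int(port)


def find_c2(key: bytes, blobs: List[bytes]) -> Optional[Tuple[str, int]]:
    """Decrypt every candidate blob and return the first one that parses as a C2."""
    for blob in blobs:
        c2 = parse_c2_field(rc4(key, blob))
        if c2:
            return c2
    return None


# Constructed fixture (not from a real sample): the key as the backwards walk would
# collect it, a decoy blob encrypted under another key, then the real config blob.
KEY = rebuild_key(b"\x00" + b"s3cr3t"[::-1])
BLOBS = [
    rc4(b"otherkey", b"/usr/bin/xxx;nothing"),
    rc4(KEY, b"203.0.113.10:8443;1;0;tsh-session"),
]

if __name__ == "__main__":
    print(find_c2(KEY, BLOBS))  # ('203.0.113.10', 8443)
```

Running the block against a real sample means replacing `BLOBS` with the NUL-split `.data` chunks and `KEY` with the bytes recovered by `search_rc4_key`; the strict `parse_c2_field` is what keeps a wrong or truncated key from being reported as a C2.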


================================================
FILE: Configuration_extractors/XWorm.py
================================================
import logging
import os

import clr

clr.AddReference("System.Memory")

MODULES_DIR_PATH = os.path.dirname(os.path.realpath(__file__))
DNLIB_PATH = os.path.join(MODULES_DIR_PATH, "dnlib.dll")
clr.AddReference(DNLIB_PATH)

import dnlib
from dnlib.DotNet import ModuleDef, ModuleDefMD
from dnlib.DotNet.Emit import OpCodes

from typing import Dict, List, Optional
from io import BytesIO
from maco.extractor import Extractor
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco.model import ExtractorModel
from maco import yara
from ipaddress import IPv4Address, AddressValueError
import base64
import hashlib
from Crypto.Cipher import AES


def is_base64(s: str) -> bool:
    """
    Try to decode b64 str to check if it's a valid b64 string or not
    """
    try:
        decoded = base64.b64decode(s, validate=True)
    except Exception:
        return False
    else:
        return True


def check_ip(ip: str) -> bool:
    """
    Use the built-in library ipaddress to
    validate that the provided parameter `ip`
    is a valid IPv4 address
    """
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False
    else:
        return True


def pkcs7_unpad(data: bytes) -> bytes:
    """
    Lenient PKCS#7 unpadding: when the padding is malformed the input is returned
    unchanged rather than raising, so a wrong mutex yields garbage instead of an
    error and callers must validate what they get back.
    """
    if not data:
        return data
    pad_len = data[-1]
    if pad_len < 1 or pad_len > AES.block_size:
        return data
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        return data
    return data[:-pad_len]


def decrypt_config(b64_input: str, mutex: str) -> str:
    """
    XWorm derives its AES-256 key from the MD5 of the mutex string: the 16-byte
    digest is copied to key[0:16] and again to key[15:31], so byte 15 holds md5[0]
    a second time and byte 31 stays 0x00. That overlap is the malware's own key
    layout and must be reproduced exactly; a "clean" 32-byte key would not
    decrypt anything. The fields are encrypted with AES in ECB mode.
    """
    md5 = hashlib.md5(mutex.encode("utf-8")).digest()  # 16 bytes
    key = bytearray(32)
    key[0:16] = md5[0:16]
    key[15 : 15 + 16] = md5[0:16]
    key_bytes = bytes(key)
    cipher = AES.new(key_bytes, AES.MODE_ECB)

    try:
        ciphertext = base64.b64decode(b64_input)
    except Exception as e:
        raise ValueError("input is not valid base64") from e

    plaintext_padded = cipher.decrypt(ciphertext)
    plaintext = pkcs7_unpad(plaintext_padded)

    return plaintext.decode("utf-8", errors="ignore")


def extract_setting_obfuscated(data: bytes) -> Optional[Dict[str, str]]:
    try:
        modctx = ModuleDef.CreateModuleContext()
        module = dnlib.DotNet.ModuleDefMD.Load(data, modctx)
        config = {}
        counter = 1
        for type in module.GetTypes():
            for method in type.Methods:
                if method.Name == ".cctor":
                    instructions = list(method.Body.Instructions)
                    for inst_1, inst_2 in zip(instructions, instructions[1:]):
                        if (
                            inst_1.OpCode == OpCodes.Ldstr
                            and inst_2.OpCode == OpCodes.Stsfld
                        ):
                            config[f"val{counter}"] = inst_1.Operand
                            counter += 1

        valid = all(is_base64(config.get(f"val{i}")) for i in range(1, 6))

        if valid:
            mutex_key = None
            rename_map = {
                "val1": "Hosts",
                "val2": "Port",
                "val3": "KEY",
                "val4": "SPL",
                "val5": "Groub",
                "val6": "USBNM",
            }
            for old_key, new_key in rename_map.items():
                if old_key in config:
                    config[new_key] = config.pop(old_key)

            for k, v in config.items():
                if k.startswith("val"):
                    try:
                        port = int(decrypt_config(config["Port"], v))
                    except ValueError:
                        continue
                    else:
                        mutex_key = k
                        break
            if mutex_key:
                config["Mutex"] = config.pop(mutex_key)

    except Exception as e:
        logging.error(f"error in extract_setting_obfuscated: {e}")
    else:
        return config


def extract_setting(data: bytes) -> Optional[Dict[str, str]]:
    try:
        modctx = ModuleDef.CreateModuleContext()
        module = dnlib.DotNet.ModuleDefMD.Load(data, modctx)
        config = {
            "Hosts": None,
            "Host": None,
            "Port": None,
            "KEY": None,
            "SPL": None,
            "Groub": None,
            "USBNM": None,
            "Mutex": None,
        }
        for type in module.GetTypes():
            if type.Name == "Settings":
                for method in type.Methods:
                    if method.Name == ".cctor":
                        instructions = list(method.Body.Instructions)
                        for inst_1, inst_2 in zip(instructions, instructions[1:]):
                            if (
                                inst_1.OpCode == OpCodes.Ldstr
                                and inst_2.OpCode == OpCodes.Stsfld
                            ):
                                field_name = str(inst_2.Operand.Name)
                                if field_name in config:
                                    config[field_name] = str(inst_1.Operand)
    except Exception as e:
        logging.error(f"error in extract_setting: {e}")
    else:
        return config


class XWorm(Extractor):

    family = "XWorm"
    author = "Sekoia.io"
    last_modified = "17-09-2025"
    category = [CategoryEnum.rat, CategoryEnum.worm]
    yara_rule = """
    rule XWorm_rat_win_v3
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "XWorm"
            creation_date = "2023-03-03"
            modification_date = "2025-09-17"
            description = "Finds XWorm (version XClient, v3) samples based on characteristic strings"
            hash = "d79f03dc9477b771155094418098cd3e"
            hash = "ba3b86175802fc73758ccde22e32d257"
            hash = "3b6564a9815b70bc7f269ea43539ea48"
            hash = "bb4ee0fe0c417f63a076fdc296a4f4f4"
            hash = "0f2d2d370d98f21b193a5bcfc6c78b9a"
            hash = "2f1fae087c76a26dff9cbcd0109a922a"
        strings:
            $str01 = "$VB$Local_Port" ascii
            $str02 = "$VB$Local_Host" ascii
            $str03 = "get_Jpeg" ascii
            $str04 = "get_servicePack" ascii
            $str05 = "Select * from AntivirusProduct" wide
            $str06 = "PCRestart" wide
            $str07 = "shutdown.exe /f /r /t 0" wide
            $str08 = "StopReport" wide
            $str09 = "StopDDos" wide
            $str10 = "sendPlugin" wide
            $str11 = "OfflineKeylogger Not Enabled" wide
            $str12 = "-ExecutionPolicy Bypass -File \\"" wide
            $str13 = "Content-length: 5235" wide
            $crypt01 = "RijndaelManaged" ascii
            $crypt02 = "ICryptoTransform" ascii
            $crypt03 = "System.Security.Cryptography"
            $crypt04 = "SymmetricAlgorithm"
        condition:
            uint16be(0) == 0x4d5a and 8 of ($str*) and all of ($crypt*)
    }
    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if not any(hit.rule.startswith("XWorm_rat_win") for hit in matches):
            return None

        try:
            settings = extract_setting(data) or {}
            if not settings.get("Mutex"):
                # the Settings class was renamed or its fields obfuscated:
                # fall back to the positional heuristic
                settings = extract_setting_obfuscated(data) or {}

            mutex, hosts, port = (
                settings.get("Mutex"),
                settings.get("Hosts"),
                settings.get("Port"),
            )

            if not (mutex and hosts and port):
                logging.error("no C2 extraction")
                return None
            decod_c2 = decrypt_config(hosts, mutex)
            decod_port = decrypt_config(port, mutex)

            ret = ExtractorModel(
                family=self.family, version="Windows", category=self.category
            )
            ret.mutex = [mutex]

            # one fresh kwargs dict per host: reusing a single dict would carry a
            # server_ip from an earlier IP entry over into a later domain entry
            for c2 in decod_c2.split(","):
                c2 = c2.strip()
                if not c2:
                    continue
                conn_kwargs = {"server_port": decod_port, "usage": ConnUsageEnum.c2}
                if check_ip(c2):
                    conn_kwargs["server_ip"] = c2
                else:
                    conn_kwargs["server_domain"] = c2
                ret.tcp.append(ret.Connection(**conn_kwargs))

            mappings = [
                ("KEY", "Clear Aes Key"),
                ("SPL", "Separator field"),
                ("Groub", "Version"),
                ("USBNM", "Installation name"),
            ]
            ret.other = {
                new_key: decrypt_config(settings[old_key], mutex)
                for old_key, new_key in mappings
                if settings.get(old_key)
            }

            return ret

        except Exception as e:
            logging.error(f"error on run - {e}")
            return None


================================================
FILE: Configuration_extractors/XenoRAT.py
================================================
import logging
import os

import clr

clr.AddReference("System.Memory")

MODULES_DIR_PATH = os.path.dirname(os.path.realpath(__file__))
DNLIB_PATH = os.path.join(MODULES_DIR_PATH, "dnlib.dll")
clr.AddReference(DNLIB_PATH)

import dnlib
from dnlib.DotNet import ModuleDef, ModuleDefMD
from dnlib.DotNet.Emit import OpCodes

from typing import Dict, List, Optional
from io import BytesIO
from maco.extractor import Extractor
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco.model import ExtractorModel
from maco import yara
from ipaddress import IPv4Address, AddressValueError


def check_ip(ip: str) -> bool:
    """
    Use the built-in library ipaddress to
    validate that the provided parameter `ip`
    is a valid IPv4 address
    """
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False
    else:
        return True


def extract_setting(data: bytes) -> Optional[Dict[str, str]]:
    try:
        modctx = ModuleDef.CreateModuleContext()
        module = dnlib.DotNet.ModuleDefMD.Load(data, modctx)
        config = {
            "ServerIp": None,
            "ServerPort": None,
            "delay": None,
            "mutex_string": None,
            "Install_path": None,
            "startup_name": None,
        }
        for type in module.GetTypes():
            if type.Name == "Program":
                for method in type.Methods:
                    if method.Name == ".cctor":
                        instructions = list(method.Body.Instructions)
                        for inst_1, inst_2 in zip(instructions, instructions[1:]):
                            if inst_2.OpCode != OpCodes.Stsfld:
                                continue
                            field_name = str(inst_2.Operand.Name)
                            if field_name not in config:
                                continue
                            if inst_1.OpCode == OpCodes.Ldstr:
                                config[field_name] = str(inst_1.Operand)
                            elif inst_1.IsLdcI4():
                                # the short forms ldc.i4.0..ldc.i4.8 and ldc.i4.m1 encode
                                # the value in the opcode and carry no Operand, so
                                # str(inst_1.Operand) would yield "None" for e.g. delay = 0;
                                # dnlib's GetLdcI4Value() handles every ldc.i4 form
                                config[field_name] = str(inst_1.GetLdcI4Value())
    except Exception as e:
        logging.error(f"error in extract_setting: {e}")
    else:
        return config


class XenoRAT(Extractor):

    family = "XenoRAT"
    author = "Sekoia.io"
    last_modified = "17-09-2025"
    category = [CategoryEnum.rat, CategoryEnum.infostealer]
    yara_rule = """
    rule XenoRAT_rat_win
    {
        meta:
            version = "1.0"
            author = "Sekoia IO"
            malware = "XenoRAT"
            creation_date = "2024-02-09"
            modification_date = "2025-10-07"
            description = "Xeno RAT is an open-source RAT, used by kimsuky in january 2024"
            hash = "c886878129bd048c3d7d3dced82858f6"
            hash = "e0b465d3bd1ec5e95aee016951d55640"
            hash = "21843600eea5443841bf6dfe692630a3"
        strings:
            $s = "moom825"
            $x = "xeno_rat_client"
        condition:
            uint16be(0) == 0x4d5a and $s and #x > 20 and filesize > 43KB and filesize < 50KB
    }
    """

    def run(
        self, stream: BytesIO, matches: List[yara.Match]
    ) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        if not any(hit.rule.startswith("XenoRAT_rat_win") for hit in matches):
            return None

        try:
            settings = extract_setting(data) or {}
            hosts, port = settings.get("ServerIp"), settings.get("ServerPort")
            if not (hosts and port):
                logging.error("no C2 extraction")
                return None

            ret = ExtractorModel(
                family=self.family, version="Windows", category=self.category
            )
            if settings.get("mutex_string") is not None:
                ret.mutex = [settings["mutex_string"]]
            conn_kwargs = {"server_port": port, "usage": ConnUsageEnum.c2}
            if check_ip(hosts):
                conn_kwargs["server_ip"] = hosts
            else:
                conn_kwargs["server_domain"] = hosts
            ret.tcp.append(ret.Connection(**conn_kwargs))

            # every key is pre-populated with None in extract_setting(), so filter
            # on the value rather than on key membership
            ret.other = {
                k: settings[k]
                for k in ("Install_path", "startup_name", "delay")
                if settings.get(k) is not None
            }

            return ret

        except Exception as e:
            logging.error(f"error on run - {e}")
            return None


================================================
FILE: Configuration_extractors/kaiji.py
================================================
from io import BytesIO
import re
import logging
import base64
from floss import strings
from typing import List, Optional
from maco.extractor import Extractor
from maco.model import ExtractorModel
from maco.model import CategoryEnum
from maco.model import ConnUsageEnum
from maco import yara
from collections import namedtuple
from ipaddress import IPv4Address, AddressValueError

CommandAndControl = namedtuple("CommandAndControl", ["ip", "port"])

def check_ip(ioc: str) -> bool:
    """Use the built-in library ipaddress to
    validate that the provided parameter `ioc`
    is a valid IPv4 address"""

    try:
        IPv4Address(ioc)
    except AddressValueError:
        return False
    else:
        return True

def extract_b64_and_decode(data: bytes) -> Optional[str]:
    """
    When the C2 is only base64-encoded it can be recovered from the payload
    strings: the encoded value always directly follows the `use ParseCertificate`
    marker and decodes to `<c2>:<port>|(odk)/*-`.
    Example, from payload 2fba3ddffb0e17403b9725e482582573:
        use ParseCertificateODQuMzIuNDQuOTU6MjUwMDB8KG9kaykvKi0=
    """
    data = strings.extract_ascii_strings(data)
    for d in data:
        match = re.search(r'use ParseCertificate(?P<enc_c2>\S+)', d.string)
        if not match:
            continue
        try:
            raw = match.groupdict()
            encoded_c2 = raw.get("enc_c2")
            dec_c2 = base64.b64decode(encoded_c2).decode("utf-8")
            return dec_c2

        except Exception as e:
            logging.error(f"Error during extraction: {e}")
            return None

def parse_c2(raw_data: str) -> CommandAndControl:
    """Parse the stored C2: which is stored in this format `<raw_c2_ip>:<raw_c2_port>|<other data> `"""
    raw_c2 = raw_data.split("|")[0]
    raw_c2 = raw_c2.split(":")
    c2 = CommandAndControl(ip=raw_c2[0], port=int(raw_c2[1]))
    return c2

class Kaiji(Extractor):
    author = "Sekoia.io"
    last_modified = "26-02-2025"
    category = [CategoryEnum.bot, CategoryEnum.ddos]
    family = 'Kaiji'
    yara_rule = """
    rule Kaiji_variant_chaos
    {
        meta:
            author = "Sekoia IO"
            malware = "ChaosBotnet"
            description = "Catch ChaosBotnet on common instruction and pattern"
            hash = "90c7c13411a2cdcfaeb61905f768c828"
            hash = "a8d011f4307646fe859353631421fa13"
            hash = "ff226c9145fc5b1c78edd5e302154cdd"
            hash = "4d587de47760a1ba3da618ec63a4254b"
        strings:
            $v = "main.chaos_" ascii
            $go = "GOOS=linux" ascii
            $f1 = "_cve_run" ascii
            $f2 = "_ipspoof" ascii
            $f3 = "_ssh_attack" ascii
            $f4 = "reverseshell" ascii
            $f5 = "Getmypwd" ascii
        condition:
            uint32be(0) == 0x7f454c46 and #v > 50 and $go and 4 of ($f*) and filesize > 5000KB and filesize < 6000KB
    }

    rule Kaiji_variant_ares
    {
        meta:
            author = "Sekoia IO"
            malware = "AresBotnet"
            description = "Catch AresBotnet on common instruction and pattern"
            hash = "e13e9c0520aaa1a51d2c9737145c35cc"
            hash = "4395091ac7b78f768b10087e4f4635a2"
            hash = "2fba3ddffb0e17403b9725e482582573"
            hash = "b7eb8e66f765a5c0a8d0ddf3ff763c3e"
        strings:
            $v = "main.Ares_" ascii
            $go = "GOOS=linux" ascii
            $f1 = "Tcp_Keep_Hex" ascii
            $f2 = "_ipspoof" ascii
            $f3 = "_L3_Udp_Hex" ascii
            $f4 = "_Ws_Keep_Hex" ascii
            $f5 = "main.attack" ascii
        condition:
            uint32be(0) == 0x7f454c46 and #v > 50 and $go and 4 of ($f*) and filesize > 5000KB and filesize < 6000KB
    }
    """

    def run(self, stream: BytesIO, matches: List[yara.Match]) -> Optional[ExtractorModel]:
        data = stream.read()

        if not data:
            logging.error("no data")
            return None

        # use the Kaiji rule that actually fired rather than assuming it is matches[0]
        hit = next((m for m in matches if m.rule.startswith("Kaiji")), None)
        if hit is None:
            return None

        ret = ExtractorModel(family=self.family, version="Linux", category=self.category)
        if hit.rule == "Kaiji_variant_chaos":
            ret.family = "ChaosBotnet"
        elif hit.rule == "Kaiji_variant_ares":
            ret.family = "AresBotnet"

        try:
            raw_c2 = extract_b64_and_decode(data)
            if raw_c2 is None:
                raise ValueError("no `use ParseCertificate` marker found")
            c2 = parse_c2(raw_c2)
        except Exception as e:
            logging.error(f"error during extraction: {e}")
            return None

        connection_kwargs = {"server_port": c2.port, "usage": ConnUsageEnum.c2}
        if check_ip(c2.ip):
            connection_kwargs["server_ip"] = c2.ip
        else:
            connection_kwargs["server_domain"] = c2.ip
        ret.tcp.append(ret.Connection(**connection_kwargs))

        return ret

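The docstring of `extract_b64_and_decode` above describes the `use ParseCertificate<base64>` marker; the function itself enumerates strings through floss and returns on the first hit. As an added example (not part of the SEKOIA-IO repository), the block below scans the raw ELF bytes directly with a regex bounded by the base64 alphabet, decodes every hit and keeps only values with the `<ipv4>:<port>|...` layout and a sane port, so a partial or forged marker cannot produce a bogus C2. `find_c2_candidates`, `MARKER_RE` and `SAMPLE` are names chosen for this example; `SAMPLE` is a constructed buffer built around the encoded string quoted in that docstring.

```python
import base64
import ipaddress
import re
from typing import List, Tuple

# Restrict the capture to the base64 alphabet so the match stops cleanly at the next
# NUL or other non-base64 byte; `\S+` over raw bytes would also swallow trailing junk.
MARKER_RE = re.compile(rb"use ParseCertificate([A-Za-z0-9+/]{4,}={0,2})")


def find_c2_candidates(buf: bytes) -> List[Tuple[str, int]]:
    """Scan the whole binary, decode every marker hit and keep the ones that decode
    to `<ipv4>:<port>|...` with a port in 1..65535."""
    found = []
    for m in MARKER_RE.finditer(buf):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
        host, _, rest = decoded.partition(":")
        port = rest.split("|", 1)[0]
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue
        if port.isdigit() and 1 <= int(port) <= 65535:
            found.append((host, int(port)))
    return found


# Constructed buffer: filler around the encoded string quoted in the docstring of
# extract_b64_and_decode() (payload 2fba3ddffb0e17403b9725e482582573).
SAMPLE = (
    b"\x00" * 8 + b"main.Ares_attack\x00"
    b"use ParseCertificateODQuMzIuNDQuOTU6MjUwMDB8KG9kaykvKi0=\x00GOOS=linux\x00"
)

if __name__ == "__main__":
    print(find_c2_candidates(SAMPLE))  # [('84.32.44.95', 25000)]
```

Returning every candidate rather than the first one makes it visible when a sample embeds more than one marker, which is the case worth a manual look.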

================================================
FILE: Configuration_extractors/requirements.txt
================================================
flare-floss==3.1.1
capstone==5.0.6
cart==1.2.2
requests==2.28.1
flare-capa==9.2.1
pycryptodome==3.19.0
cryptography==3.3.2
pythonnet==3.0.3
dncil==1.0.2
dnfile==0.15.0
lief==0.15.1
beautifulsoup4==4.11.2
lxml==5.4.0
malduck==4.4.1


================================================
FILE: IOCs/8220Gang/8220_Gang_iocs_20242409.csv
================================================
IOC,Valid From,Valid Until,Link
c4k-ircd.pwndns.pw,2022-09-01T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--f428ddd8-c478-4e9e-9ebe-03e99877ecfb
pwn.oracleservice.top,2022-06-01T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--69493717-a478-4d03-9f6d-addb61651815
run.on-demand.pw,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--a32e74b4-3694-4f22-b34e-1514b1dd23d9
play.sck-dns.cc,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--9c694b52-bdb7-42ef-8874-4b343e4ac1c5
http://154.213.192.44/m.xml,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--9d2ed385-f34d-448f-9e92-055f8a515f25
http://154.213.192.44/y,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--0217a6ba-d55b-436b-81d4-efe9d3279fcb
http://154.213.192.44/c,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--3fc6a2e9-d67e-4cfa-a694-28572f7cc5de
http://154.213.192.44/goku,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--a88b5a35-3390-4fe2-ba0c-ec1a14de842c
http://sck-dns.cc/c,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--66d0b708-53b9-431f-bf73-d0eb1801b48b
http://154.213.192.44/m1.xml,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--027af819-1ef0-475d-a2cd-2b43357d554f
http://154.213.192.44/bin.ps1,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--6a4b9f67-2c11-42e9-9aa9-91f3ecf67307
http://154.213.192.44/plugin3.dll,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--ae387077-65ff-4658-9631-af8dc6c12b35
http://154.213.192.44/Ueordwfkay.pdf,2024-09-17T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--0e5acc4f-3df6-4dc0-aae2-f424bd1c3b76
5100dbaf942556184928fc0387fb5aab69dc2ef7e77b29db75905329697f2350,2024-08-28T00:00:00Z,2049-09-18T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--b4b3e913-a7e8-45e8-882e-48b3df13f4fe
10c2913361debb5f1db95c170ce2d6892d598d97b9f1f7f76a8bc7b5053e801a,2024-09-17T00:00:00Z,2049-09-18T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--45dc5b6d-e7ee-4b0c-85db-ff6225b98fca
1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5,2024-03-13T00:00:00Z,2049-03-07T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--ad184308-53e5-43e6-9011-dea3090ba3f8
e68263fcc9b1f8729bba00f63fb5482f069218333a65cf1b0caa0fe6d7ce1ff3,2024-09-23T00:00:00Z,2049-09-18T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--d618f9e9-321f-4762-a551-c9e8be60750e
9a5d68ca481091fbfde4d63087a836412bc8805b9a7cae000bd53899b0399e87,2024-09-23T00:00:00Z,2049-09-18T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--7c68157e-f858-46bd-8185-f18b9d46a85a
f6069886728686c5c6566c0332ba37c16805fb623b6fcbbd1dd2e09ee5cc75b1,2024-09-19T00:00:00Z,2049-09-18T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--2cf6b8fe-fb64-40d8-bbe5-a25eb0f068cf
7b229b173b32cde47963de2a6e4bfcf243a8646fbf100fb2e379526b42ee4515,2024-09-17T00:00:00Z,2049-09-11T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--bd31bdad-81aa-4b3d-82ab-8f48d7e2380e
11be73a9516ace88b1a0af52e4454f4bc1db514cc2511b3e02318bd8be2bcf09,2022-09-17T00:00:00Z,2049-09-11T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--fcc54a5a-3f13-4849-b48e-5197ab901324
c964791501a48e919446892fe14ed101c27da375668ac7a24de891dc68356f9b,2022-06-28T00:00:00Z,2049-06-22T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--1e9facff-c79a-4ad1-8d6b-4b90a7666519
51.255.171.23:80,2022-04-30T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--820de26f-69eb-4033-8bb4-87b515445a07
64.227.170.227:80,2024-09-17T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--851e33a8-991c-4c2f-a876-2388812bc941
157.230.29.135:80,2024-09-17T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--5183d833-9391-42d1-b7fc-cae397867ba1
51.222.111.116:80,2024-09-17T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--b67815bd-0b13-4d33-a233-0fe38f4f1105
77.221.149.212:80,2024-09-17T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--64e561ba-90fe-484f-97c1-9fe3cf23601e
198.199.85.230:80,2024-09-17T00:00:00Z,2024-10-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--30b7c383-00bb-41b7-9c88-48a6b4a85488


================================================
FILE: IOCs/CVE-2023-46805_CVE-2024-21887/Ivanti_iocs_20240124.csv
================================================
IOC,Valid From,Valid Until,Link
http://81.2.216.78:29742/T7cNxSSK4d/upd.sh,2024-01-23T00:00:00Z,2024-07-21T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--0b42a4b8-fe8e-47d8-b32b-9cb4b4d6aca3
http://81.2.216.78:29742/T7cNxSSK4d/lib,2024-01-23T00:00:00Z,2024-07-21T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--b08e7622-3749-4216-affc-0e3225f822ed
https://telemetry.psecure.pro/index,2024-01-19T00:00:00Z,2024-07-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--d25738dc-c68b-4ff2-99ee-3d6e22834ee3
http://91.92.254.14/index,2024-01-19T00:00:00Z,2024-07-17T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--1927350a-3f87-43f5-afa5-d870216a1b01
81cd61b82577731d1b582ff8665b5774;c33ede79af4f2d60b8c626b69b1b752d13595bd9;76e1853b9a4e88cc0521df2815d6ba5d6ea5549c4477f8bdc43b9fc3ede32636,2024-01-20T00:00:00Z,2049-01-13T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--bcafbef2-11e9-47f7-9654-33f5d7be6db5
02f7b93f8f3edeef75f20dafab6f83d8;b53e7cc305fd9015b27c3146e4f3c11a8cb424ed;d29b9428c4db45cb8f492d7161b635134dc3d4218f731fa04959902f90b95b07,2024-01-01T00:00:00Z,2048-12-25T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--b452addc-9c0f-4eaf-b98f-f3aa41bbf90e
[network-traffic:dst_ip = '101.35.196.225' AND network-traffic:dst_port = 1111],2024-01-17T00:00:00Z,2024-07-19T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--c271ff71-3d01-47a2-a71f-58ff1a33bc8b
[network-traffic:dst_ip = '185.9.36.109' AND network-traffic:dst_port = 4444],2024-01-17T00:00:00Z,2024-07-19T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--6948adee-2795-4747-84bc-671cf8cbec04
[network-traffic:dst_ip = '212.113.106.100' AND network-traffic:dst_port = 8888],2024-01-23T00:00:00Z,2024-07-21T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--c7079b30-1b25-4d20-ada5-25f771165f69
[network-traffic:dst_ip = '45.32.219.109' AND network-traffic:dst_port = 9999],2024-01-23T00:00:00Z,2024-07-21T00:00:00Z,https://app.sekoia.io/intelligence/public/objects/indicator--14352d73-eeac-40a3-978b-dd09699355da


================================================
FILE: IOCs/DDoSia/20240229_DDoSia_IOC.csv
================================================
sha256sum,Valid From
3a04f50b8740367445c547b839c1cf5c6e4c9f7078245d2ab294c97695a23b86,2024-01-23
ded0d6cdf7ac1f78c88057bb02ca5850b4bd47cdc150fcc652c7655d4fa5f794,2024-01-23
1231a825e31f30a738940763c24ba6fd7329130b71189d41885f42cc85d20608,2024-01-23
0f4b73adfd946de88d3f13de2f1b3f861ece6d6bda8c2499efb8d3a1f592d9e9,2024-01-23
5946540bcf3a4c877b0a636d36f16941e14ddcaacc48ed95df2fe58c7ea06784,2024-01-23
767850cae424eaa436dc9f1d18f9c02837d5b6f7c1e1da41b1a6d35195510e3c,2024-01-23
8628a62ca1f18bb4bb5e9a52374ed36bff2d83e0d2c489b8108c0a5c5d7d5cee,2024-01-23
34a80dd9fbb005066ecb5047e4b55d2163c67cb0d7a46ce4914823bb3c432a11,2024-01-23
3107dab2a1a3dc2ca13fd30723358b5d2c1f14fa71565080aa9a871a57b55bc0,2024-01-23
e57e37535efadad438e3024e6289c0f23bc18373b2d52e108430cc790b8f5b92,2024-01-23
919721fcd6a8cf01aaa279a6a7b95f539cb52bb73fde37f656f21f1b05d6614f,2024-01-23
91efa1725629aacd5f5a8a701cccc83959b95d477253ebd1b6438076d3055caa,2024-01-23
60d08995cbf9caa5d903a932582e62208c34091843e4e8cdda0562e29d3e2d00,2024-01-23
ec4a1b9045c455287df63023b081357d9cf8e6457e13acc2d2e42c6bd12c5d39,2024-01-23
d2cced737a0fa94a6114ed63080c3935dfcbaed369848915e29bfd26b3968bb3,2024-01-23
53bbaaac8b5f406ae0fe3c30a51336f29600d887e1b3c9e5ae880bdf46533a9a,2024-01-23
f57362b1adf5981fe33e6ea2a59478d67bb46ec1549e75211b1cf492cd920658,2024-01-23
32ccc22ca03c1f4f1703ff182df7a7714acad4ccd6729bd78d19998f3bb9ad0b,2024-01-23
be1315a5c61660de292a92422d3cc0c523333b26b9ec1a59e4a1b7bf0d04291e,2024-01-23
65cf9ade1845648ab212f4bd5c7d4373221f50a3dd27c73668b52effbae75983,2024-01-23
4580093724a502bc7e8cacde775b7f3b4d3bde3879b7c9c63669a3017f645931,2024-01-23
909ff2b81fbf5c48d35f1d1d7ebc75ac081957aedc86dc9afd766c4a5582388b,2024-01-23
bd118642c631be6bdeb418e1c5bc9ad8759aedbf401b9b5c199104a5c2dab95c,2024-01-23
6649dc6c0d410d5aa51c2cf412e510edda4c6558149fd044979414413181c5d9,2024-01-23
82d84acf27e1293c87a028aad586fc9a22530490549ece584f6d418d24b3da8b,2024-01-23
80ce00db9a831d3c17b6641747954a8b78b1eafa79fff3f3e666f802f9840440,2024-01-23
b025b009ecb32e7deadad9bed2be5613e6ff78f3465a7bf2e847453cac8c739c,2024-01-23
90bc4b0ea5ecf4cbb0046e0250ac4110a4ac0abf22c22673b6715cf83e584935,2024-01-23
0e260d76a54edb4527fd9d1630ff6e5956d29f11ea1c5e36e5131a4a6e74a1b6,2024-01-23
57535bbb9388aba2a6312c48d7c82d378f8ad5950f1b622289a2c013f0e38a1b,2024-01-23
7a99936b061e8e2af1d8d60021d112ac7a79e3cac4bf5b9772027493489df078,2024-01-22
6888be4ef99b288905b9764487e4a0276a1632f1d3fdd0113289ff9c16ed307b,2024-01-22
a868bbca529bf98d53963dda76182e0e1fbdb1109af2b29cc70ce092f9e6345a,2024-01-22
43c8a0e112de144dfe16c54ca46013baa8a3423e68fb107e4a3bb444e08148ab,2024-01-22
e7a63fcc52f9e0866dd6544b697a119a0bbdec2edadd64ec5d9f5e24626ef5ec,2024-01-22
f65cee324f7e120cbe4671899ed01f56492dcb9b7b96c8cec4fdae1ea763059c,2024-01-22
07c509b555d9e35a6d9071297c0231183cc403ef72fa598210afe3118064812b,2024-01-22
3fd173ca9e607c08bbf24b105fdc58c1c0bc8a5ae8e0fa6b7b90e7a09ae7840a,2024-01-22
72d5c6e5ab210fa2558d7aefc2d8bf3977598c99750512e54728c24aedae6c40,2024-01-22
9584c7310229f303fd78d47e681bae026e91daecb3a93963d6ffc9822a652a72,2024-01-22
57c2b5caba1a53c21677de0349027777b3c752681a4aeff70bbac96c85aa385d,2024-01-22
021e802872dd7875561caa5ae5522170e2e59803cdf483e12e3ef1c04fb5a7a1,2024-01-22
8813f2c7708a637e199548928f02ef7f43b1824a0750a6285cdd9d56a70c4b8e,2024-01-22
3a661b312d7289316a524f4fbada890e13c6c1df398a98385bf0ae629bc5d576,2024-01-22
152423ecaf8a2252ef7049ceca7d39090a8d8855ee935b578bc3a7f381afe622,2024-01-22
19121f7d039a6f7373e137adcc9141a20ff97f9af9c800cd754be85a717b0cf6,2024-01-22
eb04d44cac2a6ab2781275c5826f3c442f933f9d813c27506ffc3eb617fba13c,2024-01-22
05f2f5499bdeaa3b1487556fc04ec3ae325d8d2fa9f1dada777f3960b40f1315,2024-01-22
4064a51a911118944c3e5cb69b16cbae041ed306a57f20905115403ebaa9eb1f,2024-01-22
33c5123fd8dcef090e07fdf17fca8139b8208b0a05317795dd68179d71ac3b61,2024-01-22
79d2fca0671fe7bcb5b0caa6eede34456cad11d1795f83582ed67dad3b4b4bc4,2024-01-22
d13993e3d90feeaeee38fd98546d0ab6f22d2e68989445d5cdb24e03cd759374,2024-01-22
a4500ee7edca23075d763008999bc59bd475be9603fb85f58c98e9353bac2461,2024-01-22
750575f8a3a58b6c04b936548a22d02c5df2d11243d7c817676613cb7ec0aed3,2024-01-22
2545968e2176ebb7497725a051b4768d442db5a818c125ad85d6b64286a29fe4,2024-01-22
429fc18435cd4310f7006fc7c35bd91ebba7454c62dac16b58a818507521efba,2024-01-20
8da8de74777e8d8ffe4d00b50d6c9691d482b82c94e6be0e8b3fc99624da1032,2024-01-20
b160deb1334483df5c953ea05f7cfdf4a57da4756ec6983633d25eb9a81099d2,2024-01-20
ea049cdbab59a00a2ddd4a26afc86f5d96e50bc282bc375011848ab71b5d698e,2024-01-20
7ca73f4bb4e77ade1729eedd7f0ae7b9c79f672fdddadf1d071bdbc7a6fa1275,2024-01-20
efb7fe8b141c15f92b1b6ccb2a353f83a9623b391003c60938f967540f9ea774,2024-01-20
a55cd9570f533d607f6b52fc72b8b191484ad35ef730ca2a182cca057604a7d0,2024-01-20
8daf673141b1bad6cfe26b61eb84a778fdfd08d421a5095cda7bc3bb5e20a257,2024-01-20
adcdf6a959c60578bad3f421887236af08790cba73b75ae61948fe1db39b7602,2024-01-20
277730f312b07a3f7b5565b6b1afd037f977c89cd906ac0ba5743f9d4fc376d6,2024-01-20
1a9c40736bc7f2c913e37ccd8a9667d9d92f6b69daaaaab22ee271abcd0e3e23,2024-01-20
e29e7ba6848e8d3e9df35a2f5961c9d189d9bb9122dddab60ac5b173927c691f,2024-01-20
bfefde137c048033cc0d70088132eec75364a15a3695166f792fa2ea3a9812dd,2024-01-20
36d6fc09f634c681a24a6c4a216819c8204de9992952028af859e657dede4f8d,2024-01-20
4648c9714315c62538487d57c01534f214aef92d5b64c581ffd45d1e674b3194,2024-01-20
2a40795c76c3230727909e75cc354a2115ff6bb256064e5423e2fca437420c04,2024-01-20
c11cc15b2eab588b
    ├── downloader_win_cobianrat.yar
    ├── downloader_win_curl_agent.yar
    ├── downloader_win_donot.yar
    ├── downloader_win_fake_tor_browser.yar
    ├── downloader_win_newsterminal.yar
    ├── downloader_win_search.yar
    ├── dropper_mac_lazarus_manuscrypt.yar
    ├── dropper_win_konni_cab.yar
    ├── dropper_win_ninerat.yar
    ├── dropper_win_romcom_dropper.yar
    ├── dropper_win_selfau3.yar
    ├── emmenhtal_strings_hta_exe.yar
    ├── evilnumpayload_fmtstr.yar
    ├── exploit_cve20191458_strings.yar
    ├── exploit_ez_pwnkit_strings.yar
    ├── exploit_linux_eop_cve20177308_strings.yar
    ├── exploit_linux_eop_cve202121974_exploit_strings.yar
    ├── exploit_linux_eop_dirtyc0w_strings.yar
    ├── exploit_linux_eop_dirtypipe_strings.yar
    ├── exploit_linux_eop_polkit_pkexec_strings.yar
    ├── exploit_linux_eop_pwnkit_strings.yar
    ├── exploit_linux_eop_rationallove_strings.yar
    ├── exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
    ├── exploit_win_cloudatlas_cve_2018_0798.yar
    ├── gen_empire_onedrive_stager.yar
    ├── generic_bat_script_mock_http_services.yar
    ├── generic_perl_reverse_shell.yar
    ├── generic_php_webshell.yar
    ├── generic_python_reverse_shell.yar
    ├── generic_sharpshooter_payload_1.yar
    ├── generic_sharpshooter_payload_10.yar
    ├── generic_sharpshooter_payload_11.yar
    ├── generic_sharpshooter_payload_12.yar
    ├── generic_sharpshooter_payload_13.yar
    ├── generic_sharpshooter_payload_2.yar
    ├── generic_sharpshooter_payload_3.yar
    ├── generic_sharpshooter_payload_4.yar
    ├── generic_sharpshooter_payload_5.yar
    ├── generic_sharpshooter_payload_6.yar
    ├── generic_sharpshooter_payload_7.yar
    ├── generic_sharpshooter_payload_8.yar
    ├── generic_sharpshooter_payload_9.yar
    ├── generic_tor_hidden_service_leading_to_winports.yar
    ├── guerrilla_lemongroup.yar
    ├── guloader_lnk_file.yar
    ├── guloader_powershell_1.yar
    ├── guloader_unpacker.yar
    ├── guloader_unpacker_decoded.yar
    ├── guloader_vbscript.yar
    ├── hacktool_credentialkatz.yar
    ├── hacktool_defendercontrol_strings.yar
    ├── hacktool_dnscat2_strings.yar
    ├── hacktool_duplicatedump_strings.yar
    ├── hacktool_earthworm_strings.yar
    ├── hacktool_fscan_strings.yar
    ├── hacktool_gtunnel_strings.yar
    ├── hacktool_impacket_compiled_binary.yar
    ├── hacktool_iox_tunneling.yar
    ├── hacktool_ipmipwner_strings.yar
    ├── hacktool_lazagne_strings.yar
    ├── hacktool_ligolo_relay_strings.yar
    ├── hacktool_ligolo_strings.yar
    ├── hacktool_microsocks_strings.yar
    ├── hacktool_mimikat_ssp_strings.yar
    ├── hacktool_mimikatz_obfuscated.yar
    ├── hacktool_mimilite.yar
    ├── hacktool_nbtscan_strings.yar
    ├── hacktool_ntdsdumpex_strings.yar
    ├── hacktool_ntospy_strings.yar
    ├── hacktool_pplblade_strings.yar
    ├── hacktool_rubeus_strings.yar
    ├── hacktool_sharpview_strings.yar
    ├── hacktool_socat_strings.yar
    ├── hacktool_stowaway_strings.yar
    ├── hacktool_win_cookiekatz.yar
    ├── hacktool_win_gmer.yar
    ├── hacktool_win_powertool.yar
    ├── hacktool_win_processhacker.yar
    ├── hacktool_win_uknowseckeylogger.yar
    ├── hafnium_tarrask_malware.yar
    ├── icebot_exported_function.yar
    ├── icedid_chm_ttp.yar
    ├── implant_any_sliver.yar
    ├── implant_any_sliver_not_stripped.yar
    ├── implant_lin_geacon.yar
    ├── implant_lin_lightning.yar
    ├── implant_mac_rustbucket.yar
    ├── implant_mac_smoothoperator_update_agent.yar
    ├── implant_macos_geacon.yar
    ├── implant_mul_alchimist.yar
    ├── implant_win_apt29_2022_10.yar
    ├── implant_win_flagpro.yar
    ├── implant_win_geacon.yar
    ├── implant_win_graphiron_downloader.yar
    ├── implant_win_havoc_default_strings.yar
    ├── implant_win_incontroller.yar
    ├── implant_win_knotweed_jumplump.yar
    ├── implant_win_lyceum.yar
    ├── implant_win_magicrat.yar
    ├── implant_win_mysterysnail.yar
    ├── implant_win_pingpull.yar
    ├── implant_win_quantum_builder_lnk.yar
    ├── implant_win_quasarrat.yar
    ├── implant_win_sliver_dll.yar
    ├── in2al5d_p3in4er_loader.yar
    ├── infostealer_mac_realst.yar
    ├── infostealer_win_44caliber.yar
    ├── infostealer_win_acridrain_mar23.yar
    ├── infostealer_win_acrstealer_str.yar
    ├── infostealer_win_agrat.yar
    ├── infostealer_win_aurora.yar
    ├── infostealer_win_aurora_str.yar
    ├── infostealer_win_banditstealer.yar
    ├── infostealer_win_bebra.yar
    ├── infostealer_win_blackcap.yar
    ├── infostealer_win_blackguard_mar23.yar
    ├── infostealer_win_blustealer.yar
    ├── infostealer_win_cinoshistealer.yar
    ├── infostealer_win_daolpu_str.yar
    ├── infostealer_win_doenerium_str.yar
    ├── infostealer_win_ducklogs.yar
    ├── infostealer_win_edgeguard.yar
    ├── infostealer_win_enigma_initial_loader.yar
    ├── infostealer_win_enigma_loader_module.yar
    ├── infostealer_win_enigma_stealer_module.yar
    ├── infostealer_win_eternity.yar
    ├── infostealer_win_fwit_strings.yar
    ├── infostealer_win_ginzostealer_str.yar
    ├── infostealer_win_gomorrah.yar
    ├── infostealer_win_grmsk_strings.yar
    ├── infostealer_win_irontiger_chrome_stealer.yar
    ├── infostealer_win_leaf.yar
    ├── infostealer_win_lighting.yar
    ├── infostealer_win_lumma_strings_aug23.yar
    ├── infostealer_win_lumma_strings_sept23.yar
    ├── infostealer_win_mars_stealer.yar
    ├── infostealer_win_mars_stealer_variant_llcppc1.yar
    ├── infostealer_win_mars_stealer_xor_routine.yar
    ├── infostealer_win_meduzastealer.yar
    ├── infostealer_win_metastealer_strings.yar
    ├── infostealer_win_monster_stub.yar
    ├── infostealer_win_nekostealer.yar
    ├── infostealer_win_nemesis_in_memory.yar
    ├── infostealer_win_nosu.yar
    ├── infostealer_win_pennywise_mar23.yar
    ├── infostealer_win_phoenix.yar
    ├── infostealer_win_phoenixwave.yar
    ├── infostealer_win_raccoon_str_takemypainback.yar
    ├── infostealer_win_redline_strings.yar
    ├── infostealer_win_solarmarker_dll.yar
    ├── infostealer_win_solarmarker_powershell.yar
    ├── infostealer_win_spacestealer.yar
    ├── infostealer_win_stealc.yar
    ├── infostealer_win_stealc_str_oct24.yar
    ├── infostealer_win_stealerium.yar
    ├── infostealer_win_stormkitty.yar
    ├── infostealer_win_stormkitty_exfil_urls.yar
    ├── infostealer_win_titan.yar
    ├── infostealer_win_vidar_str_jul22.yar
    ├── infostealer_win_vidar_strings_nov23.yar
    ├── infostealer_win_vulturi.yar
    ├── infostealer_win_whitesnake_loader_feb23.yar
    ├── infostealer_win_whitesnake_stealer_feb23.yar
    ├── infostealer_win_whitesnake_xor_rc4_july12.yar
    ├── infostealer_win_xehook_str.yar
    ├── infostealer_win_xenostealer_strings.yar
    ├── infostealer_win_xfiles.yar
    ├── installer_win_minibus.yar
    ├── keylogger_win_donot.yar
    ├── killfloor_avkiller_strings.yar
    ├── kimsuky_konni_dll.yar
    ├── koi_koiloader.yar
    ├── koi_netstealer.yar
    ├── koi_powershell_loading_obfuscatednet.yar
    ├── koiloader_lnk.yar
    ├── koiloader_powershell_reflective_loading.yar
    ├── latrodectus_br4_js_dropper.yar
    ├── latrodectus_exports.yar
    ├── launcher_win_bluehaze.yar
    ├── launcher_win_mistcloak.yar
    ├── launcher_win_romcom_launcher.yar
    ├── launcher_win_stealthmutant_bat_launcher.yar
    ├── lnk_astaroth.yar
    ├── loader_amadey_clipper_plugin.yar
    ├── loader_amadey_standalone_may23.yar
    ├── loader_amadey_stealer_plugin.yar
    ├── loader_fakebat_initial_powershell_may24.yar
    ├── loader_fakebat_powershell_fingerprint_may24.yar
    ├── loader_latrodectus_dll.yar
    ├── loader_win_abcloader.yar
    ├── loader_win_aresloader.yar
    ├── loader_win_batloader_scripts.yar
    ├── loader_win_bumblebee.yar
    ├── loader_win_dodgebox.yar
    ├── loader_win_doppeldridex.yar
    ├── loader_win_erbium.yar
    ├── loader_win_fudloader.yar
    ├── loader_win_gcleaner.yar
    ├── loader_win_goshellcode.yar
    ├── loader_win_jennlog.yar
    ├── loader_win_jinxloader_strings.yar
    ├── loader_win_konni_bat.yar
    ├── loader_win_konni_wpnprv.yar
    ├── loader_win_ninerat.yar
    ├── loader_win_operationmagalenha_vbs.yar
    ├── loader_win_piccassoloader.yar
    ├── loader_win_purecrypter.yar
    ├── loader_win_red0044_powershell_may24.yar
    ├── loader_win_revil_loader.yar
    ├── loader_win_squirrelwaffle.yar
    ├── loader_win_squirrelwaffle_doc.yar
    ├── loader_win_stealthvector.yar
    ├── loader_win_svcready_imports.yar
    ├── luckymouse_sysupdate_loader.yar
    ├── luckymouse_sysupdate_payload.yar
    ├── malicious_lnk_exploiting_webdav_share_generic.yar
    ├── malware_httpshell_strings.yar
    ├── malware_remcom_strings.yar
    ├── malware_sugargh0st_strings.yar
    ├── malware_swordldr.yar
    ├── malware_tinyshell_strings.yar
    ├── malware_valleyrat_1ststage_strings.yar
    ├── malware_valleyrat_downloader_strings.yar
    ├── malware_valleyrat_strings_config.yar
    ├── malware_venom_admin_strings.yar
    ├── malware_venom_agent_strings.yar
    ├── malware_win_lyceum_maldoc_macro_20220613.yar
    ├── malware_win_mex.yar
    ├── malware_win_passlib.yar
    ├── manjusaka_samples.yar
    ├── merlin_crossplatform.yar
    ├── merlin_linux_elf.yar
    ├── merlin_win_dll.yar
    ├── merlin_win_exe.yar
    ├── miner_lin_xmrig_strings.yar
    ├── miner_win_xmrig_strings.yar
    ├── nomercy.yar
    ├── observerstealer.yar
    ├── pe_princeransomware_strings.yar
    ├── pe_stealer_axilestealer_strings.yar
    ├── pe_stealer_scarletstealer_strings.yar
    ├── platypus_winlinmac_strings.yar
    ├── plugx_final_payload.yar
    ├── radx_stealer.yar
    ├── ransomware_lin_avoslocker_sections.yar
    ├── ransomware_lin_avoslocker_strings.yar
    ├── ransomware_linux_icefire_2023.yar
    ├── ransomware_mallox.yar
    ├── ransomware_win_agenda.yar
    ├── ransomware_win_avoslocker.yar
    ├── ransomware_win_blackcat.yar
    ├── ransomware_win_blackmatter.yar
    ├── ransomware_win_chaos.yar
    ├── ransomware_win_dodo_2023.yar
    ├── ransomware_win_eking_rich_header.yar
    ├── ransomware_win_fonix.yar
    ├── ransomware_win_honkai_jan2023.yar
    ├── ransomware_win_karma.yar
    ├── ransomware_win_lorenz.yar
    ├── ransomware_win_masons_jan2023.yar
    ├── ransomware_win_raworld.yar
    ├── ransomware_win_redeemer.yar
    ├── ransomware_win_scransom.yar
    ├── ransomware_win_shrinklocker.yar
    ├── ransomware_win_voidcrypt.yar
    ├── ransomware_win_wing.yar
    ├── rat_darkvision_string.yar
    ├── rat_lin_gobrat_2023.yar
    ├── rat_win_arrow_str.yar
    ├── rat_win_asbit.yar
    ├── rat_win_asyncrat.yar
    ├── rat_win_atharvan.yar
    ├── rat_win_babylon.yar
    ├── rat_win_borat.yar
    ├── rat_win_dcrat_qwqdanchun.yar
    ├── rat_win_hiddenz.yar
    ├── rat_win_konni_rat.yar
    ├── rat_win_lilith.yar
    ├── rat_win_millenium.yar
    ├── rat_win_nighthawk.yar
    ├── rat_win_ninerat.yar
    ├── rat_win_ratel_strings.yar
    ├── rat_win_remcos.yar
    ├── rat_win_reverserat.yar
    ├── rat_win_romcom_payload.yar
    ├── rat_win_tutclient.yar
    ├── rat_win_xeno_rat.yar
    ├── rat_win_xworm_v2.yar
    ├── rat_win_xworm_v3.yar
    ├── recotool_adfind_strings.yar
    ├── reverseshell_win_1st_troy.yar
    ├── rootkit_diamorphine_strings.yar
    ├── rootkit_lin_winnti.yar
    ├── rootkit_win_purplefox_360_tct.yar
    ├── rootkit_win_purplefox_kernel_driver.yar
    ├── rootkit_win_purplefox_svchost_txt.yar
    ├── rule_lazarus_generic_downloader_7c3f94702fa7.yar
    ├── shell_win_danfuan.yar
    ├── spyware_and_bahamut.yar
    ├── spyware_and_fastfire.yar
    ├── spyware_and_strongpity_mobile_backdoor.yar
    ├── stealer_win_demotryspy.yar
    ├── stealer_win_luca.yar
    ├── stealer_win_mgbot_credential_stealer.yar
    ├── stealer_win_strela.yar
    ├── storm_1811_files_dat.yar
    ├── storm_1811_screenconnect_update.yar
    ├── strongpity_malware.yar
    ├── suspicious_users_dev.yar
    ├── ta410_control_flow_obfuscation.yar
    ├── technique_csv_dde_exec_regex.yar
    ├── tinyfluff_nodejs.yar
    ├── tool_3proxy_strings.yar
    ├── tool_advancedrun_strings.yar
    ├── tool_bore_rust_any_platform.yar
    ├── tool_bypassgodzilla.yar
    ├── tool_cheat_engine.yar
    ├── tool_chisel_strings.yar
    ├── tool_dogtunnel_strings.yar
    ├── tool_dynamicwrapper_strings.yar
    ├── tool_edrsandblast_api_strings.yar
    ├── tool_edrsandblast_cli_strings.yar
    ├── tool_edrsandblast_kernelcallbacks.yar
    ├── tool_edrsandblast_strings.yar
    ├── tool_efspotato.yar
    ├── tool_ehole.yar
    ├── tool_enum4linux_strings.yar
    ├── tool_execit_obfuscator_strings.yar
    ├── tool_exploit_badpotato_strings.yar
    ├── tool_exploit_comahawk_strings.yar
    ├── tool_exploit_rottenpotato_strings.yar
    ├── tool_generic_python_reverse_shell_strings.yar
    ├── tool_godpotato.yar
    ├── tool_gost_tunnel_strings.yar
    ├── tool_gsocket_strings.yar
    ├── tool_htran_strings.yar
    ├── tool_impersonate_strings.yar
    ├── tool_inswor_strings.yar
    ├── tool_iodine_strings.yar
    ├── tool_juicypotato_exploit_strings.yar
    ├── tool_juicypotatong_strings.yar
    ├── tool_koblas_server_strings.yar
    ├── tool_ladon_strings.yar
    ├── tool_lsass_dump_strings.yar
    ├── tool_masky_strings.yar
    ├── tool_multidump_strings.yar
    ├── tool_nping_strings.yar
    ├── tool_nssm_strings.yar
    ├── tool_paexec_strings.yar
    ├── tool_pchunter_and_related_certificate.yar
    ├── tool_petitpotato.yar
    ├── tool_pivotnacci.yar
    ├── tool_pivotnacci_webshell.yar
    ├── tool_powershell_unicorn.yar
    ├── tool_printnotifypotato.yar
    ├── tool_quarkspwdump.yar
    ├── tool_rathole_strings.yar
    ├── tool_realblindingedr_strings.yar
    ├── tool_reversessh_strings.yar
    ├── tool_revsocks_strings.yar
    ├── tool_rsockstun_strings.yar
    ├── tool_rubeus_strings.yar
    ├── tool_runpeinmemory_strings.yar
    ├── tool_safetykatz.yar
    ├── tool_scanline_strings.yar
    ├── tool_sharpefspotato_strings.yar
    ├── tool_sharphoundexecutable_strings.yar
    ├── tool_sharphoundpowershell_strings.yar
    ├── tool_sharpnbtscan_strings.yar
    ├── tool_sharpsecdump.yar
    ├── tool_soaphound_strings.yar
    ├── tool_ssf_strings.yar
    ├── tool_swor.yar
    ├── tool_sy_runas.yar
    ├── tool_tacticalrmm_installer_strings.yar
    ├── tool_tokenplayer_strings.yar
    ├── tool_webshell_b374k_strings.yar
    ├── tool_win_blackfly_proxy_config.yar
    ├── tool_win_driverjack.yar
    ├── tool_win_forkplayground.yar
    ├── tool_win_gosecretsdump.yar
    ├── tool_win_lightrail.yar
    ├── tool_win_sharpshares.yar
    ├── tool_win_snap2html.yar
    ├── tool_xiebroc2_strings.yar
    ├── tool_yasso_strings.yar
    ├── trojan_and_keepspy.yar
    ├── trojan_android_brata.yar
    ├── trojan_android_cerberus.yar
    ├── trojan_android_xenomorph.yar
    ├── trojan_win_bbtok_dll1_sep23.yar
    ├── trojan_win_bbtok_iso_sep23.yar
    ├── trojan_win_bbtok_lnk_sep23.yar
    ├── trojan_win_grandoreiro.yar
    ├── truesightkiller_avkiller_strings.yar
    ├── typhon_reborn_stealer.yar
    ├── unk_quad7_fsynet_strings.yar
    ├── unk_quad7_netd_strings.yar
    ├── unk_quad7_updtae_reverse_shell_strings.yar
    ├── unknown_7777_xlogin.yar
    ├── unknown_quad7_wildcard_login.yar
    ├── ursnif.yar
    ├── ursnif_ldr4.yar
    ├── vpn_mul_softether.yar
    ├── water_sigbin_group.yar
    ├── webshell_icesword_strings.yar
    ├── webshell_wso_webshell_strings.yar
    ├── weevely_webshell_payload.yar
    ├── win_clipper_generic.yar
    ├── win_infostealer_serpent_strings.yar
    ├── win_loader_astasialoader_strings.yar
    ├── win_malware_agnianestealer.yar
    ├── win_malware_janelarat_strings.yar
    ├── win_malware_statc_downloader.yar
    ├── wiper_hermeticwiper_variants.yar
    ├── wiper_win_caddywiper.yar
    ├── wiper_win_dnwipe.yar
    ├── wiper_win_isaacwiper.yar
    ├── wiper_win_nominatus_toxicbattery.yar
    ├── wiper_win_ruransom.yar
    ├── xworm_dotnet_injector.yar
    ├── yara_runascs.yar
    └── zip_win_abcloader.yar
Condensed preview — 1014 files, each showing path, character count, and a content snippet.
[
  {
    "path": "Configuration_extractors/ChaosRat.py",
    "chars": 5699,
    "preview": "import re\nimport base64\nimport json\nimport logging\nfrom floss import strings\nfrom io import BytesIO\nfrom typing import D..."
  },
  {
    "path": "Configuration_extractors/ConnectBack.py",
    "chars": 4622,
    "preview": "import struct\nfrom io import BytesIO\nimport re\nimport logging\nfrom typing import List, Optional\nfrom ipaddress import IP..."
  },
  {
    "path": "Configuration_extractors/Ddostf.py",
    "chars": 19261,
    "preview": "import re\nimport socket\nimport logging\nfrom io import BytesIO\nfrom typing import List, Optional\nfrom collections import..."
  },
  {
    "path": "Configuration_extractors/Gafgyt.py",
    "chars": 7418,
    "preview": "from io import BytesIO\nimport logging\nimport lief\nfrom lief.ELF import ARCH, Header\nimport struct\nfrom typing import Lis..."
  },
  {
    "path": "Configuration_extractors/Njrat.py",
    "chars": 6506,
    "preview": "import sys, struct, clr\n\nclr.AddReference(\"System.Memory\")\nfrom System.Reflection import Assembly, MethodInfo, BindingFl..."
  },
  {
    "path": "Configuration_extractors/QuasarRAT.py",
    "chars": 20637,
    "preview": "import clr\n\nclr.AddReference(\"System.Memory\")\nfrom System.Reflection import Assembly, MethodInfo, BindingFlags\nfrom Syst..."
  },
  {
    "path": "Configuration_extractors/README.md",
    "chars": 1616,
    "preview": "# Configuration_Extractors\n\n## Description\nThis repo contains various Python scripts for extracting malware configuratio..."
  },
  {
    "path": "Configuration_extractors/SNOWLIGHT.py",
    "chars": 9653,
    "preview": "import re\nimport socket\nimport logging\nfrom io import BytesIO\nfrom typing import List, Optional\nfrom collections import..."
  },
  {
    "path": "Configuration_extractors/TShVariant.py",
    "chars": 11391,
    "preview": "import logging\nimport textwrap\nimport tempfile\nfrom io import BytesIO\nfrom typing import List, Optional\nfrom pathlib imp..."
  },
  {
    "path": "Configuration_extractors/XWorm.py",
    "chars": 9440,
    "preview": "import sys, struct, clr\n\nclr.AddReference(\"System.Memory\")\nfrom System.Reflection import Assembly, MethodInfo, BindingFl..."
  },
  {
    "path": "Configuration_extractors/XenoRAT.py",
    "chars": 5034,
    "preview": "import sys, struct, clr\n\nclr.AddReference(\"System.Memory\")\nfrom System.Reflection import Assembly, MethodInfo, BindingFl..."
  },
  {
    "path": "Configuration_extractors/kaiji.py",
    "chars": 5231,
    "preview": "from io import BytesIO\nimport re\nimport logging\nimport base64\nfrom floss import strings\nfrom typing import List, Optiona..."
  },
  {
    "path": "Configuration_extractors/requirements.txt",
    "chars": 231,
    "preview": "flare-floss==3.1.1\ncapstone==5.0.6\ncart==1.2.2\nrequests==2.28.1\nflare-capa==9.2.1\npycryptodome==3.19.0\ncryptography==3.3..."
  },
  {
    "path": "IOCs/8220Gang/8220_Gang_iocs_20242409.csv",
    "chars": 4974,
    "preview": "IOC, Valid From, Valid Until, Link\nc4k-ircd.pwndns.pw,2022-09-01T00:00:00Z,2025-03-16T00:00:00Z,https://app.sekoia.io/in..."
  },
  {
    "path": "IOCs/CVE-2023-46805_CVE-2024-21887/Ivanti_iocs_20240124.csv",
    "chars": 2176,
    "preview": "IOC, Valid From, Valid Until, Link\nhttp://81.2.216.78:29742/T7cNxSSK4d/upd.sh,2024-01-23T00:00:00Z,2024-07-21T00:00:00Z,..."
  },
  {
    "path": "IOCs/DDoSia/20240229_DDoSia_IOC.csv",
    "chars": 41679,
    "preview": "sha256sum,Valid From\r\n7dd0ae076fa562fa798a0309fed9afba52db25b43aafe501cb500bcb203cbe0d,2024-02-23\r\nc6431ccccc5ba4a1f0537..."
  },
  {
    "path": "IOCs/DarkGate/scripts/AV_checked.txt",
    "chars": 697,
    "preview": "ByteFence\nC:\\Program Files (x86)\\Avira\nC:\\Program Files (x86)\\F-Secu\nC:\\Program Files (x86)\\IObit\nC:\\Program Files (x86)..."
  },
  {
    "path": "IOCs/DarkGate/scripts/DarkGate-C2-communication-deobfuscator.py",
    "chars": 4082,
    "preview": "import base64\nimport binascii\nimport urllib\n\n\ndef unhex(hex_string):\n    \"\"\"oalabs fonction copy from:\n    https://githu..."
  },
  {
    "path": "IOCs/DarkGate/scripts/action-id-documentations.md",
    "chars": 2452,
    "preview": "| Action Id | Description |\n| --- | --- |\n| 1052 | search and delete log files |\n| 1053 | self update (and remove traces..."
  },
  {
    "path": "IOCs/DiceLoader/scripts/ReflectiveDLLInjection.h",
    "chars": 4297,
    "preview": "#define DLL_QUERY_HMODULE\t\t6\n\n#define DEREF( name )*(UINT_PTR *)(name)\n#define DEREF_64( name )*(DWORD64 *)(name)\n#defin..."
  },
  {
    "path": "IOCs/DiceLoader/scripts/extractor.py",
    "chars": 1527,
    "preview": "import sys\nimport pefile\nfrom typing import List\n\n\ndef get_data_section_virtualAddress(pe: pefile.PE) -> int:\n    \"\"\"Ret..."
  },
  {
    "path": "IOCs/DiceLoader/scripts/fake_c2_tcp_server.py",
    "chars": 15141,
    "preview": "import os\nimport sys\nimport time\nimport struct\nimport logging\nimport socket\nimport select\nimport argparse\nimport platfor..."
  },
  {
    "path": "IOCs/Doppelgänger/DoppelGänger-observables.csv",
    "chars": 41461,
    "preview": "TLP,Observable (not an IOC!),Comment,Source\r\nWHITE,04cxsh[.]rentranking[.]online,First stage DoppelGänger,Sekoia.io\r\nWHI..."
  },
  {
    "path": "IOCs/I2PRAT/I2PRAT_iocs_20250211.csv",
    "chars": 4681,
    "preview": "IOC, Valid From, Valid Until, Link\nacc39a1fdfcecae66662397c3d8e49d2,2024-11-01T00:00:00Z,2049-10-26T00:00:00Z,https://ap..."
  },
  {
    "path": "IOCs/I2PRAT/scripts/ida_hashes_extraction.py",
    "chars": 646,
    "preview": "import idc\nimport idautils\n\nresolve_func_addr = 0x00014000BE08  # to adapt to your context\nhashes = []\nfor ref in idauti..."
  },
  {
    "path": "IOCs/I2PRAT/scripts/resolve_hashes.py",
    "chars": 1171,
    "preview": "from typing import Tuple\nfrom dumpulator import Dumpulator, modules\n\nADDR_CRYPT_FUNC = 0x14000BE08  # to replace accordi..."
  },
  {
    "path": "IOCs/Interlock/interlock.yar",
    "chars": 3295,
    "preview": "rule backdoor_win_interlock_powershell_backdoor {\n\tmeta:\n    \tid = \"678827c2-9416-417b-98c3-6e22010bb541\"\n    \tversion =..."
  },
  {
    "path": "IOCs/Interlock/interlock_IOCs.txt",
    "chars": 7866,
    "preview": "# Indicators\n\n## Fake Updater\n\n576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296\nf962e15c6efebb3c29fe399b..."
  },
  {
    "path": "IOCs/Lycantrox/Lycantrox_domains_high_confidence.txt",
    "chars": 1838,
    "preview": "betly.me\nsec-flare.com\nverifyurl.me\ncandidaturasminfin.info\ngrupohel.social\nnotify-kz.info\nintnews.world\ntaagangola.co\na..."
  },
  {
    "path": "IOCs/Lycantrox/Lycantrox_domains_medium_confidence.txt",
    "chars": 432,
    "preview": "amritacity.com\nawlaqf.sbs\nbosmata.com\npoliti.live\ntoomec.net\ncrudco.info\ncorncog.com\ndbtest.online\nespn-sports.live\nftli..."
  },
  {
    "path": "IOCs/MuddyWater/yara/apt_MuddyWater_MuddyRot_strings.yar",
    "chars": 994,
    "preview": "rule apt_MuddyWater_MuddyRot_strings {\n  meta:\n        id = \"f7bc195a-0e60-4495-b78a-78f101543700\"\n        version = \"1...."
  },
  {
    "path": "IOCs/MuddyWater/yara/apt_MuddyWater_malicious_pdf.yar",
    "chars": 507,
    "preview": "rule apt_MuddyWater_malicious_pdf {\n    meta:\n        id = \"77983aea-47cb-4436-b773-faf7be430339\"\n        version = \"1.0..."
  },
  {
    "path": "IOCs/README.md",
    "chars": 163,
    "preview": "# IOCs\n\nThis directory hosts Indicators of Compromise (IOCs) and YARA Rules shared by [SEKOIA.IO](https://sekoia.io). Yo..."
  },
  {
    "path": "IOCs/ScatteredSpider/20240220_ScatteredSpider_IOC.csv",
    "chars": 9762,
    "preview": "IOC, Valid From, Valid Until, Link\ngitlabhr.com,2024-01-26T00:00:00Z,2024-07-25T00:00:00Z,https://app.sekoia.io/intellig..."
  },
  {
    "path": "IOCs/acrstealer/acrstealer_iocs_20240429.md",
    "chars": 1982,
    "preview": "# ACR Stealer: unveiling SheldIO's (not so) new infostealer\n\n_2024-04-29_\n\n## ACR Stealer IoCs\n\n**Dead Drop Resolvers (D..."
  },
  {
    "path": "IOCs/acrstealer/infostealer_acrstealer_apr24.yar",
    "chars": 789,
    "preview": "rule infostealer_win_acrstealer_str {\n\tmeta:\n\t\tmalware = \"ACR Stealer\"\n\t\tdescription = \"Finds ACR Stealer standalone sam..."
  },
  {
    "path": "IOCs/activemq/activemq_iocs_20231206.csv",
    "chars": 8777,
    "preview": "IOC, Valid From, Valid Until, Link\n[network-traffic:dst_ip = '212.22.77.79' AND network-traffic:dst_port = 80],2023-11-0..."
  },
  {
    "path": "IOCs/apt31/2021-11-10 APT31 - STIX2.jsonl",
    "chars": 777607,
    "preview": "{\"description\": \"Before compromising a victim, adversaries may develop malware and malware components that can be used d..."
  },
  {
    "path": "IOCs/apt31/2021-11-10 APT31 IOCs.csv",
    "chars": 35488,
    "preview": "tlp,id,type,name,pattern,pattern_type,created,modified,first_seen,last_seen,valid_from,valid_until,confidence,kill_chain..."
  },
  {
    "path": "IOCs/apt31/yara_rules/apt_misp_apt31_orb_2021.yar",
    "chars": 664,
    "preview": "rule apt_misp_apt31_orb_2021 {   \n    meta:\n        description = \"Detects APT31 ORB implant\"\n        version = \"1.0\"..."
  },
  {
    "path": "IOCs/apt31/yara_rules/unk_apt31_tsh_2021.yar",
    "chars": 858,
    "preview": "rule unk_apt31_tsh_2021 {\n    meta:\n        description = \"Detect APT31-linked TSH sample. This rule is quite specific w..."
  },
  {
    "path": "IOCs/aurora/aurora_iocs_20221121.csv",
    "chars": 8590,
    "preview": "IOC, Valid From, Valid Until, Link\n138.201.92[.]44:8081,2022-11-07T00:00:00Z,2022-12-07T00:00:00Z,https://app.sekoia.io/..."
  },
  {
    "path": "IOCs/aurora/yara_rules/infostealer_aurora.yar",
    "chars": 1465,
    "preview": "rule infostealer_win_aurora {\n    meta:\n        malware = \"Aurora\"\n        description = \"Finds Aurora samples based on..."
  },
  {
    "path": "IOCs/bananasulfate/SEKOIAIO_Banana_Sulfate_infrastructure.csv",
    "chars": 17428,
    "preview": "tlp,type,name,observable_types,valid_from,valid_until,confidence,kill_chain,sources\r\nwhite,indicator,online-repo.com,dom..."
  },
  {
    "path": "IOCs/bluefox/bluefox_iocs_20221102.csv",
    "chars": 4121,
    "preview": "IOC, Valid From, Valid Until, Link\n31.41.244[.]152:47567,2022-10-30T00:00:00Z,2022-11-29T00:00:00Z,https://app.sekoia.io..."
  },
  {
    "path": "IOCs/bluefox/yara_rules/infostealer_bluefox.yar",
    "chars": 832,
    "preview": "rule infostealer_win_bluefox {\n    meta:\n        malware = \"BlueFox\"\n        description = \"Find BlueFox Stealer v2 samp..."
  },
  {
    "path": "IOCs/calisto/Domains already known related to CALISTO.txt",
    "chars": 2307,
    "preview": "accounts-google[.]eu\naccounts-mail[.]asia\nauthentification-request[.]top\nauth-login[.]top\ndrive-login[.]com\ndrive-meet-g..."
  },
  {
    "path": "IOCs/calisto/SSL Certificates SHA1, emails and IPs.csv",
    "chars": 976,
    "preview": "805fb9539c7398f8c249160e699d2050e4f08d6d;nepkomi@gmail[.]com;154.127.59[.]186\n0641a4550d80fa0278c7825dd90cae69019f2299;u..."
  },
  {
    "path": "IOCs/calisto/calisto_infrastructure_20220622",
    "chars": 438,
    "preview": "documents-cloud.com \ncache-docs.com\nprotect-link.online\ndocs-shared.com\ndocuments-cloud.online\ndrive-share.live\nhypertex..."
  },
  {
    "path": "IOCs/calisto/calisto_infrastructure_20221205",
    "chars": 1820,
    "preview": "access-confirmation[.]com\nallow-access[.]com\nantibots-service[.]com\napicomcloud[.]com\nas-mvd[.]ru\nattach-docs[.]com\natta..."
  },
  {
    "path": "IOCs/clearfake/clearfake_iocs_20231016.csv",
    "chars": 10633,
    "preview": "IOC, Valid From, Valid Until, Link\n921hapudyqwdvy.com,2023-09-01T00:00:00Z,2024-03-28T00:00:00Z,https://app.sekoia.io/in..."
  },
  {
    "path": "IOCs/clearfake/clearfake_iocs_20250318.csv",
    "chars": 18549,
    "preview": "IOC, Valid From, Valid Until, Link\nhttps://recaptcha-verify-1t.pages.dev/,2025-02-07T00:00:00Z,2025-08-06T00:00:00Z,http..."
  },
  {
    "path": "IOCs/clearfake/clearfake_malicious_script_content.md",
    "chars": 9662,
    "preview": "# ClearFake Malicious Script Content\n\nFollowing malicious scripts are based on the analysis of ClearFake, as of 30 Septe..."
  },
  {
    "path": "IOCs/clickfix_fake_google_meet/clickfix_fake_google_meet_iocs_20241017.csv",
    "chars": 23586,
    "preview": "IOC, Valid From, Valid Until, Link\ncdm-join.us,2024-08-05T00:00:00Z,2025-02-01T00:00:00Z,https://app.sekoia.io/intellige..."
  },
  {
    "path": "IOCs/compromised_chrome_extensions_dec24/compromised_chrome_extensions_iocs_20250122.csv",
    "chars": 13373,
    "preview": "IOC, Valid From, Valid Until, Link\nchromewebstore-noreply@chromeforextension.com,2024-12-01T00:00:00Z,2025-05-30T00:00:0..."
  },
  {
    "path": "IOCs/cs2nginx/cs2nginx_C2.csv",
    "chars": 493,
    "preview": "Type,IOC\ndomain,updates.uk[.]com\ndomain,onlinebusinessadviceuk[.]com\ndomain,assets.completehealthcareuk[.]net\ndomain,d2r..."
  },
  {
    "path": "IOCs/customerloader/customerloader_iocs_20230712.csv",
    "chars": 80747,
    "preview": "IOC,Valid From,Valid Until,Link\r\nkyliansuperm92139124[.]sbs,2023-06-20T00:00:00Z,2023-08-20T00:00:00Z,https://app.sekoia..."
  },
  {
    "path": "IOCs/emotet/2021-01-20_Emotet_Campaign.csv",
    "chars": 114938,
    "preview": "Indicator,Kill chain,Creation date,End of validity,Context\r\nshwetha@field-meetingapp.com,Delivery,2021-01-20T11:00:00Z,2..."
  },
  {
    "path": "IOCs/evilnum/20220721_EvilNum_domains_list.txt",
    "chars": 5023,
    "preview": "apidevops.org\nazcloudazure.com\nthismads.com\nnetpixelds.com\nam-reader.com\nmartinjo.com\nupservicemc.com\nsymantecq.com\ninfo..."
  },
  {
    "path": "IOCs/eviltokens/eviltokens_iocs_20260330.csv",
    "chars": 13107,
    "preview": "IOC, Valid From, Valid Until, Link\nonedrive-33i.amittal-prodwaresol-com-s-account.workers.dev,2026-03-19T00:00:00Z,2026-..."
  },
  {
    "path": "IOCs/eviltokens/yara_rules/phishing_eviltokens_phishing_pages.yar",
    "chars": 1090,
    "preview": "rule phishing_eviltokens_phishing_page {\n    meta:\n        malware = \"EvilTokens\"\n        description = \"Find EvilTokens..."
  },
  {
    "path": "IOCs/fakebat/fakebat_iocs_20240702.csv",
    "chars": 41392,
    "preview": "IOC, Valid From, Valid Until, Link\n0212top.online,2023-09-01T00:00:00Z,2024-02-28T00:00:00Z,https://app.sekoia.io/intell..."
  },
  {
    "path": "IOCs/fakebat/loader_fakebat_initial_powershell_may24.yar",
    "chars": 502,
    "preview": "rule loader_fakebat_initial_powershell_may24 {\n    meta:\n        malware = \"FakeBat\"\n        description = \"Finds FakeBa..."
  },
  {
    "path": "IOCs/fakebat/loader_fakebat_powershell_fingerprint_may24.yar",
    "chars": 917,
    "preview": "rule loader_fakebat_powershell_fingerprint_may24 {\n    meta:\n        malware = \"FakeBat\"\n        description = \"Finds Fa..."
  },
  {
    "path": "IOCs/gamaredon/yara.yar",
    "chars": 2339,
    "preview": "rule apt_GAMAREDON_HTMLSmuggling_Attachment {\n    meta:\n        id = \"a39b6e67-9327-4c5b-902a-b9853cfefc8e\"\n        vers..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/README.md",
    "chars": 1330,
    "preview": "# Global analysis of Adversary-in-the-Middle phishing threats\n\nThis repository contains technical artifacts of the AiTM..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/cephas/1_loading-page_beautified.html",
    "chars": 28469,
    "preview": "<html lang=\"en\">\n  <head>\n    <meta charset=\"UTF-8\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n    <me..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/cephas/2_phishing-page_decoded.html",
    "chars": 329383,
    "preview": "<html lang=\"en\">\n  <head>\n    <style id=\"default_css\">\n      /* <STRIPPED> */\n\n      @font-face {\n        font-family: \"..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/cephas/cephas-stripped.har",
    "chars": 29104,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/cephas/cephas.har",
    "chars": 1783939,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/cephas/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/0196ce8c-22cb-75f8-934b-6f56139d67d1/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilginx/1_loading-page_reformatted.html",
    "chars": 43870,
    "preview": "\n\n<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->\n<!DOCTYPE html>\n<html dir=\"ltr\" class=\"\" lang=\"en\">..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilginx/evilginx-ywnjb-stripped.har",
    "chars": 287176,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilginx/evilginx-ywnjb.har",
    "chars": 4841046,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilginx/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/0197573d-9165-74f8-b164-f97d03df28c7/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/1_page.html",
    "chars": 3837,
    "preview": "<!DOCTYPE html>\n<html lang=\"en\">\n <head>\n  <script type=\"text/javascript\">\n   // <STRIPPED>\n  </script>\n  <meta charset=..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/2.1_phishing-form_script1-deobfuscated.js",
    "chars": 204390,
    "preview": "var a0c = (function () {\n    var z = true\n    return function (e, N) {\n      var c = z\n        ? function () {..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/2.2_phishing-form_script2-deobfuscated.js",
    "chars": 87463,
    "preview": ";(() => {\n  'use strict'\n  var t = {\n      1: (t, r, e) => {\n        var n = e(5578),\n          o = e(7255),\n          i..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/2_phishing-form.html",
    "chars": 16337,
    "preview": "\n<!DOCTYPE html>\n\n<html class=\"\" dir=\"ltr\" lang=\"en\">\n<head>\n<title>Sign in to your account</title>\n<meta content=\"text/..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/evilproxy-stripped.har",
    "chars": 171737,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/evilproxy.har",
    "chars": 4806578,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/evilproxy/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/0197595e-7649-740a-a7a8-68ac52757068/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/1_captcha-page.html",
    "chars": 2683,
    "preview": "    <!DOCTYPE html>\n    <html lang=\"en\">\n\n    <head>\n        <title>⁤</title>\n        <meta charset=\"UTF-8\">\n        <me..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/2.1_loading-page_scripts-deobfuscated.js",
    "chars": 3118,
    "preview": "// https://couplevisa.com/456d5fg79h9gg/assets/js/url_helper.js\nfunction getBaseUrl() {\n  return window.baseUrl || ''\n}..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/2_loading-page.html",
    "chars": 11157,
    "preview": "    <html>\n\n    <head>\n        <title>⁤</title>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/3_phishing-page_decoded.html",
    "chars": 164222,
    "preview": "<html lang=\"en\">\n<head>\n    <title>Ac&#8203;co&#65279;unt sig&#8288;n in</title>\n    <meta http-equiv=\"X-UA-Compatible\"..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/gabagool-stripped.har",
    "chars": 76554,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/gabagool.har",
    "chars": 1316381,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/gabagool/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/0197377b-4e3d-7438-b955-c9ea469d916c/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/1.1_loading-page_decoded.html",
    "chars": 18769,
    "preview": "<html><head>\n   \n   <style>\n      #ab3599c083884 {\n      position: fixed;\n      top: 0;\n      bottom: 0;\n      left: 0;..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/1_loader-script_deobfuscated.js",
    "chars": 7913,
    "preview": "(() => {\n  \"use strict\";\n  var __webpack_modules__ = {962: function () {\n    var __classPrivateFieldGet = this && this._..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/2_captcha-page_rendered.html",
    "chars": 2809,
    "preview": "<html>\n  <head>\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalab..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/3_phishing-page_deobfuscated.html",
    "chars": 142295,
    "preview": "<html dir=\"ltr\" lang=\"en\" style=\"filter: hue-rotate(10deg)\"><head><meta charset=\"utf-8\"/>\n   <link href=\"data:image/png;..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/greatness-stripped.har",
    "chars": 24581,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/greatness.har",
    "chars": 684351,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/greatness/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/0197574c-c916-7244-9c63-b3a0dbd8585d/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/1_antibot-page.html",
    "chars": 2875,
    "preview": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"utf-8\">\n    <meta name=\"viewport\" content=\"width=device-wid..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/2_loader-page.html",
    "chars": 584,
    "preview": "<html>\n<head>\n    <style>\n        .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 5..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/3.1_phishing-page_rendered.html",
    "chars": 57119,
    "preview": "<!DOCTYPE html>\n<html id='html' sti='VlZORlVqQTNNRFV5TURJMVZUVXlNRFV3TnpVMg==' vic='' lang='en'>\n\n<head>\n    <script src..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/3_phishing-page_deobfuscated.html",
    "chars": 20177,
    "preview": "<!DOCTYPE html>\n<html id='html' sti='VlZORlVqQTNNRFV5TURJMVZUVXlNRFV3TnpVMg==' vic='' lang='en'>\n\n<head>\n    <script src..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/mamba-2fa-stripped.har",
    "chars": 64358,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/mamba-2fa.har",
    "chars": 1282362,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/mamba-2fa/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/019756b4-9e92-734f-bb45-84036db9180c/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/nakedpages/1_captcha-page.html",
    "chars": 6798,
    "preview": "<!doctype html>\n<html lang=\"en-US\">\n<head> \n  <script async defer src=\"https://challenges.cloudflare.com/turnstile/v0/ap..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/nakedpages/2_loading-page_beautified.html",
    "chars": 17418,
    "preview": "<!DOCTYPE html>\n<html dir=ltr xmlns=http://www.w3.org/1999/xhtml translate=no>\n  <head>\n    <script src=\"data:text/javas..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/nakedpages/nakedpage-stripped.har",
    "chars": 363998,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"Charles Proxy\",\n      \"version\": \"5.0.1\"\n    },\n    \"..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/nakedpages/urlscan_io.txt",
    "chars": 84,
    "preview": "https://c6a10d7c.bf89d0fd70b126f60de08c49.workers.dev/?qrc=dmljdGltQGV4YW1wbGUuY29t\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/saiga-2fa/urlscan_io.txt",
    "chars": 128,
    "preview": "https://urlscan.io/result/0195676e-fa18-7dd8-a65f-47d6bf4b2de8/\nhttps://urlscan.io/result/78781798-1dfa-4c3d-aa35-66a43b..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/1_initial-page.html",
    "chars": 4067,
    "preview": "<script>console.log(/'TvYzPsamU6/')</script><!DOCTYPE html>\r\n<html lang=\"en\">\r\n<head>\r\n    <meta charset=\"UTF-8\">\r\n    <..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/2_captcha-page.html",
    "chars": 8451,
    "preview": "<script>console.log(/'4m3VAl6Dao/')</script><!DOCTYPE html> <html lang=\"en\"> <head> <meta charset=\"UTF-8\"> <meta name=\"v..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/3.1_autograb-page_script-deobfuscated.js",
    "chars": 5221,
    "preview": "var link =\n  'OTEzZlRIZ3FBRk42dmU4YlZXdGhkeHBEbndSMG16bHpNUTlxNjcxbVBENDV1MndTb0tzV2Z2bldLMGF3azF1SjJqS2ZZYmx6Wnl5TFpvNG..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/3_autograb-page.html",
    "chars": 4424,
    "preview": "<script>console.log(/'xLeVs1cTXy/')</script>\r\n<!DOCTYPE html>\r\n<html lang=\"en\">\r\n<head>\r\n    <meta charset=\"UTF-8\">..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/4_phishing-form.html",
    "chars": 35833,
    "preview": "\n<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <meta charset=\"UTF-8\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/sneaky-2fa-stripped.har",
    "chars": 55324,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/sneaky-2fa.har",
    "chars": 4564938,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/sneaky-2fa/urlscan_io.txt",
    "chars": 64,
    "preview": "https://urlscan.io/result/01975949-8625-719e-b8eb-3327e5f06b2a/\n"
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/1_captcha-page.html",
    "chars": 2672,
    "preview": "    <html lang=\"en\">\n\n    <head>\n        <meta charset=\"UTF-8\">\n        <title>woodwind</title>\n        <!-- <span>She c..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/2.1_loading-page_decoded-skeleton.html",
    "chars": 2160,
    "preview": "<!DOCTYPE html>\n<html lang=\"en\">\n\n<head>\n    <!-- <span>Ut picanha flank, chicken sausage shoulder kielbasa cow.</span>..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/2.2_phishing-page_full-script-deobfuscated.js",
    "chars": 207192,
    "preview": "var file = 'aHR0cHM6Ly81MzM0NjM1NjcxLmNmZC9uZXh0LnBocA=='\r\nvar count = 0\r\nlet email, keyGlobal, token, numberSms, number..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/2.3_phishing-page_script-stripped.js",
    "chars": 15721,
    "preview": "// <STRIPPED> designates content that was removed from this file to workaround GitHub Code Search's file/line size limit..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/2.4_phishing-page_rendered.html",
    "chars": 8834,
    "preview": "<!-- <STRIPPED> designates content that was removed from this file to workaround GitHub Code Search's file/line size lim..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/2_loading-page.html",
    "chars": 6267,
    "preview": "<script>\nlet rh13z8jemt = ''; // Nostrud pig ad tri-tip, cupim proident eu duis et occaecat salami picanha shankle.\nif(\"..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/storm-1167-stripped.har",
    "chars": 61989,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/storm-1167.har",
    "chars": 1712412,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/storm-1167/urlscan_io.txt",
    "chars": 128,
    "preview": "https://urlscan.io/result/0197595b-c5cf-7208-8854-4d81d2bd779b/\nhttps://urlscan.io/result/0196cdca-c39f-7457-a832-1023a0..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/1.1_captcha-page_scripts-decoded.js",
    "chars": 3172,
    "preview": "var nr = window.location.hash.substr(1);\nif (nr) {\nwindow.location.replace('https://www.etsy.com');\n}\nif (navigator.webd..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/1_captcha-page.html",
    "chars": 6813,
    "preview": "<!DOCTYPE html>\n<html>\n<head>\n    <title>&#8203;</title>\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge,chrome=..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/2.1_decoy-page_script-decoded.html",
    "chars": 6935,
    "preview": "<script src=\"https://code.jquery.com/jquery-3.6.0.min.js\"></script>\n<script src=\"https://cdnjs.cloudflare.com/ajax/libs/..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/2_decoy-page.html",
    "chars": 14584,
    "preview": "<script>\r\ntnbKpsEdxe = atob;\r\nfunction TNHMWoVFmI(oSvwniVyUp, UnFJXIgcAc) {\r\nlet XNqagZghUe = '';\r\noSvwniVyUp = tnbKpsEd..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/3_loading-page.html",
    "chars": 214467,
    "preview": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n<head>\r\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypt..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/4.1_phishing-form_script1-decoded.js",
    "chars": 13051,
    "preview": "var otherweburl = \"\";\nvar websitenames = [\"godaddy\", \"okta\"];\nvar bes = [\"Apple.com\",\"Netflix.com\"];\nvar pes = [\"https:\\..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/4.2_phishing-form_script2-deobfuscated.js",
    "chars": 178673,
    "preview": "var webnotfound = false,\n  interacted = 0,\n  multipleaccountsback = 0\nlet wait2facancel = 0,\n  otptype = 0\nvar currentwe..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/4_phishing-form.html",
    "chars": 107781,
    "preview": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<!-- <div>Don&#039;t be afraid to give up the good to go for the great.</div> --..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/tycoon-2fa-stripped.har",
    "chars": 142217,
    "preview": "{\n  \"log\": {\n    \"version\": \"1.2\",\n    \"creator\": {\n      \"name\": \"mitmproxy\",\n      \"version\": \"12.0.1\",\n      \"comment..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/tycoon-2fa.har",
    "chars": 3205339,
    "preview": "{\n    \"log\": {\n        \"version\": \"1.2\",\n        \"creator\": {\n            \"name\": \"mitmproxy\",\n            \"version\": \"1..."
  },
  {
    "path": "IOCs/global-analysis-aitm-phishing-threats/tycoon-2fa/urlscan_io.txt",
    "chars": 128,
    "preview": "https://urlscan.io/result/0197594c-5c32-72d2-a59f-10d5498eab88/\nhttps://urlscan.io/result/0197594d-b533-769e-b403-85f3b7..."
  },
  {
    "path": "IOCs/hermeticwiper/yara_rules/wiper_HermeticWiper_variants.yar",
    "chars": 888,
    "preview": "import \"pe\"\nrule wiper_HermeticWiper_variants {\n    meta:\n        id = \"102ecf15-167e-49e4-932c-6334e3cdcc69\"\n        ve..."
  },
  {
    "path": "IOCs/i_paid_twice/i_paid_twice_iocs_20251106.csv",
    "chars": 13307,
    "preview": "IOC, Valid From, Valid Until, Link\nhttps://confirmation8324-booking.com/17149438,2025-09-27T00:00:00Z,2025-10-29T00:00:0..."
  },
  {
    "path": "IOCs/iclickfix/iclickfix_iocs_20260129.csv",
    "chars": 17276,
    "preview": "IOC, Valid From, Valid Until, Link\nmedi-care.gr,2025-11-05T00:00:00Z,2026-05-04T00:00:00Z,https://app.sekoia.io/intellig..."
  },
  {
    "path": "IOCs/iclickfix/yara_rules/infrastructure_iclickfix_cluster_ic_tracker_html_lure.yar",
    "chars": 1496,
    "preview": "rule infrastructure_iclickfix_cluster_ic_tracker_html_lure {\n    meta:\n        description = \"Find the HTML lure used by..."
  },
  {
    "path": "IOCs/iclickfix/yara_rules/infrastructure_iclickfix_cluster_ic_tracker_js_javascript1.yar",
    "chars": 901,
    "preview": "rule infrastructure_iclickfix_cluster_ic_tracker_js_javascript1 {\n    meta:\n        description = \"Find the first obfusc..."
  },
  {
    "path": "IOCs/iclickfix/yara_rules/infrastructure_iclickfix_cluster_ic_tracker_js_javascript2.yar",
    "chars": 1016,
    "preview": "rule infrastructure_iclickfix_cluster_ic_tracker_js_javascript2 {\n    meta:\n        description = \"Find the second JavaS..."
  },
  {
    "path": "IOCs/iclickfix/yara_rules/infrastructure_iclickfix_cluster_ic_tracker_js_wordpress.yar",
    "chars": 560,
    "preview": "rule infrastructure_iclickfix_cluster_ic_tracker_js_wordpress {\n   meta:\n       description = \"Find WordPress HTML compr..."
  },
  {
    "path": "IOCs/infra_seo_crack_stealers/infra_seo_crack_stealers_iocs_20230106.csv",
    "chars": 87185,
    "preview": "IOC, Valid From, Valid Until, Link\ncrackzero.com,2022-04-01T00:00:00Z,2023-07-01T00:00:00Z,https://app.sekoia.io/intelli..."
  },
  {
    "path": "IOCs/mallox/mallox_purecrypter_iocs_20240513.csv",
    "chars": 4446,
    "preview": "IOC, Valid From, Valid Until, Link\nhttp://80.66.76.251/Kpueez.exe,2024-04-15T00:00:00Z,2024-10-12T00:00:00Z,https://app...."
  },
  {
    "path": "IOCs/marsstealer/mars_stealer_iocs_20220407.csv",
    "chars": 30184,
    "preview": "type,ioc\nurl,hxxp://103.179.143[.]132/56ce.php\nurl,hxxp://13.58.70[.]215/gate.php\nurl,hxxp://13.58.70[.]215/request\nurl,..."
  },
  {
    "path": "IOCs/marsstealer/yara_rules/infostealer_marsstealer_early_version.yar",
    "chars": 1254,
    "preview": "rule infostealer_win_mars_stealer_early_version {\n    meta:\n        description = \"Identifies samples of Mars Stealer ea..."
  },
  {
    "path": "IOCs/marsstealer/yara_rules/infostealer_marsstealer_llcppc.yar",
    "chars": 584,
    "preview": "import \"pe\"\n\nrule infostealer_win_mars_stealer_llcppc {\n    meta:\n        description = \"Identifies samples of Mars Stea..."
  },
  {
    "path": "IOCs/marsstealer/yara_rules/infostealer_marsstealer_xor_routine.yar",
    "chars": 618,
    "preview": "rule infostealer_win_mars_stealer_xor_routine {\n    meta:\n        description = \"Identifies samples of Mars Stealer base..."
  },
  {
    "path": "IOCs/nobelium/2022_01_06_C2 Nobelium.csv",
    "chars": 436,
    "preview": "Type,IOC\r\ndomain,crochetnews[.]com\r\ndomain,dom-news[.]com\r\ndomain,readnewshot[.]com\r\ndomain,pharaosjournal[.]com\r\ndomain..."
  },
  {
    "path": "IOCs/nobelium/2022_01_06_NOBELIUM_MD5",
    "chars": 297,
    "preview": "054940ba8908b9e11f57ee081d1140cb\nb84c00ae9e7f9684b36d75a1a09f8210\n3d18bc4bfe1ec7b6b73a3fb39d490b64\nb87073c34a910f20a83c0..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/apt_nobelium_b64_to_Uint8Array.yar",
    "chars": 753,
    "preview": "rule apt_nobelium_b64_to_Uint8Array {\n    meta:\n        id = \"66c9b00b-f021-4115-b9ec-d1e1f491ce72\"\n        description..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/apt_nobelium_cs_loader_obfuscation.yar",
    "chars": 817,
    "preview": "import \"pe\"\nrule apt_nobelium_cs_loader_obfuscation {\n    meta:\n        id = \"5f21b031-3dc1-4dad-b775-6099bfcb0472\"..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/apt_nobelium_hta_in_iso.yar",
    "chars": 574,
    "preview": "rule apt_nobelium_hta_in_iso {\n    meta:\n        id = \"874ab41b-5c60-4303-8776-e1c10313a401\"\n        description = \"Matc..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/apt_nobelium_html_smuggling_iso.yar",
    "chars": 740,
    "preview": "rule apt_nobelium_html_smuggling_iso {\n    meta:\n        id = \"9bd5b626-8ea3-4607-a858-58deff18396c\"\n        version = \"..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/apt_nobelium_powsershell_reg_loader_decoded.yar",
    "chars": 643,
    "preview": "rule apt_nobelium_powsershell_reg_loader_decoded {\n    meta:\n        id = \"c8ee9c40-fa28-4b9a-98e8-88ccc4a16091\"..."
  },
  {
    "path": "IOCs/nobelium/yara_rules/rule apt_nobelium_hta_reg_dropper.yar",
    "chars": 882,
    "preview": "rule apt_nobelium_hta_reg_dropper {\n    meta:\n        id = \"9f6a2154-c33a-4c38-9667-7479bf49c310\"\n        description =..."
  },
  {
    "path": "IOCs/pikabot/pikabot_iocs_20240603.csv",
    "chars": 58573,
    "preview": "IOC, Valid From, Valid Until, Link\n192.248.159.76:2222,2024-02-29T00:00:00Z,2024-04-07T00:00:00Z,https://app.sekoia.io/i..."
  },
  {
    "path": "IOCs/privateloader/20220914_privateloader_IOC.csv",
    "chars": 16992,
    "preview": "IOC, Valid From, Valid Until, Link, Comment\nhttp://212.193.30.115/base/api/getData.php,2022-07-01T00:00:00Z,2023-02-11T0..."
  },
  {
    "path": "IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
    "chars": 1988,
    "preview": "03s30.com\n0dz.me\n0e.si\n0i.pm\n0i.wf\n0j.re\n0j.wf\n0p.rs\n0t.yt\n0v.wf\n0w.pm\n0x9.biz\n13j.me\n1h3.me\n1i.pm\n1j4.xyz\n1j.pm\n1k4.xyz..."
  },
  {
    "path": "IOCs/raccoonstealer/raccoon_stealer_iocs_20220628.csv",
    "chars": 72822,
    "preview": "type,ioc\nip,136.244.65[.]99\nip,138.197.179[.]146\nip,140.82.52[.]55\nip,142.132.180[.]233\nip,142.132.225[.]253\nip,142.132...."
  },
  {
    "path": "IOCs/roamingmantis/roaming_mantis_iocs_20220718.csv",
    "chars": 5571,
    "preview": "type,ioc,comment\nip,134.119.193[.]106,Android payload server\nip,134.119.193[.]108,Android payload server\nip,134.119.193[..."
  },
  {
    "path": "IOCs/ryuk/2020-10-29 C2 Ryuk.csv",
    "chars": 27869,
    "preview": "Indicator,Source,Kill chain,Creation date,End of validity,Context\n5.2.64.135,SEKOIA C2 Tracker,\"command-and-control \n\",2..."
  },
  {
    "path": "IOCs/sneaky2fa/sneaky2fa_iocs_20250116.csv",
    "chars": 6698,
    "preview": "ioc,first seen,domain creation,description,comment\nflorenceorganics.us,2024-10-08,2022-04-19,attacker-controlled domain,..."
  },
  {
    "path": "IOCs/stealc/scripts/IDA_strings_deobfuscator.py",
    "chars": 2004,
    "preview": "from idaapi import *\nfrom ida_bytes import *\nfrom ida_name import *\nfrom base64 import b64decode\nfrom string import asci..."
  },
  {
    "path": "IOCs/stealc/scripts/stealc_stealer_c2_extractor.py",
    "chars": 3824,
    "preview": "from base64 import b64decode\nfrom pefile import PE, SectionStructure\nfrom cryptography.hazmat.primitives.ciphers import..."
  },
  {
    "path": "IOCs/stealc/stealc_iocs_20230220.csv",
    "chars": 27257,
    "preview": "IOC, Valid From, Valid Until, Link\n91.215.85[.]188,2023-02-14T00:00:00Z,2023-02-27T00:00:00Z,https://app.sekoia.io/intel..."
  },
  {
    "path": "IOCs/stealc/suricata_rules/infostealer_stealc.rules",
    "chars": 1363,
    "preview": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"SEKOIA.IO Malware Stealc POST request: hwid, build\"; flow:establishe..."
  },
  {
    "path": "IOCs/stealc/yara_rules/infostealer_stealc_behavior.yar",
    "chars": 724,
    "preview": "import \"vt\"\n\nrule infostealer_win_stealc_behaviour {\n\tmeta:\n\t\tmalware = \"Stealc\"\n\t\tdescription = \"Find Stealc sample bas..."
  },
  {
    "path": "IOCs/stealc/yara_rules/infostealer_stealc_standalone.yar",
    "chars": 948,
    "preview": "rule infostealer_win_stealc_standalone {\n    meta:\n        malware = \"Stealc\"\n        description = \"Find standalone Ste..."
  },
  {
    "path": "IOCs/tycoon2fa/tycoon2fa_iocs_20240325.csv",
    "chars": 8567,
    "preview": "IOC, Valid From, Valid Until, Link\np1v12.17nor.com,2024-02-06T00:00:00Z,2024-09-07T00:00:00Z,https://app.sekoia.io/intel..."
  },
  {
    "path": "LICENSE.md",
    "chars": 1897,
    "preview": "# Detection Rule License (DRL) 1.1\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this..."
  },
  {
    "path": "MaltegoTransforms/LICENSE.md",
    "chars": 1066,
    "preview": "MIT License\n\nCopyright (c) 2022 SEKOIA.IO\n\nPermission is hereby granted, free of charge, to any person obtaining a copy..."
  },
  {
    "path": "MaltegoTransforms/README.md",
    "chars": 2710,
    "preview": "# SEKOIA.IO Maltego Transforms\r\n\r\nWelcome to the Sekoia Maltego Transform repository!\r\n\r\nTo help the Threat Intelligence..."
  },
  {
    "path": "MaltegoTransforms/requirements.txt",
    "chars": 10,
    "preview": "ipaddress\n"
  },
  {
    "path": "MaltegoTransforms/transforms/config.yaml",
    "chars": 240,
    "preview": "apis:\n    virustotal:\n        url: https://www.virustotal.com/api/v3/\n        api_key: <your api key>\ntools:\n    hexedit..."
  },
  {
    "path": "MaltegoTransforms/transforms/libs/config.py",
    "chars": 88,
    "preview": "import yaml\n\nfile = open(\"config.yaml\")\nconfig = yaml.load(file, Loader=yaml.FullLoader)"
  },
  {
    "path": "MaltegoTransforms/transforms/libs/transform.py",
    "chars": 7499,
    "preview": "#!/usr/bin/python \n#######################################################\n# Maltego Python Local Transform Helper..."
  },
  {
    "path": "MaltegoTransforms/transforms/openwith.py",
    "chars": 3478,
    "preview": "from libs.transform import MaltegoTransform\nfrom libs.config import config\nimport subprocess as sp\nimport argparse\nimpor..."
  },
  {
    "path": "MaltegoTransforms/transforms/virustotal-behaviour.py",
    "chars": 32724,
    "preview": "from libs.transform import MaltegoTransform, MaltegoEntity\nfrom requests.packages.urllib3.exceptions import InsecureRequ..."
  },
  {
    "path": "MaltegoTransforms/transforms/virustotal.py",
    "chars": 108568,
    "preview": "from libs.transform import MaltegoTransform, MaltegoEntity\nfrom requests.packages.urllib3.exceptions import InsecureRequ..."
  },
  {
    "path": "README.md",
    "chars": 652,
    "preview": "# Community\n\nWelcome to the SEKOIA.IO Community repository! This repository contains IOCs, cyber threat intelligence mat..."
  },
  {
    "path": "events/README.md",
    "chars": 5474,
    "preview": "# Events\n\nThis section contains data files that are used by the Operation Center to help analysts better understand thei..."
  },
  {
    "path": "events/lookups.json",
    "chars": 15633,
    "preview": "{\n  \"user.id\": [{\n    \"values\": {\n      \"S-1-0\": \"Null Authority\",\n      \"S-1-0-0\": \"Nobody\",\n      \"S-1-1\": \"World Auth..."
  },
  {
    "path": "events/smart-descriptions.json",
    "chars": 134937,
    "preview": "{\n  \"office 365\": [\n    {\n      \"value\": \"User {user.name} performed action {action.name} on service {service.name} from..."
  },
  {
    "path": "playbooks/templates/Alerts_Shodan_Enrichment.json",
    "chars": 7271,
    "preview": "{\n    \"name\": \"Enrich with Shodan\",\n    \"nodes\": {\n        \"0\": {\n            \"icon\": \"data:image/svg+xml;base64,PHN2ZyB..."
  },
  {
    "path": "playbooks/templates/CrowdSec_alert_enrichment.json",
    "chars": 18946,
    "preview": "{\n    \"name\": \"Enrich with CrowdSec Smoke database\",\n    \"nodes\": {\n        \"0\": {\n            \"name\": \"Manual Trigger\",..."
  },
  {
    "path": "playbooks/templates/Crowdstrike_dissemination.json",
    "chars": 17927,
    "preview": "{\n    \"name\": \"Disseminate IOCs to CrowdStrike Falcon\",\n    \"nodes\": {\n        \"0\": {\n            \"name\": \"Feed IOC Cons..."
  },
  {
    "path": "playbooks/templates/DigitalShadows_SearchLight_fetch_alerts.json",
    "chars": 6348,
    "preview": "{\n    \"name\": \"Fetch alerts from Digital Shadows SearchLight\",\n    \"nodes\": {\n        \"0\": {\n            \"icon\": \"data:i..."
  },
  {
    "path": "playbooks/templates/Enrich_alerts_with_AbuseIPDB.json",
    "chars": 5078,
    "preview": "{\n    \"name\": \"Enrich alerts with AbuseIPDB\",\n    \"uuid\": \"0d745afb-de40-4a7d-af5f-e448ffe9f0ee\",\n    \"nodes\": {..."
  },
  {
    "path": "playbooks/templates/Enrich_alerts_with_VirusTotal_Hash.json",
    "chars": 8297,
    "preview": "{\n    \"name\": \"Scan for hash on VirusTotal\",\n    \"uuid\": \"558a4c09-bb8c-4d11-9c26-635c43ba9fd0\",\n    \"nodes\": {..."
  },
  {
    "path": "playbooks/templates/Enrich_alerts_with_hostnames.json",
    "chars": 15281,
    "preview": "{\n    \"name\": \"Enrich alerts with hostnames\",\n    \"nodes\": {\n        \"1\": {\n            \"icon\": \"data:image/svg+xml;base..."
  },
  {
    "path": "playbooks/templates/Enrich_with_IKnow_What_You_Download.json",
    "chars": 4352,
    "preview": "{\n    \"name\": \"Enrich with IKnowWhatYouDownload\",\n    \"nodes\": {\n        \"0\": {\n            \"name\": \"alert_webhook\",..."
  },
  {
    "path": "playbooks/templates/HTTP_request_Remediation.json",
    "chars": 11789,
    "preview": "{\n    \"uuid\": \"9743354f-39bc-4172-b570-a75c9ce55a9b\",\n    \"name\": \"[Training usecase] Post an HTTP request based on aler..."
  },
  {
    "path": "playbooks/templates/OSINT_to_observables.json",
    "chars": 1658,
    "preview": "{\n    \"name\": \"Generic Fetch OSINT to observable\",\n    \"workspace\": \"Intelligence Center\",\n    \"description\": \"Retrieve..."
  },
  {
    "path": "playbooks/templates/Reject_old_alerts.json",
    "chars": 4267,
    "preview": "{\n    \"name\": \"Reject old alerts (1 year)\",\n    \"uuid\": \"2737166d-caa0-4c8d-bc28-d9c17125c948\",\n    \"nodes\": {\n        \"..."
  },
  {
    "path": "playbooks/templates/Shodan_search_to_observables.json",
    "chars": 2502,
    "preview": "{\n    \"name\": \"Shodan search to observables\",\n    \"description\": \"Get IP addresses from a shodan search and add it to Ob..."
  },
  {
    "path": "playbooks/templates/Tranco_top_domains_to_observables.json",
    "chars": 5403,
    "preview": "{\n    \"name\": \"Tranco top domains to observables\",\n    \"nodes\": {\n        \"0\": {\n            \"name\": \"Fetch Tranco\",..."
  },
  {
    "path": "playbooks/templates/URL_scan_VirusTotal_Enrichement.json",
    "chars": 16404,
    "preview": "{\n    \"name\": \"[Training usecase] Scan for url on VirusTotal\",\n    \"description\": \"Enrich to check if this url.domain is..."
  },
  {
    "path": "playbooks/templates/VirusTotal_Enrichement.json",
    "chars": 25733,
    "preview": "{\n    \"name\": \"Enhance network alerts with VirusTotal\",\n    \"nodes\": {\n        \"0\": {\n            \"name\": \"Manual trigge..."
  }
]

// ... and 814 more files (download for full content)

About this extraction

This page contains the full source code of the SEKOIA-IO/Community GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 1016 files (47.2 MB), approximately 7.8M tokens.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.