Skip to content

cccs-rs/Configuration_extractors

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

103 Commits
.gitignore
.gitignore
 
 
AsyncRAT_config_extractor.py
AsyncRAT_config_extractor.py
 
 
DcRat_config_extract.py
DcRat_config_extract.py
 
 
DynamicRAT_config_decrypt.py
DynamicRAT_config_decrypt.py
 
 
ISFB_DecryptBSS.py
ISFB_DecryptBSS.py
 
 
ISFB_URSNIF_config_extract.py
ISFB_URSNIF_config_extract.py
 
 
IcedID_decrypt.py
IcedID_decrypt.py
 
 
QuasarRAT_config_extractor.py
QuasarRAT_config_extractor.py
 
 
README.md
README.md
 
 
aurora_config_extractor.py
aurora_config_extractor.py
 
 
darkgate_config_extractor.py
darkgate_config_extractor.py
 
 
darkvnc_config_extract.py
darkvnc_config_extract.py
 
 
icedid_first_stage_decrypt.py
icedid_first_stage_decrypt.py
 
 
lumma_config_extract.py
lumma_config_extract.py
 
 
meduza_stealer_config_extractor.py
meduza_stealer_config_extractor.py
 
 
metastealer_config_extractor.py
metastealer_config_extractor.py
 
 
metastealer_string_decryptor.py
metastealer_string_decryptor.py
 
 
poseidon_config_extractor.py
poseidon_config_extractor.py
 
 
raccoonstealerv2_c2_mutex_extract.py
raccoonstealerv2_c2_mutex_extract.py
 
 
requirements.txt
requirements.txt
 
 
solarmarker_payload_extractor.py
solarmarker_payload_extractor.py
 
 
vidar_config_extractor.py
vidar_config_extractor.py
 
 
whitesnake_config_extractor_rc4_obfuscated.py
whitesnake_config_extractor_rc4_obfuscated.py
 
 
whitesnake_config_extractor_xor_obfuscated.py
whitesnake_config_extractor_xor_obfuscated.py
 
 

Repository files navigation

Configuration_extractors

Unless otherwise indicated, the samples mentioned can be found in MalwareBazaar or VirusTotal.

DcRAT:

The configuration extractor was tested on the following samples:

a2766b20b3d09b2eee3a9805cffef7228dc2eab1265a6fbc1e98f67105ae51b9 da642fc983f09b106c32181f7e66d0cad426924650594ca613e5ce5b25b71493 4530c2681887c0748cc2ecddb1976d15ad813a4a01e5810fd8b843adcd2fd3d0

DynamicRAT:

The configuration extractor was tested on the following samples:

41a037f09bf41b5cb1ca453289e6ca961d61cd96eeefb1b5bbf153612396d919 856a3df5b1930c1fcd5fdce56624f6f26a7e829ea331a182b4a28fd2707436f1 b2a3112be417feb4f7c3b3f0385bdaee9213bf9cdc82136c05ebebb835c19a65

IcedID First Stage Configuration Extractor:

The configuration extractor was tested on the following samples:

8fc683128de2f77baddeff88b5fb427c70f9f099cd293032d780e3e06b6f947b fd37c98782453214bab6484f6045b796a5a3dc7ebba9a894f6783817eef6c9c7 dd651c2ffe94faf59e3a3db2da56e05a1a12fcae7cd5f87881d1cb036be3ec2a 59b1721e3c3a42079673bebeb36e8c47dad88e93bdebcd6bb1468c4ca1235732

All samples can be found on https://www.unpac.me/

LummaStealer:

The configuration extractor was tested on the following samples: 988f54f9694dd1ae701bacec3b83c752

MetaStealer:

The configuration extractor was tested on the following samples: 5f690cddc7610b8d4aeb85b82979f326373674f9f4032ee214a65758f4e479be

QuesarRAT:

The configuration extractor was tested on the following samples:

1e7d39f39a804c0c1c3ebbcb7f5b0009bee68ee3c1b9ed396ac6c0098c2dc60b

RemcosRAT:

The configuration extractor was tested on the following samples:

63a2dcb487d0d875688f4e4d5251a93b 2734bb37c9994c543ea81e33a79384053a4635fe7b2f1c8d3fe78d6640b7de9a

Poseidon Stealer:

The configuration extractor was tested on the following samples:

935bab8750187b584e23fb8a522200bcdf526db3c7ece0c6e909ee6e48f4321f

Vidar Stealer:

The configuration extractor was tested on the following samples:

37c74886ce85682039bced4a6423e233aebd962921d9a76008d19ff75483a52c 6956fb2dd65d6627c23b680d4149983017bcb8e8b8fc1d30a5210998ca8cf801 3a7512884d5e269a6c9d74a0af38c0d4d4b95bdbe5c7cc8d8608e84a725d2134 bd6370870671ccc61bb9a7ae5d31abc446e893dce15eeaff13deeb64f9317926 ed28af0855aa6e00776f3633c15663e4a930f54ac399b48369f485e31250849b b30bdc75d85cac464fcc59df6a1db4c7ca19c93c2b42db961b41fd814c230d80 505e21494deb4e828da8bdfa386fa59a2599f89dc87276f25bd6d923aed13f83 eba331ce626b9c6ca338c439b608d5234bfd0d0d5408de9e8b64e131435e4216

WhiteSnake Stealer - XOR:

The configuration extractor was tested on the following samples:

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50 c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7

Extractor Usage

Ensure you have all the appropriate Python packages installed on your host before running the extractors.

Note: If running on a Linux system, ensure to install mono and dnlib

Directly via Python

python <python_extractor_path> <sample_path>

Using the MACO CLI

Since the extractors have been ported to the MACO extractor framework, you can run extractors by:

maco <python_extractor_path_or_directory> <sample_path>

Using ConfigExtractor-py CLI (Supports MACO extractors)

cx <python_extractor_path_or_directory> <sample_path>

About

Configuration Extractors for Malware

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%