This is a small update, to add extra statistical information for decoded items.
base64dump_V0_0_24.zip (http)
MD5: 47FDC47A9235CEF2DF95D1FC12BC166E
SHA256: FAF376E267CE6937BAB7544EA4AF9DD40499886992E7DA3855C16C73C02276B1
This new version of rtfdump, my tool to analyze RTF files, brings json output for options -O and -F.
rtfdump_V0_0_11.zip (http)
Here’s a new beta version of my tool pngdump.py, a tool to analyze PNG files.
I took a look at all files on MalwareBazaar with a PNG tag, and made updates to pngdump.py to handle them.
I found 3 types of “PNG” files.
First, files spoofing PNG files: files that are not PNG files, but have a .png extension.
Like .exe and .rar files:


Second, valid PNG files with an appended payload:


Third, invalid PNG files. For example, PNG files with the right record structure, but where the Zlib compressed image is replaced by an RC4 encrypted payload (IcedID):

I also have other samples, but that’s for another blog post.
Beta version 0.0.3 is available on GitHub.
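The three categories above map onto three checks a PNG parser can make: is the 8-byte signature present, does anything follow the IEND chunk, and does the concatenated IDAT data actually decompress as zlib. The script below is an added illustration of that triage, not pngdump.py’s own code; the sample PNG it builds (a 1x1 grayscale image) and the function and verdict names are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png(idat_payload=None) -> bytes:
    """Constructed 1x1 grayscale PNG. idat_payload replaces the zlib stream, which lets us
    simulate an image whose compressed data was swapped for something else."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color type 0
    idat = zlib.compress(b"\x00\x00") if idat_payload is None else idat_payload  # filter byte + 1 pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def triage_png(data: bytes) -> dict:
    """Walk the chunk structure and return a verdict:
    not-png          signature missing (file spoofing a .png extension)
    truncated        chunk structure runs past the end of the file
    idat-not-zlib    record structure is fine but IDAT does not inflate
    appended-payload valid image followed by extra bytes after IEND
    valid            none of the above"""
    result = {"verdict": "valid", "chunks": [], "crc_errors": 0, "trailing_bytes": 0}
    if not data.startswith(PNG_SIGNATURE):
        result["verdict"] = "not-png"
        return result
    pos = len(PNG_SIGNATURE)
    idat = b""
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            result["crc_errors"] += 1
        result["chunks"].append(ctype.decode("ascii", "replace"))
        if ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        result["verdict"] = "truncated"
        return result
    result["trailing_bytes"] = len(data) - pos
    try:
        zlib.decompress(idat)
    except zlib.error:
        result["verdict"] = "idat-not-zlib"
        return result
    if result["trailing_bytes"]:
        result["verdict"] = "appended-payload"
    return result


if __name__ == "__main__":
    for label, sample in [
        ("clean", build_minimal_png()),
        ("spoofed", b"MZ\x90\x00" + bytes(60)),
        ("appended", build_minimal_png() + b"MZ" + bytes(100)),
        ("tampered IDAT", build_minimal_png(idat_payload=b"\x8f\x13\x42\x77\xa1\x0c")),
    ]:
        print(label, triage_png(sample))
```

A CRC mismatch is reported separately rather than as a verdict: an encrypted blob dropped into IDAT may or may not come with a recomputed CRC, so the decompression check is the reliable signal and the CRC count is supporting evidence.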
This update adds the option --trim to template process-text-files.py.
python-templates_V0_0_8.zip (http)
This version of my strings.py program adds option -N to select strings that end with a NUL character (C-strings).
strings_V0_0_8.zip (http)
A new option was added to limit the number of requests: -l (--limitrequests).
virustotal-search_V0_1_7.zip (http)
This is a small update: when non-hexadecimal characters are found, they are listed before an exception is raised.
hex-to-bin_V0_0_6.zip (http)
This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py.
The tool has been updated for Python 3, and 3 new plaintexts have been added, all for Cobalt Strike configurations.
cs-key is the header of the configuration entry for the public key.
cs-key-dot is the header of the configuration entry for the public key XORed with value 0x2E (a dot).
cs-key-i is the header of the configuration entry for the public key XORed with value 0x69 (letter i).
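The idea behind a known-plaintext attack on repeating-key XOR is simple: wherever the known header sits in the ciphertext, ciphertext XOR header yields a slice of the key stream, and a slice that repeats with a short period gives the key. The code below is an added example of that recovery, not xor-kpa.py’s own implementation; the configuration header and the 4-byte key are constructed for the demo (the real Cobalt Strike header bytes are not reproduced here), and the function names are my own.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def smallest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every i; len(stream) when it never repeats."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 64) -> list:
    """Slide the known plaintext over the ciphertext. At the right offset, ciphertext XOR
    plaintext is a slice of the repeating key stream; an offset is accepted only when that
    slice shows a period p <= max_key_len confirmed by at least two full repetitions.
    Each hit carries the key re-aligned to ciphertext offset 0."""
    hits = []
    n = len(known_plaintext)
    for offset in range(len(ciphertext) - n + 1):
        fragment = xor_bytes(ciphertext[offset:offset + n], known_plaintext)
        p = smallest_period(fragment)
        if p > max_key_len or n < 2 * p:
            continue
        # fragment[i] == key[(offset + i) % p], hence key[k] == fragment[(k - offset) % p]
        key = bytes(fragment[(k - offset) % p] for k in range(p))
        hits.append({"offset": offset, "key": key})
    return hits


# Constructed sample: a fake configuration with a known header, XORed with a 4-byte key.
SAMPLE_KEY = b"\x2e\x69\x11\xa5"
KNOWN_HEADER = b"HEADER-PUBKEY:"
SAMPLE_PLAINTEXT = b"junk-prefix-" + KNOWN_HEADER + bytes(range(16))
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for hit in recover_xor_key(SAMPLE_CIPHERTEXT, KNOWN_HEADER):
        print("offset %d key %s" % (hit["offset"], hit["key"].hex()))
```

The requirement that the known plaintext cover at least two key periods is what keeps false hits down: a 14-byte header can only confirm keys of up to 7 bytes, so longer keys need a longer known plaintext. This is also why the dot- and i-XORed variants of the header are useful as separate plaintexts: the same header, pre-transformed, matches a configuration that was obfuscated one extra step.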

A small update for my translate.py program.
Python function Xor now takes 2 extra, optional arguments:
hexadecimal: a boolean, by default False.
When True, the key is provided as a hexadecimal string.
rotation: an integer, by default 0.
This is the number of bytes to rotate the key to the left. For example, when the key is ABCD, a rotation value of 1 yields key BCDA.
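To make the two options concrete, here is an added example of a repeating-key XOR function with the same hexadecimal and rotation semantics; it is not translate.py’s own Xor, and the names xor, rotate_left and realign_carved are mine. The last function shows the typical reason for a rotation: a fragment carved from the middle of an XORed stream starts partway through the key.

```python
import binascii


def rotate_left(key: bytes, rotation: int) -> bytes:
    """Rotate the key left by `rotation` bytes: ABCD rotated by 1 is BCDA."""
    rotation %= len(key)
    return key[rotation:] + key[:rotation]


def xor(data: bytes, key, hexadecimal: bool = False, rotation: int = 0) -> bytes:
    """Repeating-key XOR with the two options described above:
    hexadecimal=True  -> key is a hex string such as "41424344"
    rotation=n        -> key is rotated n bytes to the left before use"""
    if isinstance(key, str):
        key = key.encode("latin-1")
    if hexadecimal:
        key = binascii.unhexlify(key)
    if not key:
        raise ValueError("key must not be empty")
    key = rotate_left(key, rotation)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def realign_carved(carved: bytes, key: bytes, start_offset: int) -> bytes:
    """Decode a fragment carved from `start_offset` of a stream that was XORed with a
    repeating key from offset 0: the key has to be rotated by start_offset mod len(key)."""
    return xor(carved, key, rotation=start_offset % len(key))


if __name__ == "__main__":
    print(xor(b"hello", "41424344", hexadecimal=True).hex())
    stream = xor(bytes(10), b"ABCD")          # constructed: the key stream itself
    print(realign_carved(stream[3:], b"ABCD", 3))  # all zero bytes once re-aligned
```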
translate_v2_5_12.zip (http)
This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p.
You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin: