{ "id": "f664b629-297e-442f-8a67-425015a91e6a", "created_at": "2026-04-06T01:29:02.732963Z", "updated_at": "2026-04-10T13:12:42.548429Z", "deleted_at": null, "sha1_hash": "8a334cf52006c753baa8e990275241ccfd7c7ec5", "title": "GitHub - Tera0017/TAFOF-Unpacker: TA505 unpacker Python 2.7", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 86346, "plain_text": "GitHub - Tera0017/TAFOF-Unpacker: TA505 unpacker Python 2.7\r\nBy Tera0017\r\nArchived: 2026-04-06 00:18:14 UTC\r\nTA505 Unpacker is a python 2.7 script that is able to unpack statically, x86 and x64 TA505 packed samples.\r\nCurrently malware spotted to be packed with that packer:\r\nGetandGoDll\r\nSilence (https://twitter.com/Vishnyak0v/status/1199620846823890944)\r\nTinyMet (https://twitter.com/darb0ng/status/1202823405747073024)\r\nAzorult (https://twitter.com/Vishnyak0v/status/1204312402306752513)\r\nKBMiner (https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Eremin_Bot_with_rootkit.pdf)\r\n...\r\nUsage\r\n$ python ta505_unpacker.py -h\r\n▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███\r\n▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒█\r\n▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ █\r\n░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█\r\n ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░\r\n ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒\r\n ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒\r\n ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░\r\n ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░\r\n ░\r\n|--\u003eTA505 Unpacker.\r\nusage: ta505_unpacker.py [-h] [-f FILE] [-x] [-u]\r\nTA505 Unpacker.\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n -f FILE, --file FILE File to decrypt.\r\n -x, --xls Extract bin from XLS, default to False.\r\n -u, --upx UPX decryption to final payload, default to False.\r\nExample 1.1: GetandGoDLL from XLS file.\r\nhttps://github.com/Tera0017/TAFOF-Unpacker\r\nPage 1 of 4\n\n$ python ta505_unpacker.py -uxf tafof_xls_getandgodll.xls\r\n▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███\r\n▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒█\r\n▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ █\r\n░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█\r\n ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░\r\n ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒\r\n ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒\r\n ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░\r\n ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░\r\n ░\r\n|--\u003eTA505 Unpacker.\r\n|--\u003e Extracting binaries from XLS.\r\n|--\u003e Extracted TA505 binary from XLS: TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Extracted TA505 binary from XLS: TA505_XLS_bin_x64_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Starting TA505 Unpacker\r\n|--\u003e Loaded Packed Exe Data: TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Encrypted Layer One size: 0X3C960\r\n|--\u003e Found Encrypted Code\r\n|--\u003e Found XOR KEY: 0X79AA\r\n|--\u003e Layer One encryption: rol_4\r\n|--\u003e Decrypted TA505 First Layer\r\n|--\u003e Unpacked TA505: TA505_unpacker_TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Unpacked TA505 UPX: TA505_UPX_unpacker_TA505_XLS_bin_x86_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Unpacked Successfully\r\nExample 1.2: GetandGoDLL from XLS file (updated version x86/x64).\r\nhttps://github.com/Tera0017/TAFOF-Unpacker\r\nPage 2 of 4\n\n$ python ta505_unpacker.py -uxf tafof_xls_getandgodll.xls\r\n▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███\r\n▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒█\r\n▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ █\r\n░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█\r\n ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░\r\n ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒\r\n ░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒\r\n ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░\r\n ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░\r\n ░\r\n|--\u003e TA505 Unpacker.\r\n|--\u003e Extracting binaries from XLS.\r\n|--\u003e Extracted TA505 binary from XLS: TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Extracted TA505 binary from XLS: TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Starting TA505 x86 Unpacker\r\n|--\u003e Loaded Packed Exe Data: TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Encrypted Layer One size: 0X3C960\r\n|--\u003e Found Encrypted Code\r\n|--\u003e Found XOR KEY: 0X79AA\r\n|--\u003e Layer One encryption: rol_4\r\n|--\u003e Decrypted TA505 First Layer\r\n|--\u003e Unpacked TA505 x86: TAFOF_unpacker_TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Unpacked TA505 UPX Layer 2: TAFOF_UPX2_unpacker_TAFOF_XLS_bin_x86_1_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Unpacked x86 Successfully\r\n|--\u003e Starting TA505 x64 Unpacker\r\n|--\u003e Unpacked TA505 UPX Layer 1: TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Loaded Packed Exe Data: TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Encrypted Layer One size: 0X34FB0\r\n|--\u003e Found Encrypted Code\r\n|--\u003e Found XOR KEY: 0X7D74\r\n|--\u003e Layer One encryption: rol_7\r\n|--\u003e Decrypted TA505 First Layer\r\n|--\u003e Unpacked TA505 x64: TAFOF_unpacker_TAFOF_UPX1_unpacker_TAFOF_XLS_bin_x64_2_tafof_xls_getandgodll.xls.bin\r\n|--\u003e Unpacked x64 Successfully\r\nExample 2: Silence.\r\n$ python ta505_unpacker.py -uf tafof_silence.bin\r\n▄▄▄█████▓▄▄▄ █████▒█████ █████▒ █ ██ ███▄ █ ██▓███\r\n▓ ██▒ ▓▒████▄ ▓██ ▒██▒ ██▓██ ▒ ██ ▓██▒██ ▀█ █▓██░ ██▒█\r\n▒ ▓██░ ▒▒██ ▀█▄ ▒████ ▒██░ ██▒████ ░ ▓██ ▒██▓██ ▀█ ██▓██░ █\r\n░ ▓██▓ ░░██▄▄▄▄██░▓█▒ ▒██ ██░▓█▒ ░ ▓▓█ ░██▓██▒ ▐▌██▒██▄█\r\n ▒██▒ ░ ▓█ ▓██░▒█░ ░ ████▓▒░▒█░ ▒▒█████▓▒██░ ▓██▒██▒ ░\r\n ▒ ░░ ▒▒ ▓▒█░▒ ░ ░ ▒░▒░▒░ ▒ ░ ░▒▓▒ ▒ ▒░ ▒░ ▒ ▒▒▓▒░ ░ ░ ░▒\r\nhttps://github.com/Tera0017/TAFOF-Unpacker\r\nPage 3 of 4\n\n░ ▒ ▒▒ ░░ ░ ▒ ▒░ ░ ░░▒░ ░ ░░ ░░ ░ ▒░▒ ░ ░ ▒ ░ ░▒ ▒\r\n ░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░░░ ░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░\r\n ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░\r\n ░\r\n|--\u003eTA505 Unpacker.\r\n|--\u003e Starting TA505 Unpacker\r\n|--\u003e Loaded Packed Exe Data: tafof_silence.bin\r\n|--\u003e Encrypted Layer One size: 0X23280\r\n|--\u003e Found Encrypted Code\r\n|--\u003e Found XOR KEY: 0X5EFE\r\n|--\u003e Layer One encryption: rol_7\r\n|--\u003e Decrypted TA505 First Layer\r\n|--\u003e Unpacked TA505: TA505_unpacker_tafof_silence.bin\r\n|--\u003e Unpacked Successfully\r\nRequirements\r\nyara-python (latest tested version \"4.0.1\")\r\npefile (latest tested version \"2019.4.18\")\r\nUPX\r\nSupport\r\nIn case some files are not working, please make sure its packed with TA505 packer, if yes please provide me the\r\nhash in a DM @Tera0017.\r\nRegards\r\nSource: https://github.com/Tera0017/TAFOF-Unpacker\r\nhttps://github.com/Tera0017/TAFOF-Unpacker\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://github.com/Tera0017/TAFOF-Unpacker" ], "report_names": [ "TAFOF-Unpacker" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438942, "ts_updated_at": 1775826762, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8a334cf52006c753baa8e990275241ccfd7c7ec5.pdf", "text": "https://archive.orkl.eu/8a334cf52006c753baa8e990275241ccfd7c7ec5.txt", "img": "https://archive.orkl.eu/8a334cf52006c753baa8e990275241ccfd7c7ec5.jpg" } }