CAPE-parsers 0.1.41__py3-none-any.whl → 0.1.44__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- cape_parsers/CAPE/community/Lumma.py +6 -4
- cape_parsers/CAPE/core/Stealc.py +21 -0
- {cape_parsers-0.1.41.dist-info → cape_parsers-0.1.44.dist-info}/METADATA +2 -2
- {cape_parsers-0.1.41.dist-info → cape_parsers-0.1.44.dist-info}/RECORD +6 -5
- {cape_parsers-0.1.41.dist-info → cape_parsers-0.1.44.dist-info}/LICENSE +0 -0
- {cape_parsers-0.1.41.dist-info → cape_parsers-0.1.44.dist-info}/WHEEL +0 -0
|
@@ -43,13 +43,15 @@ RULE_SOURCE_LUMMA_NEW_KEYS = """rule LummaConfigNewKeys
|
|
|
43
43
|
author = "YungBinary"
|
|
44
44
|
strings:
|
|
45
45
|
$key_nonce = {
|
|
46
|
-
B8
|
|
47
|
-
BF ?? ?? ?? ??
|
|
46
|
+
B8 [4]
|
|
47
|
+
(BF ?? ?? ?? ??
|
|
48
|
+
B9 08 00 00 00|
|
|
48
49
|
B9 08 00 00 00
|
|
50
|
+
BF ?? ?? ?? ??)
|
|
49
51
|
96
|
|
50
52
|
F3 A5
|
|
51
53
|
96
|
|
52
|
-
B8
|
|
54
|
+
B8
|
|
53
55
|
}
|
|
54
56
|
condition:
|
|
55
57
|
uint16(0) == 0x5A4D and $key_nonce
|
|
@@ -63,7 +65,7 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
|
|
|
63
65
|
$encrypted_array = {
|
|
64
66
|
C1 E? 07
|
|
65
67
|
8D 8? [4]
|
|
66
|
-
8D 74 24
|
|
68
|
+
8D 74 24 ??
|
|
67
69
|
FF [1-3]
|
|
68
70
|
56
|
|
69
71
|
5?
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import socket
|
|
2
|
+
from contextlib import suppress
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
def _is_ip(ip):
|
|
6
|
+
try:
|
|
7
|
+
socket.inet_aton(ip)
|
|
8
|
+
return True
|
|
9
|
+
except Exception:
|
|
10
|
+
return False
|
|
11
|
+
|
|
12
|
+
|
|
13
|
+
def extract_config(data):
|
|
14
|
+
config_dict = {"C2s": []}
|
|
15
|
+
with suppress(Exception):
|
|
16
|
+
if data[:2] == b"MZ":
|
|
17
|
+
return
|
|
18
|
+
for line in data.decode().split("\n"):
|
|
19
|
+
if _is_ip(line) and line not in config_dict["C2s"]:
|
|
20
|
+
config_dict["C2s"].append(line)
|
|
21
|
+
return config_dict
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.3
|
|
2
2
|
Name: CAPE-parsers
|
|
3
|
-
Version: 0.1.
|
|
3
|
+
Version: 0.1.44
|
|
4
4
|
Summary: CAPE: Malware Configuration Extraction
|
|
5
5
|
License: MIT
|
|
6
6
|
Keywords: cape,parsers,malware,configuration
|
|
@@ -23,7 +23,7 @@ Requires-Dist: pefile
|
|
|
23
23
|
Requires-Dist: pycryptodomex (>=3.20.0)
|
|
24
24
|
Requires-Dist: rat-king-parser (>=4.1.0)
|
|
25
25
|
Requires-Dist: ruff (>=0.7.2)
|
|
26
|
-
Requires-Dist: unicorn (
|
|
26
|
+
Requires-Dist: unicorn (>=2.1.1)
|
|
27
27
|
Requires-Dist: yara-python (>=4.5.1)
|
|
28
28
|
Description-Content-Type: text/markdown
|
|
29
29
|
|
|
@@ -14,7 +14,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4
|
|
|
14
14
|
cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
|
|
15
15
|
cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
|
|
16
16
|
cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
|
|
17
|
-
cape_parsers/CAPE/community/Lumma.py,sha256=
|
|
17
|
+
cape_parsers/CAPE/community/Lumma.py,sha256=Q0n7Tl4WLUvW3Btg2jgPLQ2pmWejIMNJzWrhWO-fFAc,12028
|
|
18
18
|
cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
|
|
19
19
|
cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
|
|
20
20
|
cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
|
|
@@ -72,6 +72,7 @@ cape_parsers/CAPE/core/Rhadamanthys.py,sha256=TuhWqOssRiTOEuCk_UXBd3SPz-V71pOCYL
|
|
|
72
72
|
cape_parsers/CAPE/core/SmokeLoader.py,sha256=y3PGuAhGkvRSlbi1-PViv66LW4N8AA2Rc5UzxV_nRvw,3889
|
|
73
73
|
cape_parsers/CAPE/core/Socks5Systemz.py,sha256=k5AdoNKl32m6g1MlOWw4EXvfqMJOFuyw5I0VkQicjRs,759
|
|
74
74
|
cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=ErCT5eeo5xiQTBzhpaS22PQ8pp-u-G4cjJ4bapjKT2U,3283
|
|
75
|
+
cape_parsers/CAPE/core/Stealc.py,sha256=LJivSCnho9KrSp5Lbw5oRa8vdKm3y7cNxXaev4tdl-8,488
|
|
75
76
|
cape_parsers/CAPE/core/Strrat.py,sha256=StKPm9Qx8iIIjWb-2P7Naow6sMSJ9tclXJcUQ8JUcWc,2243
|
|
76
77
|
cape_parsers/CAPE/core/UrsnifV3.py,sha256=Nu4X2l_zwlVMjvEa5gQRaR9SgYKL-C-C9onSmd2DtuU,5510
|
|
77
78
|
cape_parsers/CAPE/core/WarzoneRAT.py,sha256=Gk0eZVCNGgscNlpsbB123v4P5rvCeyf8avcTHRAd4aA,3725
|
|
@@ -105,7 +106,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
|
|
|
105
106
|
cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
|
|
106
107
|
cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
|
|
107
108
|
cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
|
|
108
|
-
cape_parsers-0.1.
|
|
109
|
-
cape_parsers-0.1.
|
|
110
|
-
cape_parsers-0.1.
|
|
111
|
-
cape_parsers-0.1.
|
|
109
|
+
cape_parsers-0.1.44.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
|
|
110
|
+
cape_parsers-0.1.44.dist-info/METADATA,sha256=4VjbNtdc_w3GCdccHiWb_--tggZS7VT0OpdUG-Cu9DQ,1149
|
|
111
|
+
cape_parsers-0.1.44.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
|
|
112
|
+
cape_parsers-0.1.44.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|