CAPE-parsers 0.1.47__py3-none-any.whl → 0.1.49__py3-none-any.whl

cape_parsers/CAPE/community/Amadey.py

@@ -0,0 +1,213 @@
+import base64
+import yara
+import pefile
+import json
+import struct
+import re
+
+
+RULE_SOURCE_KEY = """
+rule Amadey_Key_String
+{
+    meta:
+        author = "YungBinary"
+        description = "Find decryption key in Amadey."
+    strings:
+        $chunk_1 = {
+            6A 20
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
+
+RULE_SOURCE_ENCODED_STRINGS = """
+rule Amadey_Encoded_Strings
+{
+    meta:
+        author = "YungBinary"
+        description = "Find encoded strings in Amadey."
+    strings:
+        $chunk_1 = {
+            6A ??
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
+
+
+def contains_non_printable(byte_array):
+    for byte in byte_array:
+        if not chr(byte).isprintable():
+            return True
+    return False
+
+
+def yara_scan_generator(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                yield instance.offset, block.identifier
+
+
+def get_keys(pe, data):
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    keys = []
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_KEY):
+        try:
+            key_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            key_string_dword_offset = pe.get_offset_from_rva(key_string_rva - image_base)
+            key_string = pe.get_string_from_data(key_string_dword_offset, data)
+
+            if b"=" not in key_string:
+                keys.append(key_string.decode())
+
+            if len(keys) == 2:
+                return keys
+
+        except Exception:
+            continue
+
+    return []
+
+
+def get_encoded_strings(pe, data):
+    encoded_strings = []
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_ENCODED_STRINGS):
+
+        try:
+            encoded_string_size = data[offset + 1]
+            encoded_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            encoded_string_dword_offset = pe.get_offset_from_rva(encoded_string_rva - image_base)
+            encoded_string = pe.get_string_from_data(encoded_string_dword_offset, data)
+
+            # Make sure the string matches length from operand
+            if encoded_string_size != len(encoded_string):
+                continue
+
+            encoded_strings.append(encoded_string.decode())
+
+        except Exception:
+            continue
+
+    return encoded_strings
+
+
+def decode_amadey_string(key: str, encoded_str: str) -> bytes:
+    """
+    Decode Amadey encoded strings that look like base64
+    """
+    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
+
+    decoded = ""
+    for i in range(len(encoded_str)):
+        if encoded_str[i] == "=":
+            decoded += "="
+            continue
+
+        index_1 = alphabet.index(encoded_str[i % len(encoded_str)])
+        index_2 = alphabet.index(key[i % len(key)])
+
+        index_result = (index_1 + (0x3F - index_2) + 0x3F) % 0x3F
+
+        decoded += alphabet[index_result]
+
+    decoded = base64.b64decode(decoded)
+
+    return decoded
+
+
+def find_campaign_id(data):
+    pattern = br'\x00\x00\x00([0-9a-f]{6})\x00\x00'
+    matches = re.findall(pattern, data)
+    if matches:
+        return matches[0]
+
+
+def extract_config(data):
+    pe = pefile.PE(data=data, fast_load=True)
+    # image_base = pe.OPTIONAL_HEADER.ImageBase
+
+    keys = get_keys(pe, data)
+    if not keys:
+        return {}
+
+    decode_key = keys[0]
+    rc4_key = keys[1]
+    encoded_strings = get_encoded_strings(pe, data)
+
+    decoded_strings = []
+    for encoded_string in encoded_strings:
+        try:
+            decoded_string = decode_amadey_string(decode_key, encoded_string)
+            if not decoded_string or contains_non_printable(decoded_string):
+                continue
+            decoded_strings.append(decoded_string.decode())
+        except Exception:
+            continue
+
+    if not decoded_strings:
+        return {}
+
+    decoded_strings = decoded_strings[:10]
+    final_config = {}
+    version = ""
+    install_dir = ""
+    install_file = ""
+    version_pattern = r"^\d+\.\d{1,2}$"
+    install_dir_pattern = r"^[0-9a-f]{10}$"
+
+    for i in range(len(decoded_strings)):
+        s = decoded_strings[i]
+        if s.endswith(".php"):
+            c2 = decoded_strings[i-1]
+            final_config.setdefault("CNCs", []).append(f"http://{c2}{s}")
+        elif re.match(version_pattern, s):
+            version = s
+        elif re.match(install_dir_pattern, s):
+            install_dir = s
+        elif s.endswith(".exe"):
+            install_file = s
+
+    if version:
+        final_config["version"] = version
+    if install_dir:
+        final_config.setdefault("raw", {})["install_dir"] = install_dir
+    if install_file:
+        final_config.setdefault("raw", {})["install_file"] = install_file
+
+    final_config["cryptokey"] = rc4_key
+    final_config["cryptokey_type"] = "RC4"
+
+    campaign_id = find_campaign_id(data)
+    if campaign_id:
+        final_config["campaign_id"] = campaign_id.decode()
+
+    return final_config
+
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(json.dumps(extract_config(f.read()), indent=4))

cape_parsers/CAPE/community/CobaltStrikeBeacon.py

@@ -360,11 +360,11 @@ class cobaltstrikeConfig:
             if parsed_setting == "Not Found" and quiet:
                 continue
             if not isinstance(parsed_setting, list):
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting)) # noqa: G001
             elif parsed_setting == []:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty"))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty")) # noqa: G001
             else:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0]))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0])) # noqa: G001
                 for val in parsed_setting[1:]:
                     log.debug(" " * COLUMN_WIDTH, end="")
                     print(val)

cape_parsers/CAPE/community/LokiBot.py

@@ -23,7 +23,7 @@
 import re
 import struct
 import sys
-
+from contextlib import suppress
 import pefile
 from Cryptodome.Cipher import DES3
 from Cryptodome.Util.Padding import unpad
@@ -128,7 +128,8 @@ def decoder(data):
     else:
         x = bytearray(img)
 
-    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+"
+    # ToDo add \.php
+    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+\.php"
     urls = re.findall(url_re, x)
     if not urls:
         for i in range(len(x)):
@@ -144,21 +145,23 @@ def decoder(data):
     confs = find_conf(img)
     if iv and iv not in (b"", -1) and confs != []:
         for conf in confs:
-            try:
+            with suppress(ValueError):
                 dec = DES3.new(key, DES3.MODE_CBC, iv)
                 temp = dec.decrypt(conf)
                 temp = unpad(temp, 8)
-                urls.append(b"http://" + temp)
-            except ValueError:
-                # wrong padding
-                pass
+                if not temp.endswith(b".php"):
+                    continue
+                urls.append("http://" + temp.decod())
     return urls
 
 
 def extract_config(filebuf):
 
     urls = decoder(filebuf)
-    return {"CNCs": [url.decode() for url in urls]}
+    if urls:
+        return {"CNCs": urls}
+    else:
+        return {}
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/community/Lumma.py

@@ -318,7 +318,7 @@ def extract_config(data):
                 decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config.setdefault("CNCs", []).append(decoded_c2.decode())
+                config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
 
@@ -351,7 +351,7 @@ def extract_config(data):
                         decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
-                            config["CNCs"].append(c2.decode())
+                            config["CNCs"].append("https://" + c2.decode())
                             break
 
                 except Exception:
@@ -384,7 +384,7 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
 
                     if not contains_non_printable(decoded_c2):
-                        config.setdefault("CNCs", []).append(decoded_c2.decode())
+                        config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
                 except Exception as e:
                     print(e)
                     continue

cape_parsers/CAPE/community/Snake.py

@@ -133,7 +133,7 @@ def extract_config(data):
     try:
         dotnet_file = dnfile.dnPE(data=data)
     except Exception as e:
-        log.debug(f"Exception when attempting to parse .NET file: {e}")
+        log.debug("Exception when attempting to parse .NET file: %s", str(e))
         log.debug(traceback.format_exc())
 
     # ldstr, stsfld
@@ -165,7 +165,7 @@ def extract_config(data):
             else:
                 user_strings[field_name] = string_index
         except Exception as e:
-            log.debug(f"There was an exception parsing user strings: {e}")
+            log.debug("There was an exception parsing user strings: %s", str(e))
             log.debug(traceback.format_exc())
 
     if c2_type is None:

cape_parsers/CAPE/community/Stealc.py

@@ -1,6 +1,7 @@
 import struct
 import pefile
 import yara
+import ipaddress
 from contextlib import suppress
 
 
@@ -42,6 +43,13 @@ def yara_scan(raw_data):
                 yield block.identifier, instance.offset
 
 
+def _is_ip(ip):
+    try:
+        ipaddress.ip_address(ip)
+        return True
+    except Exception:
+        return False
+
 def xor_data(data, key):
     decoded = bytearray()
     for i in range(len(data)):
@@ -67,6 +75,8 @@ def parse_text(data):
         for line in lines:
             if line.startswith("http") and "://" in line:
                 domain = line
+            elif _is_ip(line):
+                domain = line
             if line.startswith("/") and line[-4] == ".":
                 uri = line
 

cape_parsers/CAPE/core/AuraStealer.py

@@ -0,0 +1,93 @@
+import json
+import struct
+from contextlib import suppress
+from typing import Any, Dict, Tuple
+
+import pefile
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import unpad
+
+
+def parse_blob(data: bytes):
+    """
+    Parse the blob according to the scheme:
+      - 32 bytes = AES key
+      - Next 16 bytes = IV
+      - Next 2 DWORDs (8 bytes total) = XOR to get cipher data size
+      - Remaining bytes = cipher data of that size
+    """
+    offset = 0
+    aes_key = data[offset:offset + 32]
+    offset += 32
+    iv = data[offset:offset + 16]
+    offset += 16
+    dword1, dword2 = struct.unpack_from("<II", data, offset)
+    cipher_size = dword1 ^ dword2
+    offset += 8
+    cipher_data = data[offset:offset + cipher_size]
+    return aes_key, iv, cipher_data
+
+
+def decrypt(data: bytes) -> Tuple[bytes, bytes, bytes]:
+    aes_key, iv, cipher_data = parse_blob(data)
+    cipher = AES.new(aes_key, AES.MODE_CBC, iv)
+    plaintext_padded = cipher.decrypt(cipher_data)
+    return aes_key, iv, unpad(plaintext_padded, AES.block_size)
+
+
+def extract_config(data: bytes) -> Dict[str, Any]:
+    cfg: Dict[str, Any] = {}
+    plaintext = ""
+    pe = pefile.PE(data=data, fast_load=True)
+    try:
+        data_section = [s for s in pe.sections if s.Name.find(b".data") != -1][0]
+    except IndexError:
+        return cfg
+
+    if not data_section:
+        return cfg
+
+    data = data_section.get_data()
+    block_size = 4096
+    zeros = b"\x00" * block_size
+    offset = data.find(zeros)
+    if offset == -1:
+        return cfg
+
+    while offset > 0:
+        with suppress(Exception):
+            aes_key, iv, plaintext = decrypt(data[offset : offset + block_size])
+            if plaintext and b"conf" in plaintext:
+                break
+
+        offset -= 1
+
+    if plaintext:
+        parsed = json.loads(plaintext.decode("utf-8", errors="ignore").rstrip("\x00"))
+        conf = parsed.get("conf", {})
+        build = parsed.get("build", {})
+        if conf:
+            cfg = {
+                "CNCs": conf.get("hosts"),
+                "user_agent": conf.get("useragents"),
+                "version": build.get("ver"),
+                "build": build.get("build_id"),
+                "cryptokey": aes_key.hex(),
+                "cryptokey_type": "AES",
+                "raw": {
+                    "iv": iv.hex(),
+                    "anti_vm": conf.get("anti_vm"),
+                    "anti_dbg": conf.get("anti_dbg"),
+                    "self_del": conf.get("self_del"),
+                    "run_delay": conf.get("run_delay"),
+                }
+            }
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/core/BumbleBee.py

@@ -50,7 +50,7 @@ def extract_key_data(data, pe, key_match):
         # Read arbitrary number of byes from key offset and split on null bytes to extract key
         key = data[key_offset : key_offset + 0x40].split(b"\x00")[0]
     except Exception as e:
-        log.debug(f"There was an exception extracting the key: {e}")
+        log.debug("There was an exception extracting the key: %s", str(e))
         log.debug(traceback.format_exc())
         return False
     return key
@@ -70,7 +70,7 @@ def extract_config_data(data, pe, config_match):
         )
         campaign_id_ct = data[campaign_id_offset : campaign_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the campaign id: {e}")
+        log.debug("There was an exception extracting the campaign id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -84,7 +84,7 @@ def extract_config_data(data, pe, config_match):
         )
         botnet_id_ct = data[botnet_id_offset : botnet_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the botnet id: {e}")
+        log.debug("There was an exception extracting the botnet id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -99,7 +99,7 @@ def extract_config_data(data, pe, config_match):
         c2s_offset = pe.get_offset_from_rva(c2s_rva + int.from_bytes(config_match.group("c2s"), byteorder="little"))
         c2s_ct = data[c2s_offset : c2s_offset + 0x400]
     except Exception as e:
-        log.debug(f"There was an exception extracting the C2s: {e}")
+        log.debug("There was an exception extracting the C2s: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -243,7 +243,7 @@ def extract_config(data):
         if c2s:
             cfg["CNCs"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
     except Exception as e:
-        log.error("This is broken: %s", str(e), exc_info=True)
+        log.exception("This is broken: %s", str(e))
 
     if not cfg:
         cfg = extract_2024(pe, data)

cape_parsers/CAPE/core/Remcos.py

@@ -211,7 +211,7 @@ def extract_config(filebuf):
                 config.setdefault("raw", {})[k] = v
 
     except Exception as e:
-        logger.error(f"Caught an exception: {e}")
+        logger.error("Caught an exception: %s", str(e))
 
     return config
 

cape_parsers/__init__.py

@@ -129,7 +129,7 @@ def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
     except ImportError:
         log.info("Missed RATDecoders -> poetry run pip install malwareconfig")
     except Exception as e:
-        log.error(e, exc_info=True)
+        log.exception(e)
     return False, False, False
 
 

{cape_parsers-0.1.47.dist-info → cape_parsers-0.1.49.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.47
+Version: 0.1.49
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration

{cape_parsers-0.1.47.dist-info → cape_parsers-0.1.49.dist-info}/RECORD

@@ -1,37 +1,39 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=rHhTmINQ0bGZEiJ5NhCKPhGobcifq3FDWZItgHTpBC8,3796
+cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
 cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=C0j9SZDJRi107PbfYZ9G168MCyqYItrI-XK5k0Bp4tE,2632
 cape_parsers/CAPE/community/Carbanak.py,sha256=Smi_vTWDfWxYBQa661ZIy0624IYJA22LMHAJEQbstpk,5607
-cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=Z40uxQ_OExtky7dIC372golAiuW9bR-_5TDBMBqsCo0,19427
+cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=U4Q0ObCrPRpiO5B5fBmkgr63jXdizujNth8v6kUPnEQ,19466
 cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
 cape_parsers/CAPE/community/DCRat.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ5F0C1Iac,1875
 cape_parsers/CAPE/community/KoiLoader.py,sha256=F2gsgCvrVuwxY1bg8rlexsjCjikAP5HIGGOqU8zhT8E,4008
-cape_parsers/CAPE/community/LokiBot.py,sha256=YGYfQ7Wr8PA2QW37yfoyh5cFAz2zxgOmpHOHIvy9CsM,5657
-cape_parsers/CAPE/community/Lumma.py,sha256=Hz72U6i2apU6N5gj5IXnZ9HkbOqKDvW1EMnIge8sNQc,12167
+cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
+cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
 cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
 cape_parsers/CAPE/community/Nighthawk.py,sha256=8ss8yvslrwUt53zV6U0xuwGKU3hgYfOt13S5lkOVpNo,12105
 cape_parsers/CAPE/community/Njrat.py,sha256=GiwSENBB43RUqyJ7zT7ZPkPUYqo8Ew4kd5MJUj0jzdc,4702
 cape_parsers/CAPE/community/PhemedroneStealer.py,sha256=Z7_PdxC8bmd6P3AqOm7AHVRrbEVuREwMWbyLVHaAhK0,7095
 cape_parsers/CAPE/community/QuasarRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
 cape_parsers/CAPE/community/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
-cape_parsers/CAPE/community/Snake.py,sha256=-x3Bfhs2HAuxNakUnAX1mm-mgtarJkD9U_fucmVY3u4,6638
+cape_parsers/CAPE/community/Snake.py,sha256=v_MAPmg86ZdgGOkzc9GVHbi-lu4nLa1_0Lp90qiCg8s,6650
 cape_parsers/CAPE/community/SparkRAT.py,sha256=OVDty_1i9PTGuEumT0BHoDn0bD2UtdhHVNjThah80pg,2140
-cape_parsers/CAPE/community/Stealc.py,sha256=RddvMmFmq85J3pCqtpACT1n6k02P1_GsxXIidtveNa4,5102
+cape_parsers/CAPE/community/Stealc.py,sha256=A00EEMSubZGLhgRWhL_HWDZBu-EsLWrpBv_-JR3-yZE,5302
 cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cape_parsers/CAPE/community/monsterv2.py,sha256=eVEs4VIeS3PiZtRjNb69itmDq2Zkbrpn5k3M68GujiI,2995
 cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=40wMfrXt-7UG30WsLC5GxUtG6tSUaaP1OT-ntWzPZn0,2956
+cape_parsers/CAPE/core/AuraStealer.py,sha256=6mbS1MNsaULpTAlh2vNeZPQy6faYm8BMu0OQh5Vb0eI,2702
 cape_parsers/CAPE/core/Azorult.py,sha256=YkMIhC6zRTxEkLVMUdr2MMsbV9iAnZ8hUS8be9GZ5N4,2150
 cape_parsers/CAPE/core/BitPaymer.py,sha256=HQwoE0o7HMiXItxE08vBenf2ZWMxZp84-Hf_1eZ8QdE,3050
 cape_parsers/CAPE/core/BlackDropper.py,sha256=sCSu2T5oPvcFHlSAzSsLj_gCv2Tldl0UPguwy0MVg6A,3282
 cape_parsers/CAPE/core/Blister.py,sha256=wprcJMHixv4JHGqBjQeu26BJ6HgXeBMobh10Y-H6-Xg,18173
 cape_parsers/CAPE/core/BruteRatel.py,sha256=_hFAYLbOsHdekWPOMXRmIYNXTNeNQSs3LZqh7xAVI2U,1147
-cape_parsers/CAPE/core/BumbleBee.py,sha256=qyfvRw1pkc3lPsSrwg8y2W6_ciW3sluijdYcHe27iHY,10062
+cape_parsers/CAPE/core/BumbleBee.py,sha256=8a15OLAoNKs377ehdgx8R6kCAsJeG-_itt8xc_EMQes,10075
 cape_parsers/CAPE/core/DarkGate.py,sha256=ppSRDfw-u2NltzQlrVvRwqxGaprShuv5CrwbNbnSvaw,3477
 cape_parsers/CAPE/core/DoppelPaymer.py,sha256=LPAQ-7imcAWFciAd7Qb_r6js2PdIsTt9fRdYKoEkFMg,2537
 cape_parsers/CAPE/core/DridexLoader.py,sha256=8NKppvGz7tVXnNTGEgS7R3LGn5vtW4xslQYbo38wQUg,7087
@@ -47,7 +49,7 @@ cape_parsers/CAPE/core/QakBot.py,sha256=SmXRuwOiaDLL7uN9RwCiQP62P3ctxGJ6y54zJG9y
 cape_parsers/CAPE/core/Quickbind.py,sha256=5A077RFQQOL8dtr2Q9vmlTKsWk96JkRWuHGseApyTmU,3675
 cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS91k,17
 cape_parsers/CAPE/core/RedLine.py,sha256=bZeKLvxaS6HDpWY4RDXtSEBt93qTNzZG5iE6FNS0dOY,5734
-cape_parsers/CAPE/core/Remcos.py,sha256=nKn_4lwjX7xGkLGFmt3WAG1HEgmKCncIbkv7Je7W6vM,9477
+cape_parsers/CAPE/core/Remcos.py,sha256=MIpO2FwehBGIhO7hS0TT2hdDsgvxlI5ps4rAwyFwdTY,9483
 cape_parsers/CAPE/core/Rhadamanthys.py,sha256=mx7kEF1e8LJZbwh2uUwU56ZKgrpLqZvYVDoqm-Dvl9w,6075
 cape_parsers/CAPE/core/SmokeLoader.py,sha256=ruQ_GDiZvqtGxUTbN2N6fajUYWkIylFTvMXijgZ8L20,3890
 cape_parsers/CAPE/core/Socks5Systemz.py,sha256=jSt6QejL5K99dIB3qdItvUHL28w6N60xuwc8EQHM5Mk,783
@@ -60,7 +62,7 @@ cape_parsers/CAPE/core/test_cape.py,sha256=CrmghlO43hpnTLv0X8Dw4hTcrVHuJ0X20dPXc
 cape_parsers/RATDecoders/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
 cape_parsers/RATDecoders/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/RATDecoders/test_rats.py,sha256=swkWvbnCd6_2aUP6MnIF4hyPL8zsdhtjlsBfx5Phgk4,610
-cape_parsers/__init__.py,sha256=1xtenBXY23B8jf2x1fQ103qYFy0lBW12SN3HFJL7YfE,6243
+cape_parsers/__init__.py,sha256=yInPN6GBAPBgIDGTXVgWB1wrRZ3yJsMk0ywcWAGvop0,6232
 cape_parsers/deprecated/BackOffLoader.py,sha256=gIwNDsWm1xGR9whKEEj1eTBB1-KTLY0_yNE50xVScKo,1402
 cape_parsers/deprecated/BackOffPOS.py,sha256=lG7a_bXD3Exaoy-_lHpa90yiv_DesICFqClhqS_d8nk,1486
 cape_parsers/deprecated/BlackNix.py,sha256=NPqXiHWt_UtLm35gi58UriEJRt_L_UWGfS8jvblAECM,2667
@@ -106,7 +108,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.47.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.47.dist-info/METADATA,sha256=yygn1v4WJRq1aonL5anru3gnpJgkmQIAox6a_70zbKk,1753
-cape_parsers-0.1.47.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.47.dist-info/RECORD,,
+cape_parsers-0.1.49.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.49.dist-info/METADATA,sha256=JiiD9noZxpf8bqsPWQRJ2siYMcHkqo6VrpkwYD2r3MU,1753
+cape_parsers-0.1.49.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.49.dist-info/RECORD,,