Skip to content

Instantly share code, notes, and snippets.

@IlluminatiFish
IlluminatiFish / crypto_draining_eth_wallets.csv
Last active September 20, 2023 23:54
To effectively catalog data concerning cryptocurrency phishing pages, that utilise the same drainer kit to conduct these attacks. This gist will encompass vital information related to each campaign such as attacker wallet addresses, associated page domains, and additional details.
page_domain drainer_configuration_domain drainer_wallet_address drainer_file_url drainer_file_hash
metagirls.icu beryeurverviug.shop 0x252166461CBe83cbe69D7baF9344a74E64F5BC3F https://metagirls.icu/assets/web3-provider.js 07d1084b129749718a1a4fde33f276a046e575d285d30bb313e88cce2150d656
verify-collab.info airdrop-alert.net 0xc45c2FC0Eae87263F4055c7838a93730eDabEBB6 https://airdrop-alerts.net/assets/web3-provider.js 8847744dfc114287eaa7edf4e28bc61d8472547e630d9ae1c719c5638c528e81
crytdgroup.com register-sui.io 0x000812de2241aB594aE154060028F70F39DAE000 https://crytdgroup.com/assets/web3-provider.js 23a7b90a5c7eb8a461ba2dd70f5796a38d84aafcd0c2f8892da312bbfe2dbe9c
avaxloot.com network.berynaof.online 0x9a9Cdb3747b2F280fd809f62A20AbC8256Ea650a https://avaxloot.com/assets/web3-provider.js 0f104d024e9b4a3c815fa47662cc503027f086b0df6aafd8578af5e14c525f15
thetipcoin.fun claims-service.net 0x000099fe5C0867Ddd4344a44cE730d438B6f0000 https://thetipcoin.fun/2aaf5c4a-a8f7-40da-aaf8-78e44425d676.js 2bc284bfc884c9b4e5a1b682e
@IlluminatiFish
IlluminatiFish / crypto_draining_eth_wallets.json
Last active March 6, 2023 01:37
A list full of ETH wallets that I find in Crypto Drainers
{
"0x753536e5AAE0254558d26F8B34b90cE39ECe07b2": "DRAINER_00001",
"0xede26742364289d24a3c17d11b293b09ff63db1c": "DRAINER_00002",
"0x121446e4E694199C809585b7ECf64cAC385e108F": "DRAINER_00003",
"0x0c0fD96c0E058E89cd81DFfF454c98B920b24B6F": "DRAINER_00004",
"0x42c99e69C77a3083da981130628B51E56638B447": "DRAINER_00005",
"0x31089bD92c78374125C69B83365827108337F96A": "DRAINER_00006",
"0xC7819d29c30B23b04d509A7D3B35aA1DbFCF3DE4": "DRAINER_00007",
"0x68098977199926b11127ccE67136992b7961FFe1": "DRAINER_00008",
"0x07cC89444DDf587D94cc9e0d12C92F87cFC4c771": "DRAINER_00009",
@IlluminatiFish
IlluminatiFish / tjx6_stealer_writeup.md
Created August 9, 2022 02:02
A small write up of what the tjx6 stealer is and what it does.

Introduction

I was casually using my YouTube crawling bot (Kaelego) as I usually do to find new fake Hypixel Skyblock modifications that are present in YouTube video descriptions, when I stumbled upon this peculiar sample (Video: https://www.youtube.com/watch?v=akZl0ZajV-Y).

The channel from which the video was uploaded, "Tutpeter", has another video, uploaded July 23. The video shows a "duping mod", but the download links (MediaFire) showed that both files were uploaded from Germany on July 24 at 8:51 AM. Both files are also exactly the same size (756.3 KB). It is possible that the link was changed in the first video to a fresh link, with a new sample of tjx6.

The JAR file was very weird from the get go as neither Java decompilation software such as Recaf

@IlluminatiFish
IlluminatiFish / YoutubeMalware.yara
Last active November 10, 2022 00:29
A yara rule written by myself to detect the apparent pattern that most videos spreading malware have
rule MALWARE_VIDEO {
strings:
$password = /(PASS|PASSWORD)( )?(:|-)?( )?[0-9A-Za-z]{3,10}/i
$download = /(http|https):\/\/(yt\.sv|shorturl\.at|clck\.ru|sites\.google\.com|bit\.ly|bit\.do|cutt\.ly|mega\.nz|(www\.)?mediafire\.com|gg\.gg|(www\.)?sendspace\.com|t\.ly|telegra\.ph|split\.to|actgames\.site|goo\.su|easyupload\.io)\/(.*)/i
$keywords = /(crack|hack|cheat)/i
condition:
(all of them) or ($download and $keywords)
}
@IlluminatiFish
IlluminatiFish / JNDIPayloadDeobfuscator.py
Last active April 26, 2023 10:24
A quick and short python script to deobfuscate JNDI payloads that are used in log4j exploitation which leverage on default value assignment, character manipulation syntaxes & other methods, licensed under GNU LGPLv3
import re
class DeobfuscatorException(Exception):
"""
DeobfuscatorException class to be raised
"""
pass
class JNDIPayloadDeobfuscator:
@IlluminatiFish
IlluminatiFish / blacklist.txt
Last active February 26, 2022 01:46
A list of IP addresses that have been seen to have large amounts of domains hosting the very infamous steam/discord themed phishing that is spread via discord
[
"2.56.59.7",
"2.56.59.115",
"2.56.59.242",
"45.133.1.45",
"45.138.72.93",
"45.138.72.103",
"45.138.72.104",
"45.138.72.107",
"45.138.72.110",
@IlluminatiFish
IlluminatiFish / Terminator.py
Last active June 30, 2021 23:32
A little class to terminate those pesky token loggers that exist unfortunately in the discord community
import requests, pprint, json, base64, magic
class Nuker:
def __init__(self, webhook_url):
chunks = webhook_url.split("/")
self.webhook_id = chunks[5]
self.webhook_token = chunks[6]
@IlluminatiFish
IlluminatiFish / Centauri.py
Last active June 5, 2021 03:34
A quick python class, to find and identify a favicon for a given URL and calculating the favicon's murmur3 hash, which can be later used for favicon hash matching via services like Shodan
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#
@IlluminatiFish
IlluminatiFish / YAMLNodePreloader.py
Last active June 4, 2021 00:47
A short utility to use YAML configurations in Python and access their node data using the node1.node2.node3 format
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#
@IlluminatiFish
IlluminatiFish / EntropyAnalyzer.py
Last active June 4, 2021 00:48
A short python script that uses Shannon Entropy to analyse a file to find any readable text and/or code and extracts it out
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#