diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 0ba6684..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: CI
-
-on:
- pull_request:
- branches:
- - master
- push:
- branches:
- - master
-
-jobs:
- malware-sample-tests:
- name: Run malware sample tests
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Setup Python
- uses: actions/setup-python@v5
- with:
- python-version: "3.13"
-
- - name: Install dependencies
- run: |
- sudo apt-get update
- sudo apt-get install -y p7zip-full
- pip install ".[dev]"
-
- - name: Decrypt malware samples
- run: |
- 7z x tests/samples.enc.zip -p'${{ secrets.SAMPLES_ZIP_PASSWORD }}' -otests/samples/
- ls -la tests/samples/
-
- - name: Run malware pytest suite
- run: pytest tests/ --maxfail=1 --disable-warnings -q
-
- - name: Clean up samples
- run: rm -rf tests/samples
-
- # Run the workflow on approved pull request merges from forked repositories
- # and any pull requests from the main repository
- if: github.event_name == 'pull_request' && (github.event.pull_request.merged == true || github.repository == github.event.pull_request.head.repo.full_name)
diff --git a/.gitignore b/.gitignore
index b989d55..36aa713 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,3 @@ __pycache__/
 build/
 *.egg-info/
-bin/
-tests/samples/
diff --git a/pyproject.toml b/pyproject.toml
index f5262fa..b96923b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [build-system]
 build-backend = "setuptools.build_meta"
-requires = ["setuptools"]
+requires = [ "setuptools" ]
 [project]
 name = "rat-king-parser"
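Review bot: Dropping `bin/` from `.gitignore` is not tied to the test-suite removal that the rest of this commit performs; only `tests/samples/` corresponds to a path the commit deletes (the directory the removed CI job extracted samples into). Unless build output under `bin/` is now intentionally meant to be tracked, keep that entry: `bin/`. The `tests/samples/` removal looks fine on its own, since nothing left in the tree appears to write there.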
@@ -34,10 +34,10 @@ classifiers = [
 "Programming Language :: Python :: 3.12",
 "Programming Language :: Python :: 3.13",
 ]
-dynamic = ["version"]
-dependencies = ["dnfile", "pycryptodomex", "yara-python"]
-optional-dependencies.dev = ["pre-commit", "pytest"]
-optional-dependencies.maco = ["maco", "validators"]
+dynamic = [ "version" ]
+dependencies = [ "dnfile", "pycryptodomex", "yara-python" ]
+optional-dependencies.dev = [ "pre-commit" ]
+optional-dependencies.maco = [ "maco", "validators" ]
 urls."Bug Reports" = "https://github.com/jeFF0Falltrades/rat_king_parser/issues"
 urls."Homepage" = "https://github.com/jeFF0Falltrades/rat_king_parser"
 urls."Say Thanks!" = "https://www.buymeacoffee.com/jeff0falltrades"
@@ -47,15 +47,15 @@ scripts.rat-king-parser = "rat_king_parser:main"
 version = { attr = "rat_king_parser._version.__version__" }
 [tool.setuptools.packages.find]
-where = ["src"]
-include = ["rat_king_parser*"]
+where = [ "src" ]
+include = [ "rat_king_parser*" ]
 namespaces = false
 [tool.setuptools.package-data]
-"rat_king_parser.yara_utils" = ["*.yar", "*.yarc"]
+"rat_king_parser.yara_utils" = [ "*.yar", "*.yarc" ]
 [tool.ruff]
-lint.extend-select = ["I"]
+lint.extend-select = [ "I" ]
 [tool.pre-commit]
 hook-config = "file:.pre-commit-config.yaml"
diff --git a/src/rat_king_parser/_version.py b/src/rat_king_parser/_version.py
index ec9a29c..92ec535 100644
--- a/src/rat_king_parser/_version.py
+++ b/src/rat_king_parser/_version.py
@@ -23,4 +23,4 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
-__version__ = "4.2.2"
+__version__ = "4.2.1"
diff --git a/tests/expected/034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e.json b/tests/expected/034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e.json
deleted file mode 100644
index e26d2c9..0000000
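Review bot: The one functional change in this hunk, dropping `pytest` from `optional-dependencies.dev`, is buried among bracket-spacing rewrites that also make up the `[build-system]`, `[tool.setuptools.*]` and `[tool.ruff]` hunks of this file. Reformatting every list from `["x"]` to `[ "x" ]` in the same commit as a dependency change makes that change easy to miss in review and the commit harder to bisect; I would land the formatting separately, or at least name the pytest removal explicitly in the commit message. If the spacing comes from a formatter hook, pinning it in the `.pre-commit-config.yaml` referenced by `hook-config` would presumably keep later diffs from flipping the style back.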
--- a/tests/expected/034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "config": {
- "An_ti": "false",
- "Anti_Process": "false",
- "BS_OD": "false",
- "Certifi_cate": "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",
- "De_lay": "1",
- "Group": "16JUNIO-PJOAO",
- "Hos_ts": "20.200.63.2",
- "Hw_id": "null",
- "In_stall": "false",
- "Install_File": "",
- "Install_Folder": "%AppData%",
- "Key": "dU81ekM1S2pQYmVOWWhQcjV4WlJwcWRkSnVYR2tTQ0w=",
- "MTX": "DcRatMutex_qwqdanchun",
- "Paste_bin": "null",
- "Por_ts": "2525",
- "Server_signa_ture": "c+KGE0Aw1XRgjGe2Kvay1H3VgUgqKRYGit46DnCR6eW/g+kO+H5oRsfBNkVizj0Q862zTXvLkWZ+ON84bmYhBy3o5YQOPaPyAIXha4ByY150rYRXKkzBR47RkTx616bLYUhqO+PqqNOii9THobbo3zAtwjxEoEWr8s0MLGm2AfE=",
- "Ver_sion": " 1.0.7"
- },
- "key": "3915b12d862a41cce3da2e11ca8cefc26116d0741c23c0748618add80ee31a5c",
- "salt": "4463526174427971777164616e6368756e",
- "sha256": "034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e",
- "yara_possible_family": "dcrat"
-}
\ No newline at end of file
diff --git a/tests/expected/0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4.json b/tests/expected/0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4.json
deleted file mode 100644
index c47ed8c..0000000
--- a/tests/expected/0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "config": {
- "Anti": "false",
- "BDOS": "false",
- "Certificate": "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",
- "Delay": "3",
- "Group": "Default",
- "Hosts": "127.0.0.1",
- "Hwid": "null",
- "Install": "false",
- "InstallFile": "",
- "InstallFolder": "%AppData%",
- "Key": "Uk9tU0hKZUlVdXBwek1tV3NqYnBLYVRYcklWQXB5c0I=",
- "MTX": "AsyncMutex_6SI8OkPnk",
- "Pastebin": "null",
- "Ports": "6606,7707,8808",
- "Serversignature": "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",
- "TelegramChatID": "1863892139",
- "TelegramToken": "7153134069:AAHd4riTPdhAdVGBwo16vJQ5H3eORu5QAEo",
- "Version": ""
- },
- "key": "564eced38c73ee8089d8bcc951f28c0589a54388a4058b0da1d9c4d94514518f",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4",
- "yara_possible_family": "asyncrat"
-}
\ No newline at end of file
diff --git a/tests/expected/0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e.json b/tests/expected/0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e.json
deleted file mode 100644
index d9e2fba..0000000
--- a/tests/expected/0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "config": {
- "Anti": "%Anti%",
- "BDOS": "%BDOS%",
- "Certificate": "%Certificate%",
- "Delay": "%Delay%",
- "Group": "%Group%",
- "Hosts": "%Hosts%",
- "Hwid": "null",
- "Install": "%Install%",
- "InstallFile": "%File%",
- "InstallFolder": "%Folder%",
- "Key": "%Key%",
- "MTX": "%MTX%",
- "Pastebin": "%Pastebin%",
- "Ports": "%Ports%",
- "Serversignature": "%Serversignature%",
- "Version": "%Version%"
- },
- "key": "None",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e",
- "yara_possible_family": "asyncrat"
-}
\ No newline at end of file
diff --git a/tests/expected/6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412.json b/tests/expected/6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412.json
deleted file mode 100644
index b290c29..0000000
--- a/tests/expected/6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "config": {
- "Anti": "false",
- "BDOS": "false",
- "Certificate": "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",
- "Delay": "3",
- "Group": "Default",
- "Hosts": "minecraftdayzserver.ddns.net",
- "Hwid": "null",
- "Install": "true",
- "InstallFile": "WinRar.exe",
- "InstallFolder": "%AppData%",
- "Key": "VUpkMU9UTEhRSEVSN2d2eWpLeDJud2Q0STFIcDRXS0U=",
- "MTX": "LMAsmxp3mz2D",
- "Pastebin": "null",
- "Ports": "2400",
- "Serversignature": "PBjqcvsYypDmnjgUVv1SkvtLx+jFt2V7NyZ+nHik0CWcLbwOwBXD6/3an89d/I7pFAxwZXgSiLunc1yCOocUvymhbMwqT5t/yuj4GdW3a16vZSUuPbvGEOuB2oCgUNrsLWzqshnd1yaTIbNoENLJNS3phGLnQXijbrE2/mSEWbSjLcCWMC7Q52c54RCiBuKPQEhFR1KMUBtSeskObCEqOKY9tYsKKTDYDrQPp32Ho4qArPCDIiefcNiT4k17Dw4srW1OkC3uhSCc7BV1dZA/HJw5gd34pFTeCnJnqY34OmE7sux8mhBjaIXSJMXD81272ngrmGwu6++6DkdLgIx2y3uE6IcUFDQmOgU6T9I0ulogZGGZa1PI3VjBjF4TK27EwzrkR0iKi8Ctn8z/HMXnskviCaui6RlxEzWqOytSfe4m0XHpNN2gHVhKbZwJUr5IwKASOWiXgsOVpkTn8K6PDN22X2rCUigjRsE4/45qhd6BFCa/pXMgCHljHKi5qp13yor91rO9n6NjbO2bP28cexUmUwf03lClGQ2og8q05WWiqHHvLlpHxmy8fZwzniJC3tr6htyPYhGpzo20BMOz/x66tA/+JTC8CFFilvf3PP97KwfqpVNqtnyHVui7QR39E6QvoyNzw+7AxpHCSYx6F9tyWu96pBeSbCrMzXaSV0k=",
- "Version": "0.5.8"
- },
- "key": "eebdb6b2b00c2501b7b246442a354c5c3d743346e4cc88896ce68485dd6bbb8f",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412",
- "yara_possible_family": "asyncrat"
-}
\ No newline at end of file
diff --git a/tests/expected/6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83.json b/tests/expected/6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83.json
deleted file mode 100644
index bcaf384..0000000
--- a/tests/expected/6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "config": {
- "ENABLELOGGER": true,
- "ENCRYPTIONKEY": "O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr",
- "HIDEFILE": true,
- "INSTALL": false,
- "INSTALLNAME": "INSTALL",
- "MUTEX": "e4d6a6ec-320d-48ee-b6b2-fa24f03760d4",
- "PASSWORD": "5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks",
- "RECONNECTDELAY": 5000,
- "SPECIALFOLDER": "APPLICATIONDATA",
- "STARTUP": true,
- "STARTUPKEY": "STARTUP",
- "SUBFOLDER": "SUB",
- "TAG": "RELEASE",
- "VERSION": "1.0.00.r6",
- "xor_decoded_strings": [
- "BPN - Nuestro Banco",
- "Red Link - bpn",
- "HB Judiciales BPN",
- "Ingres\u00e1 a tu cuenta",
- "Online Banking Web",
- "Banca Empresa 3.0",
- "Banco Ciudad",
- "Banco Ciudad | Autogesti\u00f3n",
- "Banca Empresa 3.0",
- "Banco Comafi - Online Banking",
- "Banco Comafi - eBanking Empresas",
- "Online Banking Santander | Inicio de Sesi\u00f3n",
- "Online Banking Empresas",
- "Online Banking",
- "Office Banking",
- "HSBC Argentina",
- "HSBC Argentina | Bienvenido",
- "accessbanking.com.ar/RetailHomeBankingWeb/init.do?a=b",
- "ICBC Access Banking | Home Banking",
- "Banco Patagonia",
- "ebankpersonas.bancopatagonia.com.ar/eBanking/usuarios/login.htm",
- "P\u00e1gina del Banco de la Provincia de Buenos Aires",
- "Red Link",
- "bind - finanzas felices :)",
- "BindID Ingreso",
- "BBVA Net Cash | Empresas | BBVA Argentina",
- "Bienvenido a nuestra Banca Online | BBVA Argentina",
- "Ingres\u00e1 tu e-mail, tel\u00e9fono o usuario de Mercado Pago",
- "Mercado Pago | De ahora en adelante, hac\u00e9s m\u00e1s con tu dinero.",
- "Mercado Pago",
- "Home Banking",
- "Office Banking",
- "Banco Santa Cruz Gobierno - Una propuesta para cada Comuna o Municipio | Banco Santa Cruz",
- "Home banking",
- "Office Banking",
- "Banco de Santa Cruz",
- "Red Link",
- "Banco de la Naci\u00f3n Argentina",
- "Red Link - BANCO DE LA NACION ARGENTINA",
- "Red Link",
- "Macro | Agenda powered by Whyline",
- "Banco Macro | Banca Internet Personas",
- "Banco Macro | NUEVA Banca Internet Empresas",
- "https://argentina-e4162-default-rtdb.firebaseio.com/user.json",
- "C:\\\\Users\\\\",
- "\\\\AppData\\\\Local\\\\Aplicativo Itau",
- "C:\\\\Program Files\\\\Topaz OFD\\\\Warsaw",
- "C:\\\\ProgramData\\\\scpbrad",
- "C:\\\\ProgramData\\\\Trusteer",
- "dd.MM.yyyy HH:mm:ss",
- "application/json",
- "Sistema no disponible, intente nuevamente m\u00e1s tarde.",
- "SENHA DE 6 BPN",
- "SENHA DE 6 NB",
- "SENHA DE 6 CIUDAD",
- "SENHA DE 6 COMAFI",
- "SENHA DE 6 GALACIA",
- "SENHA DE 6 HSBC",
- "SENHA DE 6 ICBC",
- "SENHA DE 6 PATAGONIA",
- "SENHA DE 6 PROVINCIA",
- "SENHA DE 6 SANTANDER",
- "SENHA DE 6 BIND",
- "SENHA DE 6 BBVA",
- "driftcar.giize.com:443",
- "adreniz.kozow.com:443"
- ]
- },
- "key": "526f35346a62726168486530765a6266487a7039685575526637684a737575794b4c7933654e5a3465644c415a71455861676b3078357767563277364d544b5339367279367959664d6a66456f35653934784e396c684e346b514c4e7479317442704974",
- "salt": "None",
- "sha256": "6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83",
- "yara_possible_family": "quasarrat"
-}
\ No newline at end of file
diff --git a/tests/expected/83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce.json b/tests/expected/83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce.json
deleted file mode 100644
index 1bc7eff..0000000
--- a/tests/expected/83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "config": {
- "obfuscated_key_1": false,
- "obfuscated_key_10": "qztadmin.duckdns.org:9782;",
- "obfuscated_key_11": "1WvgEMPjdwfqIMeM9MclyQ==",
- "obfuscated_key_12": "NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==",
- "obfuscated_key_13": "SubDir",
- "obfuscated_key_14": "Client.exe",
- "obfuscated_key_15": "QSR_MUTEX_YMblzlA3rm38L7nnxQ",
- "obfuscated_key_16": "Quasar Client Startup",
- "obfuscated_key_17": "mDf8ODHd9XwqMsIxpY8F",
- "obfuscated_key_18": "Office04",
- "obfuscated_key_19": "Logs",
- "obfuscated_key_2": false,
- "obfuscated_key_3": false,
- "obfuscated_key_4": true,
- "obfuscated_key_5": true,
- "obfuscated_key_6": false,
- "obfuscated_key_7": 3000,
- "obfuscated_key_8": "APPLICATIONDATA",
- "obfuscated_key_9": "1.3.0.0"
- },
- "key": "ff230bfb57fecad4bd59d4d97f6883b4",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce",
- "yara_possible_family": "quasarrat"
-}
\ No newline at end of file
diff --git a/tests/expected/9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4.json b/tests/expected/9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4.json
deleted file mode 100644
index 57ebc33..0000000
--- a/tests/expected/9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "config": {
- "An_ti": "true",
- "Anti_Process": "false",
- "BS_OD": "false",
- "Certifi_cate": "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",
- "De_lay": "1",
- "Group": "Default",
- "Hos_ts": "127.0.0.1",
- "Hw_id": "null",
- "In_stall": "false",
- "Install_File": "speedy",
- "Install_Folder": "%AppData%",
- "Key": "TzY1S0thald3UGNURmJTYjNSQVdBYlBQR2tTdUFaTTg=",
- "MTX": "ypxcfziuep",
- "Paste_bin": "null",
- "Por_ts": "4449",
- "Server_signa_ture": "Sn1WeJuN+Ypb6kUw4QirT1RzbwUEoeSYTmJAIlg0LayMd/VSwAo+0LnnT/g5HFx4QrqaM689CvKqUNfotQb9cPj05dfgrV3SplVDt5twnK6f8nnScqI8trTCmprH1gnOcoKcY8039kFo9dEj+eOiaBF451W181I5fPJd4Uug1bY=",
- "Ver_sion": "Venom RAT + HVNC + Stealer + Grabber v6.0.3"
- },
- "key": "86cfd98ca989924e7a9439902dc6a72e315da09c11b100c39cd59b9c9372b192",
- "salt": "56656e6f6d524154427956656e6f6d",
- "sha256": "9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4",
- "yara_possible_family": "venomrat"
-}
\ No newline at end of file
diff --git a/tests/expected/a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e.json b/tests/expected/a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e.json
deleted file mode 100644
index 0135315..0000000
--- a/tests/expected/a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "config": {
- "ENABLELOGGER": true,
- "ENCRYPTIONKEY": "O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr",
- "HIDEFILE": true,
- "INSTALL": false,
- "INSTALLNAME": "INSTALL",
- "MUTEX": "e4d6a6ec-320d-48ee-b6b2-fa24f03760d4",
- "PASSWORD": "5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks",
- "RECONNECTDELAY": 5000,
- "SPECIALFOLDER": "APPLICATIONDATA",
- "STARTUP": true,
- "STARTUPKEY": "STARTUP",
- "SUBFOLDER": "SUB",
- "TAG": "RELEASE",
- "VERSION": "1.0.00.r3",
- "hardcoded_hosts": [
- "kilofrngcida.xyz:443",
- "sartelloil.lat:443",
- "fostlivedol.xyz:443",
- "comerciodepeixekino.org:443",
- "cartlinkfoltrem.xyz:443",
- "trucks-transport.xyz:443"
- ]
- },
- "key": "None",
- "salt": "None",
- "sha256": "a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e",
- "yara_possible_family": "quasarrat"
-}
\ No newline at end of file
diff --git a/tests/expected/a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b.json b/tests/expected/a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b.json
deleted file mode 100644
index f335e36..0000000
--- a/tests/expected/a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "config": {
- "obfuscated_key_1": true,
- "obfuscated_key_10": "1.4.1",
- "obfuscated_key_11": "10.0.0.61:4782;24.67.68.3:4782;",
- "obfuscated_key_12": "SubDir",
- "obfuscated_key_13": "GloomTool.exe",
- "obfuscated_key_14": "9fdd3e80-d560-431b-b526-3ebbc1799110",
- "obfuscated_key_15": "WindowsAV",
- "obfuscated_key_16": "5F91B88C67A9ACF78B2396771B3B6F2B4615CA57",
- "obfuscated_key_17": "Office04",
- "obfuscated_key_18": "Logs",
- "obfuscated_key_19": "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",
- "obfuscated_key_2": true,
- "obfuscated_key_20": "MIIE9DCCAtygAwIBAgIQAIhqXB+nLwd+VvEk3rjLsTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQwNTIyNDkxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArk3R4LAyzBp+YXIUqxBNyT/R94en+jU7NTtJGsCG7I6Tp2ZV6mdTOynApeBLs6RvgIpzxPIbjA7HMoQqRxBDKREcRZJCnK3NdMl+8ZMKU4OLBWINwW4fvZRu2spC79MYiIsKOXRDsfCelPs1llHTbD4b4c+PzbpcGA5gI+luZ6+OKajkGbAKdppse5EdPh+KrE6r74nAJiK9PdvfF1H7XwOVpFChxcYZJmZTG8hfrSFQ/0mSi0CobU71vj8fVkhX0EOVSv/KoilBScsXRYbvNY/uEzS+9f0xsYK5AgJQcUYWLthqKSZbo3T1WecBHKynExf8LbFpC42ACyPbZXtAYt1lyBXyLW8TZS65yquhcVio/ZgAG05WGn+TeA6M+CxNkEZNvgd5PDuBkF6X13w3OXGFOL7i4KBJifSMRyJaqp9i6ksAY8epDRHP1WOXDxnQ8ak+4jyPC6WSZFnGV3DT7lZahvkIaNR8OPR8suOoUWk8Jl9Fxx+DBa6RK3Ht96YkPAf8rY84Hjjp4xp1OF6q88W1YaYo9NtPK+5fkf2pFqa+RC7v3RKgsis3/1xYeBZ8expiCdm5hKTRx0tAkG5bLzC6/Em8cHqCR6lmbPuHgA4ijByU6fLD1JdmwqAcjpy9OIdB8L+G7X8kAu5+WUe5BMiIE6EYvJi3Rpg2fz5Nt9UCAwEAAaMyMDAwHQYDVR0OBBYEFI40k9gCti/BlRy3dUVqsbe3OhMxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAAXYckulFdYnmtdh24egkttF9h/0AD87o9kAnRwJVu3nu12R+FwJgaihvAQZiKQ4kgTkP//ag9E60xwyzEcj00/yZGzjMAAXONZoEyeCxEF5cMjbtmqLWsFkRaHEpWtcczJ2BChEnFDgoGF2I6TOlr7OGoJnzHmz43bY9dkpDJ+tqIZu5AwoMG4WMoNe+by66G2S1AjyVVimIJA7at12EMIUizO0Qov+iBFHSDiVwOZlUxhfu9TNKwIgQdSLHnTaBg03VFHpLZ63Qtmr12LwTEOUyVSnJXEsgZISQ0abMCaped6jwpR7+VlpU4SGfyBU8caFphJafdgVzhmztrTpYMUJE44d50+5ue9us2H2IH+26/+yBbQdffzp1LAFfYgjOE7k8EFjU3ayPaTN7ORtjCyNzhYRvjUCuopb0rWhJsQQRQJzkblrYJ/ocSfNGUQOoJpykyD1QiGboE11xIPheLYetZrRtkmNtFuVeKg9z7AB1ahxEcNGT/MW/wkxUe500cBLVTFeZtsMl7WYB6iUSxboQ8zZ8eWCDS2hYOxKfxfr54p4AW24Y267djKnAfpnMIsgJzjcDxvGGMBlwcrxb0vM0w+9K2R+M17r4bldxnStJj2Wtgal1TBVP1XexZgarfXw3HstKjhbFH6cb4g7ZW4wdCYE5XA6qZL00XpuSy4t",
- "obfuscated_key_21": "",
- "obfuscated_key_22": "",
- "obfuscated_key_3": true,
- "obfuscated_key_4": true,
- "obfuscated_key_5": true,
- "obfuscated_key_6": true,
- "obfuscated_key_7": true,
- "obfuscated_key_8": 3000,
- "obfuscated_key_9": "APPLICATIONDATA"
- },
- "key": "b30cea630f7fac6c2e066ce7f29e1b4bab548ee95b20ff6aa7387ce14df5dc30",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b",
- "yara_possible_family": "quasarrat"
-}
\ No newline at end of file
diff --git a/tests/expected/b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e.json b/tests/expected/b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e.json
deleted file mode 100644
index 57c3d05..0000000
--- a/tests/expected/b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "config": {
- "Groub": "NeverLoseCrack",
- "Hosts": "act-cleaning.gl.at.ply.gg",
- "InstallDir": "%ProgramData%",
- "InstallStr": "svchost.exe",
- "KEY": "<123456789>",
- "LoggerPath": "\\Log.tmp",
- "Mutex": "OkWVOTioL6k3Fg3w",
- "Port": "37158",
- "SPL": "",
- "Sleep": 3,
- "USBNM": "USB.exe"
- },
- "key": "c527ac2a4eeb6039d9477583d0f4f2c527ac2a4eeb6039d9477583d0f4f2ee00",
- "salt": "None",
- "sha256": "b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e",
- "yara_possible_family": "xworm"
-}
\ No newline at end of file
diff --git a/tests/expected/beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5.json b/tests/expected/beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5.json
deleted file mode 100644
index 0709807..0000000
--- a/tests/expected/beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "config": {
- "obfuscated_key_1": true,
- "obfuscated_key_10": "1.4.1",
- "obfuscated_key_11": "91.92.241.122:6969;",
- "obfuscated_key_12": "",
- "obfuscated_key_13": "Client.exe",
- "obfuscated_key_14": "fcf2be0a-a426-40c6-b153-1a354814f80d",
- "obfuscated_key_15": "Quasar Client Startup",
- "obfuscated_key_16": "26A6C07FE7354BCD244B108D2E3538DCF04477F5",
- "obfuscated_key_17": "Fab",
- "obfuscated_key_18": "Logs",
- "obfuscated_key_19": "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",
- "obfuscated_key_2": true,
- "obfuscated_key_20": "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",
- "obfuscated_key_21": "",
- "obfuscated_key_22": "",
- "obfuscated_key_3": false,
- "obfuscated_key_4": true,
- "obfuscated_key_5": false,
- "obfuscated_key_6": false,
- "obfuscated_key_7": true,
- "obfuscated_key_8": 3000,
- "obfuscated_key_9": "APPLICATIONDATA"
- },
- "key": "b5580a84ddadcf548713dd64fedbbe067f931e6ce4699271de572acbd52f4074",
- "salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
- "sha256": "beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5",
- "yara_possible_family": "quasarrat"
-}
\ No newline at end of file
diff --git a/tests/expected/d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e.json b/tests/expected/d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e.json
deleted file mode 100644
index b6f2942..0000000
--- a/tests/expected/d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "config": {
- "DoStartup": 2222,
- "EncryptionKey": "03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4",
- "Install_path": "appdata",
- "ServerIp": "77.221.152.198",
- "ServerPort": 4444,
- "delay": 5000,
- "mutex_string": "Xeno_rat_nd89dsedwqdswdqwdwqdqwdqwdwqdwqdqwdqwdwqdwqd12d",
- "startup_name": "nothingset"
- },
- "key": "650f47cdd14eaef8c529f2a03fa7744c",
- "salt": "None",
- "sha256": "d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e",
- "yara_possible_family": "xenorat"
-}
\ No newline at end of file
diff --git a/tests/expected/db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa.json b/tests/expected/db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa.json
deleted file mode 100644
index fef2bf4..0000000
--- a/tests/expected/db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "config": {
- "An_ti": "false",
- "Anti_Process": "false",
- "BS_OD": "false",
- "Certifi_cate": "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",
- "De_lay": "1",
- "Group": "Default",
- "Hos_ts": "127.0.0.1",
- "Hw_id": "null",
- "In_stall": "false",
- "Install_File": "",
- "Install_Folder": "%AppData%",
- "Key": "M1NoWkREazBvNTNGUkRlT0s4TjE1QlRRQmx4bW1zd2U=",
- "MTX": "qmhvogiycvwh",
- "Paste_bin": "null",
- "Por_ts": "4449,7772",
- "Server_signa_ture": "BW9mNNWdLZ+UgmfSTOot753DE24GfE+H6HYG5yl4IFszdMLpfQXijxVlt3bcz68PrHwYG2R70J+h9EVUXPjNw2GgCH5I8BvOw6Luh09VjE3YrfERSa2NKJ7baO9U9NDhM4HaSUCUvXGbR6J0itLe+2YthV7GXSCEbbmfZI9UYKU=",
- "Ver_sion": "Venom RAT + HVNC + Stealer + Grabber v6.0.3"
- },
- "key": "11ed70df5ce22de750c6e7496fa5c51985c321d2d9dd463979337af003644f41",
- "salt": "56656e6f6d524154427956656e6f6d",
- "sha256": "db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa",
- "yara_possible_family": "venomrat"
-}
\ No newline at end of file
diff --git a/tests/expected/fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d.json b/tests/expected/fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d.json
deleted file mode 100644
index 2ccda2f..0000000
--- a/tests/expected/fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "config": {
- "obfuscated_key_1": 3,
- "obfuscated_key_2": "mo1010.duckdns.org",
- "obfuscated_key_3": "7000",
- "obfuscated_key_4": "<123456789>",
- "obfuscated_key_5": "",
- "obfuscated_key_6": "USB.exe",
- "obfuscated_key_7": "%AppData%",
- "obfuscated_key_8": "tBZ7NDtphvUCm0Dc",
- "obfuscated_key_9": "\\Log.tmp"
- },
- "key": "e5f7efe2fddd6755c92cbc39d5559ce5f7efe2fddd6755c92cbc39d5559c4000",
- "salt": "None",
- "sha256": "fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d",
- "yara_possible_family": "xworm"
-}
\ No newline at end of file
diff --git a/tests/samples.enc.zip b/tests/samples.enc.zip
deleted file mode 100644
index 8546e1c..0000000
Binary files a/tests/samples.enc.zip and /dev/null differ
diff --git a/tests/test_known_samples.py b/tests/test_known_samples.py
deleted file mode 100644
index 13c03af..0000000
--- a/tests/test_known_samples.py
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/usr/bin/env python3
-#
-# test_known_samples.py
-#
-# Author: jeFF0Falltrades
-#
-# Test runner for CI job against known samples (only available in main repo)
-#
-# MIT License
-#
-# Copyright (c) 2026 Jeff Archer
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-import json
-import subprocess
-from pathlib import Path
-
-import pytest
-
-SAMPLES_DIR = Path("tests/samples")
-EXPECTED_DIR = Path("tests/expected")
-
-# Fields that are allowed to exist in parser output
-ALLOWED_FIELDS = {
- "sha256",
- "yara_possible_family",
- "key",
- "salt",
- "config",
- "file_path",
-}
-
-
-def normalize_output(data: dict) -> dict:
- """
- Strip non-deterministic or environment-specific fields
- """
- return {
- "sha256": data.get("sha256"),
- "yara_possible_family": data.get("yara_possible_family"),
- "key": data.get("key"),
- "salt": data.get("salt"),
- "config": data.get("config"),
- }
-
-
-@pytest.mark.skipif(
- not SAMPLES_DIR.exists(),
- reason="Malware samples not available (is this a fork PR?)",
-)
-@pytest.mark.parametrize(
- "expected_file",
- sorted(EXPECTED_DIR.glob("*.json")),
- ids=lambda p: p.stem,
-)
-def test_parser_against_known_samples(expected_file):
- with expected_file.open("r", encoding="utf-8") as f:
- expected = json.load(f)
-
- assert isinstance(expected, dict), "Expected output must be a JSON object"
- assert "sha256" in expected, "Expected output missing sha256"
-
- sha = expected["sha256"]
-
- sample_path = next((p for p in SAMPLES_DIR.iterdir() if p.is_file() and p.name.startswith(sha)), None)
-
- assert sample_path is not None, f"No sample file found for SHA {sha}"
-
- proc = subprocess.run(
- ["rat-king-parser", str(sample_path)],
- capture_output=True,
- text=True,
- check=True,
- )
-
- try:
- parsed = json.loads(proc.stdout)
- except json.JSONDecodeError:
- pytest.fail(
- "Parser did not emit valid JSON.\n"
- f"STDOUT:\n{proc.stdout}\n\nSTDERR:\n{proc.stderr}"
- )
-
- assert isinstance(parsed, list), "Parser output must be a JSON array"
- assert len(parsed) > 0, "Parser output array is empty"
-
- parsed = parsed[0]
-
- assert isinstance(parsed, dict), "Parser result must be a JSON object"
- assert parsed.get("sha256") == sha, "SHA256 mismatch in parser output"
- assert isinstance(parsed.get("config"), dict), "config must be a dictionary"
-
- unexpected_fields = set(parsed.keys()) - ALLOWED_FIELDS
- assert not unexpected_fields, f"Unexpected output fields: {unexpected_fields}"
-
- normalized_actual = normalize_output(parsed)
- normalized_expected = normalize_output(expected)
-
- assert normalized_actual == normalized_expected