├── Readme.txt ├── Type1 ├── Script │ ├── Deobfuscate.py │ ├── Deobfuscate_stage2.py │ └── ReadMe.txt └── Test_Type1 │ ├── ASEAN Summit 26-06-2020 Conference │ ├── ASEAN Summit 26-06-2020 Conference.doc.exe.7z │ ├── ASEAN Summit 26-06-2020 Conference.doc.exe.md5 │ ├── Denis_dump.bin.7z │ ├── Denis_dump.bin.md5 │ ├── Denis_dump.bin.output.7z │ ├── Denis_dump.bin.output.md5 │ └── unzip.pass │ ├── ESET_2018 │ ├── Denis_payload.bin.7z │ ├── Denis_payload.bin.md5 │ ├── Denis_payload.bin.output.7z │ ├── Denis_payload.bin.output.md5 │ ├── log1_Denis_payload.txt │ ├── log2_Denis_payload.txt │ ├── rastls.dll.7z │ ├── rastls.dll.md5 │ ├── rastls.dll.output.7z │ ├── rastls.dll.output.md5 │ ├── rastls_laucher.bin.7z │ ├── rastls_laucher.bin.md5 │ ├── rastls_laucher.bin.output.7z │ ├── rastls_laucher.bin.output.md5 │ ├── robototfontupdate_RealDropper.bin.7z │ ├── robototfontupdate_RealDropper.bin.md5 │ ├── robototfontupdate_RealDropper.bin.output.7z │ └── robototfontupdate_RealDropper.bin.output.md5 │ └── Wuhan_2020_krpl │ ├── krpt.dll.7z │ ├── krpt.dll.md5 │ ├── krpt_payload_dump.bin.7z │ ├── krpt_payload_dump.bin.md5 │ ├── krpt_payload_dump.ouput.7z │ ├── krpt_payload_dump.ouput.md5 │ ├── log1.txt │ └── log2.txt └── Type2 ├── Sample ├── CobaltStrike │ ├── beacon_dump.bin.7z │ ├── beacon_dump.bin.md5 │ ├── beacon_dump.bin.out.7z │ ├── beacon_dump.bin.out.md5 │ ├── beacon_dump.bin2.7z │ ├── beacon_dump.bin2.md5 │ ├── beacon_dump.bin2.out.7z │ └── beacon_dump.bin2.out.md5 ├── Hopdong │ ├── Downloader.exe.bin.7z │ ├── Downloader.exe.bin.md5 │ ├── Dropper.exe.bin.7z │ ├── Dropper.exe.bin.md5 │ ├── Hopdong.doc.7z │ ├── Hopdong.doc.md5 │ ├── MpSvc.dll.7z │ ├── MpSvc.dll.md5 │ ├── MpSvc.dll.out.7z │ ├── MpSvc.dll.out.md5 │ ├── recital.db.7z │ ├── recital.db.md5 │ ├── recital.db.out.7z │ └── recital.db.out.md5 ├── Report_tieccuoi │ ├── MpSvc.dll.7z │ ├── MpSvc.dll.md5 │ ├── MpSvc.dll.out.7z │ ├── MpSvc.dll.out.md5 │ ├── Report_tieccuoi.doc.7z │ ├── Report_tieccuoi.doc.md5 │ ├── mpsvc_beacon_dump.bin.7z │ └── mpsvc_beacon_dump.bin.md5 └── Thumoigapmatbaochi │ ├── Beacon.dump.7z │ ├── Beacon.dump.md5 │ ├── wwlib.dll.7z │ ├── wwlib.dll.md5 │ ├── wwlib.dll.out.7z │ └── wwlib.dll.out.md5 └── Script ├── DeobfuscateString_Beacon_IDAScript.py ├── DeobfuscateString_IDAScript.py ├── Readme.txt └── Type2_Deobfuscate.py /Readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Readme.txt -------------------------------------------------------------------------------- /Type1/Script/Deobfuscate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Script/Deobfuscate.py -------------------------------------------------------------------------------- /Type1/Script/Deobfuscate_stage2.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Script/Deobfuscate_stage2.py -------------------------------------------------------------------------------- /Type1/Script/ReadMe.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Script/ReadMe.txt -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/ASEAN Summit 26-06-2020 Conference.doc.exe.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/ASEAN Summit 26-06-2020 Conference.doc.exe.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/ASEAN Summit 26-06-2020 Conference.doc.exe.md5: -------------------------------------------------------------------------------- 1 | 7579AEDE6A223C96231AD30472A060DB -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.md5: -------------------------------------------------------------------------------- 1 | 3701D884F62E3E41CCC72DAF3D7FB739 -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.output.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.output.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/Denis_dump.bin.output.md5: -------------------------------------------------------------------------------- 1 | 8DBF25164DAFA167A4695B1710D3714D -------------------------------------------------------------------------------- /Type1/Test_Type1/ASEAN Summit 26-06-2020 Conference/unzip.pass: -------------------------------------------------------------------------------- 1 | infected -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/Denis_payload.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/Denis_payload.bin.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/Denis_payload.bin.md5: -------------------------------------------------------------------------------- 1 | 527B90CBBF50A454C4DC77D8ACB9C6C3 -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/Denis_payload.bin.output.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/Denis_payload.bin.output.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/Denis_payload.bin.output.md5: -------------------------------------------------------------------------------- 1 | 99E742126A1C56548F9F9F44D3B655C2 -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/log1_Denis_payload.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/log1_Denis_payload.txt -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/log2_Denis_payload.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/log2_Denis_payload.txt -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls.dll.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/rastls.dll.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls.dll.md5: -------------------------------------------------------------------------------- 1 | BF9B7058804E290A627C3F96B1F82E72 -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls.dll.output.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/rastls.dll.output.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls.dll.output.md5: -------------------------------------------------------------------------------- 1 | BDB9B5AB1CC12BD857107EDCBEAE196A -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls_laucher.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/rastls_laucher.bin.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls_laucher.bin.md5: -------------------------------------------------------------------------------- 1 | 5781C928AE7492105C7B4AAA8EBF3AAB -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls_laucher.bin.output.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/rastls_laucher.bin.output.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/rastls_laucher.bin.output.md5: -------------------------------------------------------------------------------- 1 | 2BD9F2D4665B7DE667DB8630C140C246 -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.md5: -------------------------------------------------------------------------------- 1 | 55E1A3F71D13CA9904231926BD76B41D -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.output.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.output.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/ESET_2018/robototfontupdate_RealDropper.bin.output.md5: -------------------------------------------------------------------------------- 1 | 7E64256FBC344A0C61B221A07C85207C -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt.dll.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/Wuhan_2020_krpl/krpt.dll.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt.dll.md5: -------------------------------------------------------------------------------- 1 | D739F10933C11BD6BD9677F91893986C -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.bin.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.bin.md5: -------------------------------------------------------------------------------- 1 | 4C9A38DD9BED877B428BBF43CABBBD64 -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.ouput.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.ouput.7z -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/krpt_payload_dump.ouput.md5: -------------------------------------------------------------------------------- 1 | 0AD8F34B91E9A92F3F201B935479D636 -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/log1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/Wuhan_2020_krpl/log1.txt -------------------------------------------------------------------------------- /Type1/Test_Type1/Wuhan_2020_krpl/log2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type1/Test_Type1/Wuhan_2020_krpl/log2.txt -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/CobaltStrike/beacon_dump.bin.7z -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin.md5: -------------------------------------------------------------------------------- 1 | 7C2326D2295BCE483F07E52258581AC6 -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/CobaltStrike/beacon_dump.bin.out.7z -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin.out.md5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/CobaltStrike/beacon_dump.bin.out.md5 -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin2.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/CobaltStrike/beacon_dump.bin2.7z -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin2.md5: -------------------------------------------------------------------------------- 1 | 308DDD5A8D2788C98C5E1ABFC7F71B3A -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin2.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/CobaltStrike/beacon_dump.bin2.out.7z -------------------------------------------------------------------------------- /Type2/Sample/CobaltStrike/beacon_dump.bin2.out.md5: -------------------------------------------------------------------------------- 1 | 1F1EBE22EB5200B1D18678EEBDDBE26D -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Downloader.exe.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/Downloader.exe.bin.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Downloader.exe.bin.md5: -------------------------------------------------------------------------------- 1 | 201FABEF76B145B28FE6C46D1B9C4008 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Dropper.exe.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/Dropper.exe.bin.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Dropper.exe.bin.md5: -------------------------------------------------------------------------------- 1 | B51A00B26E7A2D42B1C41F5967CF2167 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Hopdong.doc.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/Hopdong.doc.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/Hopdong.doc.md5: -------------------------------------------------------------------------------- 1 | B74C45A884B854B5A5E0EDD1067B2738 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/MpSvc.dll.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/MpSvc.dll.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/MpSvc.dll.md5: -------------------------------------------------------------------------------- 1 | 027F38F0C0EE7368C232D5C8E1F72582 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/MpSvc.dll.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/MpSvc.dll.out.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/MpSvc.dll.out.md5: -------------------------------------------------------------------------------- 1 | 74FF77803365F64F4169CFAC82CE5D79 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/recital.db.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/recital.db.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/recital.db.md5: -------------------------------------------------------------------------------- 1 | CE53BB171ECFDA4F014CBC93D8411C59 -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/recital.db.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Hopdong/recital.db.out.7z -------------------------------------------------------------------------------- /Type2/Sample/Hopdong/recital.db.out.md5: -------------------------------------------------------------------------------- 1 | D8FEA03D417C44F8ACC7C1544C18861E -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/MpSvc.dll.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Report_tieccuoi/MpSvc.dll.7z -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/MpSvc.dll.md5: -------------------------------------------------------------------------------- 1 | 11828E5044CFA64B338223C997344BB7 -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/MpSvc.dll.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Report_tieccuoi/MpSvc.dll.out.7z -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/MpSvc.dll.out.md5: -------------------------------------------------------------------------------- 1 | 7DCDAE5E8727BA333D19056C36B8BC45 -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/Report_tieccuoi.doc.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Report_tieccuoi/Report_tieccuoi.doc.7z -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/Report_tieccuoi.doc.md5: -------------------------------------------------------------------------------- 1 | 3646FEDACBC9258A1ACB835F8D7F25BF -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/mpsvc_beacon_dump.bin.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Report_tieccuoi/mpsvc_beacon_dump.bin.7z -------------------------------------------------------------------------------- /Type2/Sample/Report_tieccuoi/mpsvc_beacon_dump.bin.md5: -------------------------------------------------------------------------------- 1 | 5AAC92B8B168A4E83B8D4A7B0794371A -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/Beacon.dump.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Thumoigapmatbaochi/Beacon.dump.7z -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/Beacon.dump.md5: -------------------------------------------------------------------------------- 1 | 721254F41286717AA1CD9D7D652A9FA1 -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/wwlib.dll.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Thumoigapmatbaochi/wwlib.dll.7z -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/wwlib.dll.md5: -------------------------------------------------------------------------------- 1 | 30684FB951527EDC9BE330144BD3F8F1 -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/wwlib.dll.out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Sample/Thumoigapmatbaochi/wwlib.dll.out.7z -------------------------------------------------------------------------------- /Type2/Sample/Thumoigapmatbaochi/wwlib.dll.out.md5: -------------------------------------------------------------------------------- 1 | B8433A82FC266F8C056D7CE9FED2E2EF -------------------------------------------------------------------------------- /Type2/Script/DeobfuscateString_Beacon_IDAScript.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Script/DeobfuscateString_Beacon_IDAScript.py -------------------------------------------------------------------------------- /Type2/Script/DeobfuscateString_IDAScript.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Script/DeobfuscateString_IDAScript.py -------------------------------------------------------------------------------- /Type2/Script/Readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Script/Readme.txt -------------------------------------------------------------------------------- /Type2/Script/Type2_Deobfuscate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/levanvn/APT32_Deobfuscate/HEAD/Type2/Script/Type2_Deobfuscate.py --------------------------------------------------------------------------------