commit 4625878297556eb5d6166a189f1df2031faf1f34
Author: ALittlePatate <maxime.goyheneche@gmail.com>
Date:   Mon Aug 29 13:54:43 2022 +0200

    initial commit of the files

diff --git a/Hancitor/extract_config.py b/Hancitor/extract_config.py
new file mode 100644
index 0000000..f2e1c63
--- /dev/null
+++ b/Hancitor/extract_config.py
@@ -0,0 +1,86 @@
+#everything is from here : https://www.youtube.com/watch?v=OQuRwpUTBpQ
+#i added comments so i can understand the code better
+
+import pefile   #working with a pe file
+import re       #regular expression search
+import struct   #convert data to numbers
+import hashlib  #sha1 hash
+import sys      #arg
+
+def rc4crypt(data, key):
+    #If the input is a string convert to byte arrays
+    if type(data) == str:
+        data = data.encode('utf-8')
+    if type(key) == str:
+        key = key.encode('utf-8')
+    x = 0
+    box = list(range(256))
+    for i in range(256):
+        x = (x + box[i] + key[i % len(key)]) % 256
+        box[i], box[x] = box[x], box[i]
+    x = 0
+    y = 0
+    out = []
+    for c in data:
+        x = (x + 1) % 256
+        y = (y + box[x]) % 256
+        box[x], box[y] = box[y], box[x]
+        out.append(c ^ box[(box[x] + box[y]) % 256])
+    return bytes(out)
+
+if len(sys.argv) != 2 :
+    print("Usage : python extract_config.py [sample.bin]")
+    exit(0)
+
+sample_path = sys.argv[1]
+data = open(sample_path,"rb").read()
+
+pe = pefile.PE(data=data)
+
+"""
+6A 08                                   push    8               ; dwDataLen
+68 10 50 57 00                          push    offset pbData   ; pbData
+68 00 20 00 00                          push    2000h           ; pdwDataLen
+"""
+sig = rb"\x6A(.)\x68(....)\x68\x00\x20\x00\x00" #'.' is a wildcard, same as '?', '()' is for a capture group, so we can catch their values
+match = re.search(sig, data)
+
+if match == None :
+    """
+    Signature got updated
+    6A 08                                   push    8               ; dwDataLen
+    68 10 40 00 10                          push    offset pbData   ; pbData
+    56                                      push    esi             ; pdwDataLen
+    """
+    sig = rb"\x6A(.)\x68(....)\x56" #'.' is a wildcard, same as '?', '()' is for a capture group, so we can catch their values
+    match = re.search(sig, data)
+
+print("key length: %r" % match.group(1))
+print("key address: %r" % match.group(2))
+
+key_len = struct.unpack('b', match.group(1))[0]
+key_addr = struct.unpack('<I', match.group(2))[0] #'<I' : little endian
+key_rva = key_addr - pe.OPTIONAL_HEADER.ImageBase #RVA : Relative Virtual Address, we need that so we can translate it to a file offset
+key_offset = pe.get_offset_from_rva(key_rva)
+key_data = data[key_offset:key_offset+key_len]
+
+print("key data: %r" % key_data)
+
+config_data = data[key_offset+key_len:key_offset+key_len+0x2000]
+
+m = hashlib.sha1()
+m.update(key_data)      #sha1 the key data
+key = m.digest()[:5]    #keeping only the first 5 bytes of the sha1 of key_data
+
+config = rc4crypt(config_data, key)
+build_id = config.split(b'\x00')[0].decode()
+
+c2_string = ''
+for s in config.split(b'\x00')[1:]:
+    if s != b'':
+        c2_string = s.decode()
+        break
+
+c2_list = c2_string.split("|")[:-1]
+print("build id: %s" % build_id)
+print("C2: %s" % c2_list)
\ No newline at end of file
diff --git a/Hancitor/hancitor.yara b/Hancitor/hancitor.yara
new file mode 100644
index 0000000..45a5156
--- /dev/null
+++ b/Hancitor/hancitor.yara
@@ -0,0 +1,11 @@
+rule hancitor : rat
+{
+    meta:
+        description = "Hancitor"
+        threat_level = 3
+        in_the_wild = true
+    strings:
+        $config_params = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)"
+    condition:
+        $config_params
+}
\ No newline at end of file
diff --git a/Hancitor/sample.bin b/Hancitor/sample.bin
new file mode 100644
index 0000000..65981f9
Binary files /dev/null and b/Hancitor/sample.bin differ
diff --git a/Hancitor/sample.bin.idb b/Hancitor/sample.bin.idb
new file mode 100644
index 0000000..67094e6
Binary files /dev/null and b/Hancitor/sample.bin.idb differ
diff --git a/Hancitor/sample2.bin b/Hancitor/sample2.bin
new file mode 100644
index 0000000..a3f2058
Binary files /dev/null and b/Hancitor/sample2.bin differ
diff --git a/Hancitor/sample2.bin.idb b/Hancitor/sample2.bin.idb
new file mode 100644
index 0000000..aff9d7b
Binary files /dev/null and b/Hancitor/sample2.bin.idb differ
diff --git a/Nanocore/nanocore_rat.yara b/Nanocore/nanocore_rat.yara
new file mode 100644
index 0000000..a076972
--- /dev/null
+++ b/Nanocore/nanocore_rat.yara
@@ -0,0 +1,13 @@
+rule nanocore_rat : rat
+{
+    meta:
+        description = "Nanocore rat"
+        threat_level = 3
+        in_the_wild = true
+    strings:
+        $nanocore_name = "NanoCore"
+        $get_StartupPath = "get_StartupPath"
+        $ConnectDone = "ConnectDone"
+    condition:
+        $nanocore_name and $get_StartupPath and $ConnectDone
+}
diff --git a/Quasar/quasar_rat.yara b/Quasar/quasar_rat.yara
new file mode 100644
index 0000000..431fa40
--- /dev/null
+++ b/Quasar/quasar_rat.yara
@@ -0,0 +1,13 @@
+rule quasar_rat : rat
+{
+    meta:
+        description = "Quasar rat"
+        threat_level = 3
+        in_the_wild = true
+    strings:
+        $quasar_name = "Quasar"
+        $add_DownloadFileCompleted = "add_DownloadFileCompleted"
+        $reverse_proxy_data = "ReverseProxyData"
+    condition:
+        $quasar_name and $add_DownloadFileCompleted and $reverse_proxy_data
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..feaab3e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,12 @@
+# Malware research
+I am learning about reverse engineering and malware analysis, here you'll find all of my work, including my IDA database (for IDA Pro 7.5), my config extractors, and my Yara rules !
+
+# Samples
+Here you can find a list of the samples present in this repo :
+
+* [Quasar rat](https://github.com/ALittlePatate/Malware-Research/tree/main/Quasar)
+* [Nanocore rat](https://github.com/ALittlePatate/Malware-Research/tree/main/Nanocore)
+* [Hancitor](https://github.com/ALittlePatate/Malware-Research/tree/main/Hancitor)
+
+# Special thanks
+I want to thank [herrcore](https://github.com/herrcore) for his [videos](https://www.youtube.com/c/OALabs/videos) and [streams](https://www.twitch.tv/oalabslive) about malware analysis, also he was super kind responding to my weird begginer questions on [his discord](https://discord.gg/uBk7wyE8) !
\ No newline at end of file