{"report_id":"3ee38d71-f7b6-4276-878a-f78c9e8979b8","version":6,"status":"done","tags":[],"date":"2023-10-03T10:16:56Z","url":{"schema":"http","addr":"github.com/S3cur3Th1sSh1t/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.4","port":0,"asn":36459,"as":"GITHUB","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T20:55:26Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"github.com","ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"United States","country_code":"US"},"domain_registered":"2007-10-09","domain_rank":1423,"first_seen":"2016-07-13 12:28:22","last_seen":"2023-09-20 18:48:10","alert_count":0,"request_count":2,"received_data":6798,"sent_data":1488,"comment":"","tags":null,"fingerprints":null},{"fqdn":"raw.githubusercontent.com","ip":{"addr":"185.199.110.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"domain_registered":"2014-02-06","domain_rank":35802,"first_seen":"2014-03-01 08:08:08","last_seen":"2023-10-02 18:32:49","alert_count":4,"request_count":1,"received_data":2060156,"sent_data":534,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"e615c10b8676ae8cd10768beae1e41d4","sha1":"aee671334f6d7c53be7c0ea2b49ecbe7c204f0d6","sha256":"52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","sha512":"6f3d003f0fd1f1d38ab48116a668a27160f57afc049248d8e88787c2c2c9bf4dc99c88beb5ba7429e6efb241d68c405757030447a6f326dfd423c777a186d308","magic":"PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows\\012- data","size":2059264,"url":{"schema":"https","addr":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","fqdn":"raw.githubusercontent.com","domain":"raw.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.110.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","md5":"45736deb14f3a68e88b038183c23e597","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SAFETYKATZ_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"Detects c# red/black-team tools via typelibguid","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2020-12-13","description":"Detects c# red/black-team tools via typelibguid","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-04-06","reference":"https://github.com/GhostPack/SafetyKatz","rule":"HKTL_NET_GUID_SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2023-10-03","alert":"Windows.Hacktool.SafetyKatz","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-08-05","alert":"Scan result 54/71","trigger":"52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","verdict":"malicious","severity":"","comment":"malicious - 54/71","link":"https://www.virustotal.com/gui/file/52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","md5":"45736deb14f3a68e88b038183c23e597","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SAFETYKATZ_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"Detects c# red/black-team tools via typelibguid","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2020-12-13","description":"Detects c# red/black-team tools via typelibguid","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-04-06","reference":"https://github.com/GhostPack/SafetyKatz","rule":"HKTL_NET_GUID_SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2023-10-03","alert":"Windows.Hacktool.SafetyKatz","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"github.com/S3cur3Th1sSh1t/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-03T10:16:37.744Z","timestamp":1696328197744,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":"GitHub, Inc."},"issuer":{"commonName":"DigiCert TLS Hybrid ECC SHA384 2020 CA1","organization":"DigiCert Inc"},"validity":{"start":"Tue, 14 Feb 2023 00:00:00 GMT","end":"Thu, 14 Mar 2024 23:59:59 GMT"},"fingerprint":{"sha1":"A3:B5:9E:5F:E8:84:EE:1F:34:D9:8E:EF:85:8E:3F:B6:62:AC:10:4A","sha256":"92:A3:7F:BD:5E:21:A5:3A:95:C7:16:E1:14:4F:44:2F:58:2B:94:D0:FA:FC:67:3E:B6:71:7A:4E:B5:1A:88:A7"}}},"request":{"raw":"GET /S3cur3Th1sSh1t/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\nserver: GitHub.com\r\ndate: Tue, 03 Oct 2023 10:16:37 GMT\r\ncontent-type: text/html; charset=utf-8\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With\r\nlocation: https://github.com/S3cur3Th1sSh1t/Creds/raw/master/Ghostpack/SafetyKatz.exe\r\ncache-control: no-cache\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubcopilot.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/\r\nset-cookie: _gh_sess=pwJwGybgoZ9KDeLLNjLXYTIvyHq3Tvf6xnnFpCeY5d47EqrW6HkH3o0pkHyTo0H%2FhOYUTEO423BqMgIejnkUWaW7oLPgukLv6ElTe6fgA9JSH5fvqAIOvMZcUXq67SItMmNqLNa8P4DDMwtr945YB9SdeqirJ0qXX0NwydgBbZO9%2FluPFFox%2FPrF%2FmZnvEhT0GePpcfkOwtnt1tMqNcZl5VKkerJDVF%2BF2DAgI2PoMwfd8fURZSNyqJXKyLc%2FqVl4gbdYUcwC9doC%2B%2BzKcJhJg%3D%3D--p%2FmYiduNruSGWam1--xzep2Wwp2T0B8ILOA561gg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax\n_octo=GH1.1.1503389047.1696328197; Path=/; Domain=github.com; Expires=Thu, 03 Oct 2024 10:16:37 GMT; Secure; SameSite=Lax\nlogged_in=no; Path=/; Domain=github.com; Expires=Thu, 03 Oct 2024 10:16:37 GMT; HttpOnly; Secure; SameSite=Lax\r\ncontent-length: 0\r\nx-github-request-id: 51AC:5528:4948C17:4A6294C:651BEA05\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/octet-stream","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-20T08:12:38.600474Z","times_seen":15476219,"resource_available":true,"data":null}},"time_used":453,"timings":{"blocked":146,"dns":1,"connect":25,"send":0,"wait":158,"receive":1,"ssl":119},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"github.com/S3cur3Th1sSh1t/Creds/raw/master/Ghostpack/SafetyKatz.exe","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-03T10:16:38.077Z","timestamp":1696328198077,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":"GitHub, Inc."},"issuer":{"commonName":"DigiCert TLS Hybrid ECC SHA384 2020 CA1","organization":"DigiCert Inc"},"validity":{"start":"Tue, 14 Feb 2023 00:00:00 GMT","end":"Thu, 14 Mar 2024 23:59:59 GMT"},"fingerprint":{"sha1":"A3:B5:9E:5F:E8:84:EE:1F:34:D9:8E:EF:85:8E:3F:B6:62:AC:10:4A","sha256":"92:A3:7F:BD:5E:21:A5:3A:95:C7:16:E1:14:4F:44:2F:58:2B:94:D0:FA:FC:67:3E:B6:71:7A:4E:B5:1A:88:A7"}}},"request":{"raw":"GET /S3cur3Th1sSh1t/Creds/raw/master/Ghostpack/SafetyKatz.exe HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: _gh_sess=pwJwGybgoZ9KDeLLNjLXYTIvyHq3Tvf6xnnFpCeY5d47EqrW6HkH3o0pkHyTo0H%2FhOYUTEO423BqMgIejnkUWaW7oLPgukLv6ElTe6fgA9JSH5fvqAIOvMZcUXq67SItMmNqLNa8P4DDMwtr945YB9SdeqirJ0qXX0NwydgBbZO9%2FluPFFox%2FPrF%2FmZnvEhT0GePpcfkOwtnt1tMqNcZl5VKkerJDVF%2BF2DAgI2PoMwfd8fURZSNyqJXKyLc%2FqVl4gbdYUcwC9doC%2B%2BzKcJhJg%3D%3D--p%2FmYiduNruSGWam1--xzep2Wwp2T0B8ILOA561gg%3D%3D; _octo=GH1.1.1503389047.1696328197; logged_in=no\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\nserver: GitHub.com\r\ndate: Tue, 03 Oct 2023 10:16:38 GMT\r\ncontent-type: text/html; charset=utf-8\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With\r\naccess-control-allow-origin: https://render.githubusercontent.com\r\nlocation: https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe\r\ncache-control: no-cache\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubcopilot.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/\r\ncontent-length: 0\r\nx-github-request-id: 51AC:5528:4948D60:4A62A88:651BEA05\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/octet-stream","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-20T08:12:38.600474Z","times_seen":15476219,"resource_available":true,"data":null}},"time_used":700,"timings":{"blocked":16,"dns":0,"connect":0,"send":0,"wait":684,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","fqdn":"raw.githubusercontent.com","domain":"raw.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.110.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-03T10:16:38.786Z","timestamp":1696328198786,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.github.io","organization":"GitHub, Inc."},"issuer":{"commonName":"DigiCert TLS RSA SHA256 2020 CA1","organization":"DigiCert Inc"},"validity":{"start":"Tue, 21 Feb 2023 00:00:00 GMT","end":"Wed, 20 Mar 2024 23:59:59 GMT"},"fingerprint":{"sha1":"A1:46:14:C7:2A:1D:52:79:F6:AA:2B:B2:C5:0A:3B:D3:F5:02:06:75","sha256":"38:2C:D4:2D:33:C0:2B:C6:67:8E:65:7C:E1:7B:84:6D:04:73:A7:E7:91:CD:B3:5B:8E:AD:90:1A:F1:E1:1A:08"}}},"request":{"raw":"GET /S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe HTTP/1.1\r\nHost: raw.githubusercontent.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncache-control: max-age=300\r\ncontent-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox\r\ncontent-type: application/octet-stream\r\netag: W/\"d435389429e59e74a1cf693cec2104d64769364f1095ee136c29bd68111597f7\"\r\nstrict-transport-security: max-age=31536000\r\nx-content-type-options: nosniff\r\nx-frame-options: deny\r\nx-xss-protection: 1; mode=block\r\nx-github-request-id: 6E3A:DBA6:744627:7983A4:651BEA04\r\naccept-ranges: bytes\r\ndate: Tue, 03 Oct 2023 10:16:38 GMT\r\nvia: 1.1 varnish\r\nx-served-by: cache-bma1651-BMA\r\nx-cache: MISS\r\nx-cache-hits: 0\r\nx-timer: S1696328198.405801,VS0,VE397\r\nvary: Authorization,Accept-Encoding,Origin\r\naccess-control-allow-origin: *\r\ncross-origin-resource-policy: cross-origin\r\nx-fastly-request-id: 4bf4a15877745ccd962ade44ac72dfd64008a0be\r\nexpires: Tue, 03 Oct 2023 10:21:38 GMT\r\nsource-age: 0\r\ncontent-length: 2059264\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2059264,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows\\012- data","md5":"e615c10b8676ae8cd10768beae1e41d4","sha1":"aee671334f6d7c53be7c0ea2b49ecbe7c204f0d6","sha256":"52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","sha512":"6f3d003f0fd1f1d38ab48116a668a27160f57afc049248d8e88787c2c2c9bf4dc99c88beb5ba7429e6efb241d68c405757030447a6f326dfd423c777a186d308","ssdeep":"24576:z7vtyzUSAHBxtVCRV86F84P42Yl87c+XwrXpznu:z7qG7VR0F","tlshash":"6b9538342dea502ab173ef698be475dada6fb7733b07545d10a1038a0b23a42edc153d","first_seen":"2023-05-20T03:56:36Z","last_seen":"2025-05-08T22:05:41.775768Z","times_seen":122,"resource_available":false,"data":null}},"time_used":918,"timings":{"blocked":25,"dns":1,"connect":8,"send":0,"wait":405,"receive":463,"ssl":13},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"FireEye","description":"The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project.","md5":"45736deb14f3a68e88b038183c23e597","reference":"https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html","rule":"HackTool_MSIL_SAFETYKATZ_4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-03","alert":"Detects c# red/black-team tools via typelibguid","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2020-12-13","description":"Detects c# red/black-team tools via typelibguid","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-04-06","reference":"https://github.com/GhostPack/SafetyKatz","rule":"HKTL_NET_GUID_SafetyKatz"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2023-10-03","alert":"Windows.Hacktool.SafetyKatz","trigger":"raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/Ghostpack/SafetyKatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-11-20","fingerprint":"f0d11341fc91d2c45c07c6079aad24a11da03320286216be0a68461b6bf55b02","id":"072b7370-517b-45dc-af23-ba3adbd32fbd","last_modified":"2023-01-11","license":"Elastic License v2","os":"windows","reference_sample":"89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9","rule":"Windows_Hacktool_SafetyKatz_072b7370","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.SafetyKatz"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-08-05","alert":"Scan result 54/71","trigger":"52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","verdict":"malicious","severity":"","comment":"malicious - 54/71","link":"https://www.virustotal.com/gui/file/52779c376bb2803a0bac90302d5bc82a4213aca88a0072166b04ef0fdccb7814","meta":null}],"urlquery":null}}]}