Summary:
HawkEye, also known as PredatorPain, is a long-standing malware primarily functioning as a keylogger but has evolved to include functionalities typical of stealers. Initially emerging in 2008, it gained notoriety through spearphishing campaigns and has been utilized by various threat actors. Its delivery methods have diversified over time, and it has shown resilience in adapting to new evasion techniques and maintaining persistence on infected systems.…
Author: AnyRun
Summary:
This article analyzes two infection techniques used by AsyncRAT malware via open directories. It highlights the evolving methods attackers employ to exploit publicly accessible files, showcasing the persistent threat posed by AsyncRAT and its diverse strategies for infiltration and control.
Key Points:
AsyncRAT is a Remote Access Trojan (RAT) used for spying and data theft.…
Short Summary:
This article discusses packers and crypters, which are tools used to complicate malware analysis. It explains the differences between the two, their detection methods, and various tools that can assist in unpacking and analyzing malware samples.
Key Points:
Packer: Compresses files into a single executable, making detection difficult.…
The article from ANY.RUN discusses recent cyber threats identified in October 2024, focusing on the APT-C-36 group, known as BlindEagle, which targets the LATAM region through phishing attacks. It details their tactics, including the use of Remote Access Tools (RATs) like Remcos and AsyncRAT, and highlights other phishing campaigns exploiting fake CAPTCHA prompts and encoded JavaScript files.…
Short Summary:
The article provides a comprehensive analysis of the DarkComet Remote Access Trojan (RAT), detailing its capabilities, methods of infection, and the technical mechanisms it employs to evade detection and maintain persistence on infected systems. DarkComet allows attackers to remotely control systems, steal sensitive data, and execute various malicious activities while remaining stealthy and difficult to detect.…
Short Summary:
The article provides a detailed analysis of PhantomLoader, a malware loader that disguises itself as a legitimate DLL for antivirus software. It is used to deliver a rust-based malware called SSLoad, which employs various evasion techniques. The analysis outlines the infection chain, including the use of phishing emails, malicious Office documents, and advanced obfuscation methods.…
Short Summary:
This article discusses recent phishing campaigns analyzed by ANY.RUN researchers, focusing on the Tycoon 2FA Phish-kit and its various evolutions. The campaigns utilize compromised Amazon SES accounts and employ sophisticated techniques to deceive victims into revealing their credentials through fake error messages and legitimate-looking links.…
Short Summary:
The DeerStealer distribution campaign involves malware spread through fake Google Authenticator websites. The malware captures user information and downloads a stealer hosted on GitHub. It communicates with a Telegram bot and employs obfuscation techniques to hinder analysis. The campaign is linked to previous malware families, suggesting a common author.…
Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X and LinkedIn.
Brute Ratel C4 (BRC4) is a customized, commercial command and control (C2) framework that was first introduced in December 2020.…
A recent update by CrowdStrike on July 18, 2024, resulted in a worldwide outage, causing significant disruption for users who were left with blue screens of death (BSODs) on their devices.
Cybercriminals seized the opportunity to target affected users with phishing scams and malware disguised as updates or hotfixes. …
In this post we detail our comprehensive investigation into the phishing campaign encountered by our company. Our aim is to help others better understand this ongoing threat and take steps to protect themselves.
Here are some key findings:
We found around 72 phishing domains pretending to be real or fake companies.…
Malware authors use protectors like Themida and VMProtect in the hope that they will completely prevent analysts from reversing samples.
These protectors can use sophisticated techniques to hide malicious functionality: code virtualization, obfuscation, anti-debugging, compression, and encryption.…
In this article, we’ve prepared a brief overview of UAC bypass methods in Windows 11 that are used in modern malware and provided examples of their implementation in active threats. We’ll cover:
Exploitation of COM interfaces with the Auto-Elevate property
Modification of the ms-settings registry branch
Infinite UAC Prompt Loop (social engineering)
Let’s investigate these methods. …
Attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC using scripts or other methods. One type of server attackers can leverage is WebDAV (Web Distributed Authoring and Versioning) — a file transfer protocol built on top of HTTP.…
In order to understand malware comprehensively, it is essential to employ various analysis techniques and examine it from multiple perspectives. These techniques include behavioral, network, and process analysis during sandbox analysis, as well as static and dynamic analysis during reverse engineering.…
The following research was conducted by Anna Pham, also known as RussianPanda, a Senior Threat Intelligence researcher and a guest author for the ANY.RUN Blog. For more of her expert insights, follow her on Twitter/X.…
Every now and then, you come across a situation where you need to get hands-on to understand how an exploit or malware works and then create a detection rule. Plus, there are times when it’s essential for the attacking machine to be on the local network to capture network traffic or utilize its own detection tools.…
In this article, I’ll guide you through the analysis process of DCRat using ANY.RUN.…
In the modern world, it is rare to encounter purely clean malware during analysis. Malware code is commonly modified to hinder researchers from analyzing and decompiling it.
Software that alters code to hinder analysis is known as an obfuscator.…
Lena aka LambdaMamba
I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…
Editor’s note: The current article was originally published on May 13, 2021, and updated on January 26, 2024.
Today we face a growing number of cyberattacks. Analysts can use the intrusion detection system to identify, minimize, and stop threats.…
In this article, we’re analyzing one of the most unusual crypters — PureCrypter, and a multifunctional stealer — PureLogs. We’ll look at several examples and identify patterns among Pure-malware families, and also explain how to detect PureCrypter and PureLogs. …