Short Summary:
This article discusses the use of CyberChef to deobfuscate a .vbs loader for Nanocore malware. It details the obfuscation techniques used and provides a step-by-step guide on how …
Short Summary:
This article discusses the decoding process of a .HTA script linked to the Cobalt Strike toolkit, focusing on the methods of obfuscation used, including Base64URL encoding and …
In this post, we'll demonstrate the Garbageman analysis tool. Garbageman is a .NET analysis tool that can be used to obtain information from packed or obfuscated .NET malware.
Here is …
This post is a continuation of "Malware Unpacking With Hardware Breakpoints".
Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted …
Leveraging Ghidra to establish context and intent behind suspicious strings. Taking things one step further after initial analysis tooling like Pe-Studio and Detect-it-easy.
This is a great technique for working …
In this blog, we'll use Ghidra to analyse a suspicious imported function identified with PeStudio.
This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to …
In this post, we will investigate a Vidar Malware sample containing suspicious encrypted strings. We will use Ghidra cross references to analyse the strings and identify the location where they …
We're all used to the regular CyberChef operations like "From Base64", From Decimal and the occasional magic decode or xor. But what happens when we need to do something more …
In this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware. We will identify these domains through the usage of hardcoded subdomains in the TLS Certificate …
In previous posts we decoded some Malicious scripts and obtained Cobalt Strike Shellcode.
After obtaining the Shellcode, we used SpeakEasy emulation to determine the functionality of the Shellcode. This is …
Summary:
This post discusses the process of removing junk comments and self-referencing code in a Latrodectus loader. It explores the stages of the sample and provides insights into the …
In this blog we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X.
The initial reported domain leverages 302 redirects to send users …
In this post we leverage passive DNS analysis tools to expand on an ACTINIUM intelligence report published by Microsoft.
This analysis will leverage the initial domains provided in the report …
I recently became aware of an awesome DNS Analysis tool called Validin which can be used to analyse malicious domains and show related infrastructure using DNS records.
This has been …
This post will dive into a Latrodectus loader that leverages junk comments and wmi commands to obfuscate functionality and download a remote .msi file.
There are three “stages” to this …
In previous posts here and here, we explored methods for extracting cobalt strike shellcode from script-based malware.
In this post, we’ll explore a more complex situation where Cobalt Strike shellcode …
Unpacking malware can be a tedious task, often involving intensive static analysis and in-depth knowledge of debugging.
In this post, I'll demonstrate an easy method that can be used to …
In a previous post, we demonstrated a method for unpacking an Asyncrat malware sample by utilising Process Hacker and Dnspy.
We leveraged Process Hacker to identify a suspicious process, then …
In this post, we’ll demonstrate a process for decoding a visual basic (.vbs) script, which contains an encoded Powershell Script used to download Remcos malware from a Google Drive.
We’ll …
Intermediate
Improving Malware Analysis Workflows by Modifying the default Ghidra UI.
Matthew, Oct 25, 2023 — 4 min read
The Ghidra User interface can be intimidating and complicated for users …
Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.
The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by …
In this post, we will demonstrate a process for decoding a simple .hta loader used to load Cobalt Strike shellcode. We will perform initial analysis using a text editor, and …