Loki-Bot: Come out, come out, wherever you are!
Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This...
Defeating the VB5 Packer
In this post, I provide step-by-step instructions on how to unpack an executable that has been packed with a VB5 Packer. I will also cover the bypassing of multiple anti-analysis controls that were...
Analyzing Malicious Password Protected Office Documents
Over the past year-or-so, there seems to have been an uptick of miscreants password protecting the malicious office documents that they send to their target victims. They do this in an effort to bypass...
AutoIt Malware: From Compiled Binary to Plain-Text Script
AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware that AutoIt's website...
Loki-Bot: Inside & Out
Everything you've ever wanted to know about Loki-Bot. Includes a Cheat Sheet, IDS signatures, python script, and a link to my 177 page research paper on the subject
From Emotet, PSDecode is born!
It’s been way too long since my last post. DEFCON happened, then I got a new job, thanksgiving getaway to San Francisco, got sick (dirty airport people), excuse++. Things are starting to settle down a...
PSDecode Update: New-Object override + Actions output
After I published the first iteration of PSDecode, my next goal with the tool was to figure out how to override methods within system classes typically used by malware authors, such as...
String Hashing: Reverse Engineering an Anti-Analysis Control
String hashing is a method employed by malware authors to disguise strings that are critical to its (stealthy) execution such as library, function and/or process names. Being able to determine what...
Manual analysis of new PowerSplit maldocs delivering Emotet
Wow. It’s been a long time since my last blog post (~ 2 years). The new year has inspired me to dust off some cobwebs and produce a blog post that hopefully someone can learn from. In this post, I’ll...