Author Archives: pcsxcetrasupport3
Peeling back the layers of a batch script ransomware
Our sample today comes from Ahmet Payaslioglu (@Computeus7) in this Twitter thread. I was tagged along with a few other people that may be interested in the sample. The main file was run on AnyRun here. This is where I …
What’s the difference and why should I care?
On occasion I go hunting in various sandboxes by scrolling down the list of submissions to look for something interesting to look at. I don’t normally see that many PowerPoint samples, so I took an interest in this one that …
Posted in Uncategorized
Peeling away the layers of obfuscation from Excel VBA to dll
When I first saw this tweet here by FileScan.IO @filescan_itsec I thought this would be an easy target for deobfuscation. I was wrong. The layers just kept peeling away. Looking at the Twitter link you can get a pretty good …
Excel 4 macro code obfuscation
This sample comes from a Twitter thread located here by Frost @fr0s7_ and appears to be “BazarLoader”. Since this is an Xlsb file I usually just open it up in my Office 2010 Pro sandbox and then convert to Xlsm …
A deeper look at Office documents flat style
Over the last few years I have seen some samples that use the XML style of Word documents with base64-encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam here where he was not able …
Posted in Malware, security, VBScript
Tagged Malware Analysis, Obfuscation, Office Documents
More on Yara And Building Rules
I’ve been learning how to build and modify yara rules lately, but my biggest pain was getting the formatting correct. In a recent Twitter thread here James @James_inthe_box posted where asyncrat was using pastebin to host their encoded rat. My …
Posted in Malware, Programming, VBScript
Tagged Malware Analysis, ThreatHunting, VBScript, Yara
SunCrypt, PowerShell obfuscation, shellcode and more yara
This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog posts, one by …
Posted in Malware, PowerShell
Tagged Malware Analysis, Obfuscation, PowerShell, Ransomware, Reverse Engineering
Ursa Loader and the many rabbit holes
On August 4th 2020 JAMESWT @JAMESWT_MHT posted on Twitter here about malware spam hitting Italy using Ursa loader. I mainly look at the obfuscation, and this VBScript looked rather interesting. Little did I know what I was in for. So …
PowerShell Steganography
Any programming language that can access the pixels of an image file can hide data inside the pixel bytes by modifying them slightly. The less you modify the pixel data …
Posted in Malware, PowerShell, Programming
Tagged Malware Analysis, Obfuscation, PowerShell, Steganography
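The mechanism the excerpt describes, as an added example that is not code from this blog: least-significant-bit embedding in Python over a constructed list of (r, g, b) tuples, standing in for the System.Drawing GetPixel/SetPixel loop a PowerShell stego script would run. The function names, the 4-byte length prefix, the gradient cover image and the LSB-ratio check are assumptions of this example, not details of the author's sample.

```python
"""LSB steganography on an RGB pixel buffer (added example, pure Python).

Stands in for the System.Drawing GetPixel/SetPixel loop a PowerShell stego
script would run; the cover image is a constructed list of (r, g, b) tuples so
nothing here needs an image library."""
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]


def make_sample_image(width: int = 16, height: int = 16) -> List[Pixel]:
    """Constructed cover image: a smooth gradient, row-major, every channel even."""
    return [((x * 16) & 0xFF, (y * 16) & 0xFF, ((x + y) * 8) & 0xFF)
            for y in range(height) for x in range(width)]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Hide payload in the low bit of each channel, after a 4-byte length prefix.

    Each channel value changes by at most 1, which is why the picture still
    looks identical to the eye."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("payload needs more low bits than the image has channels")
    bits = _bits(framed)
    out: List[Pixel] = []
    exhausted = False
    for px in pixels:
        if exhausted:
            out.append(px)          # untouched once the payload is written
            continue
        chans = list(px)
        for i in range(3):
            bit = next(bits, None)
            if bit is None:
                exhausted = True
                break
            chans[i] = (chans[i] & 0xFE) | bit
        out.append((chans[0], chans[1], chans[2]))
    return out


def _read_bits(pixels: List[Pixel], count: int) -> List[int]:
    bits: List[int] = []
    for px in pixels:
        for channel in px:
            if len(bits) == count:
                return bits
            bits.append(channel & 1)
    return bits


def _to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def extract(pixels: List[Pixel]) -> bytes:
    """Recover the payload; rejects a length prefix the image cannot hold."""
    length = int.from_bytes(_to_bytes(_read_bits(pixels, 32)), "big")
    total_bits = (4 + length) * 8
    if total_bits > len(pixels) * 3:
        raise ValueError("length prefix exceeds image capacity: no payload, or corrupted")
    return _to_bytes(_read_bits(pixels, total_bits))[4:]


def max_channel_delta(cover: List[Pixel], stego: List[Pixel]) -> int:
    """Largest per-channel change between cover and stego image (1 for LSB)."""
    return max(abs(a - b) for pa, pb in zip(cover, stego) for a, b in zip(pa, pb))


def lsb_ones_ratio(pixels: List[Pixel]) -> float:
    """Fraction of channels whose low bit is set. A smooth synthetic cover has a
    very regular pattern here; embedded data pushes it toward 0.5."""
    channels = [c for px in pixels for c in px]
    return sum(c & 1 for c in channels) / len(channels)


if __name__ == "__main__":
    cover = make_sample_image()
    stego = embed(cover, b"stage two goes here")
    print(extract(stego), max_channel_delta(cover, stego), lsb_ones_ratio(stego))
```

The capacity check in `extract` matters on the analysis side: pointing the extractor at an ordinary picture yields a garbage length prefix, and without the check a naive loop would read past the buffer or hang. The `lsb_ones_ratio` helper is the simplest form of the statistical test that catches LSB embedding in flat or synthetic images; on a noisy photograph the ratio is near 0.5 either way, which is exactly why attackers prefer such covers.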
Extracting Shellcode from VBA to PowerShell
This post will revolve around using my tools to extract the VBA code, then clean a base64 string that is exploded into multiple lines, then decode it to a PowerShell script, then extract the shellcode from the script and get …
Posted in Malware, PowerShell, VBScript
Tagged Decoding, Malware Analysis, PowerShell, VBA
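The pipeline this post describes (reassemble a base64 string exploded over several VBA lines, decode it to PowerShell, pull the shellcode bytes out of the script), as an added Python example that is not the author's tooling. The VBA snippet, the PowerShell stage and the byte values are constructed inside the block, and the function names are this example's own; it also handles the `& _` line-continuation form and the UTF-16LE encoding that `-EncodedCommand` payloads use, which the excerpt does not spell out.

```python
"""Carve shellcode out of VBA -> base64 -> PowerShell (added example)."""
import base64
import re

# Constructed stand-in for the decoded stage: a byte array declared the way
# many loaders do before handing it to VirtualAlloc/CreateThread. The bytes
# are dummies, not real shellcode.
SAMPLE_SHELLCODE = bytes([0x90, 0x90, 0xFC, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xCC])
SAMPLE_PS = (
    "$sc = [Byte[]] (" + ",".join(f"0x{b:02x}" for b in SAMPLE_SHELLCODE) + ")\n"
    "$mem = [Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40)\n"
)


def build_sample_vba(ps_script: str, chunk: int = 24) -> str:
    """Constructed VBA that rebuilds a UTF-16LE base64 command one chunk per line."""
    b64 = base64.b64encode(ps_script.encode("utf-16-le")).decode()
    parts = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    lines = ["Dim cmd As String", f'cmd = "{parts[0]}"']
    lines += [f'cmd = cmd & "{p}"' for p in parts[1:]]
    lines.append('Shell "powershell -nop -w hidden -enc " & cmd')
    return "\n".join(lines)


SAMPLE_VBA = build_sample_vba(SAMPLE_PS)

# A quoted literal made only of base64 characters; anything with spaces or
# other punctuation (the Shell command line above) is left alone.
LITERAL = re.compile(r'"([A-Za-z0-9+/=]+)"')
BYTE_ARRAY = re.compile(
    r"\[Byte\[\]\]\s*@?\(?\s*((?:0x[0-9A-Fa-f]{1,2}\s*,?\s*)+)", re.IGNORECASE)


def reassemble_base64(vba: str) -> str:
    """Concatenate every base64-looking literal in source order and fix padding.

    Works for `s = s & "..."` and for `"..." & _` line continuations alike."""
    joined = "".join(LITERAL.findall(vba))
    return joined + "=" * (-len(joined) % 4)


def decode_powershell(b64: str) -> str:
    """Decode the blob; -EncodedCommand payloads are UTF-16LE, so ASCII text
    shows up with a NUL in every other byte."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_shellcode(ps_script: str) -> bytes:
    """Pull the first [Byte[]] literal out of the script as raw bytes."""
    match = BYTE_ARRAY.search(ps_script)
    if not match:
        raise ValueError("no [Byte[]] literal found in script")
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{1,2})", match.group(1)))


def carve_shellcode(vba: str) -> bytes:
    """The whole pipeline: VBA text in, shellcode bytes out."""
    return extract_shellcode(decode_powershell(reassemble_base64(vba)))


if __name__ == "__main__":
    print(SAMPLE_VBA)
    print(decode_powershell(reassemble_base64(SAMPLE_VBA)))
    print(carve_shellcode(SAMPLE_VBA).hex())
```

Once the bytes are carved, the usual next step is to write them to a file and hand them to a shellcode emulator or disassembler; the `0xfc,0xe8` prefix in the dummy stage mirrors the opening of common Metasploit stubs only so the regex has something realistic to match.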