Author Archives: pcsxcetrasupport3

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.

Pealing back the layers of a batch script ransomware

Our sample today comes from Ahmet Payaslioglu AT_Computeus7 in This twitter thread. I was tagged along with a few other people that may be interested in the sample. The main file was run on AnyRun Here. This is where I … Continue reading

Posted in Uncategorized | Tagged , , | 2 Comments

What’s the difference and why should I care ?

On occasion I go hunting in various sandboxes by scrolling down the list of submissions to look for something interesting to look at. I don’t normally see that many PowerPoint samples  So I took an interest in this one that … Continue reading

Posted in Uncategorized | Leave a comment

Peeling away the layers of obfuscation from Excel VBA to dll

When I first seen this Tweet here by FileScan.IO @filescan_itsec I thought this would be a easy target for deobfuscation. I was wrong. The layers just kept peeling away. Looking at the Twitter link you can get a pretty good … Continue reading

Posted in Uncategorized | Tagged , , , | 1 Comment

Excel 4 macro code obfuscation

This sample comes from a Twitter thread located Here by Frost @fr0s7_ and appears to be  “BazarLoader” Since this is a Xlsb file I usually just open it up in my Office 2010 Pro sandbox and then convert to Xlsm … Continue reading

Posted in Uncategorized | Tagged , , | 1 Comment

A deeper look at Office documents flat style

Over the last few years I have seen some samples that use the xml style of Word Documents with base64 encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam Here where he was not able … Continue reading

Posted in Malware, security, VBScript | Tagged , , | 1 Comment

More on Yara And Building Rules

I’ve been learning how to build and modify yara rules lately but my biggest pain was getting the formattting correct. In a recent Twitter thread Here James @James_inthe_box  posted where asyncrat was using pastebin  to host their encoded rat. My … Continue reading

Posted in Malware, Programming, VBScript | Tagged , , , | 2 Comments

SunCrypt, PowerShell obfuscation, shellcode and more yara

This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog post, one by … Continue reading

Posted in Malware, PowerShell | Tagged , , , , | 1 Comment

Ursa Loader and the many rabbit holes

On August 4th 2020 JAMESWT @JAMESWT_MHT posted on Twitter here about malware spam hitting Italy using ursa loader. I mainly look at the obfuscation and this vbscipt looked rather interesting. Little did I know what I was in for. So … Continue reading

Posted in Malware, security | Tagged , , , | 3 Comments

PowerShell Steganography

Any programming language that can have access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes. The less of a degree you modify the pixel data … Continue reading

Posted in Malware, PowerShell, Programming | Tagged , , , | 1 Comment

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , , | 1 Comment