Author Archives: pcsxcetrasupport3
A deeper look into a wild VBA Macro
This Sample comes from Brad Duncan @malware_traffic from his SANS ICS Diary located Here and the Files on His blog Here. For this session I will be using “2019-01-23-example-of-attached-Word-doc-1-of-7” word document. I ended up looking at this from different directions … Continue reading
A Look under the hood of a batch encrypted file
The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading
Understanding Invoke- “X” Special Character Encoding
I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading
What is in this file ?
The other day I was pinged about a very large .jason file that appeared to contain a large Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading
A look at a Word document macro using Invoke-DOSfuscation
The sample from this one comes from Packet Wire @packet_Wire. Twitter thread here After getting the location of the Word document and downloading it. The file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of. Sha1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AFSha256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911MD5: 35756ECC87405E42F62DEEEEF18FD43A Let’s dive into … Continue reading
A closer look at “NetSupport”(Rat) top 2 layers
This post is based on the blog post by FireEye located Here. I was given a private .saz to look at by someone else that gave me the entire infection chain. In this post I will only be doing 2 … Continue reading
PowerShell encoding used for Emotet Downloader
I first ran across the SecureString usage in this twitter thread where @Anyrun_app is talking about a version of “Fake Net” to get all of the C2’s here https://twitter.com/anyrun_app/status/966227622899351552 There are a few methods listed in this thread by different … Continue reading
Hidden .Net Resources “Are Your Tools Finding Them” ?
This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to … Continue reading
Peeling away the layers of a word document macro
The sample used in this one was first brought to my attention from the blog post by @HerbieZimmerman and the blog post is here. https://www.herbiez.com/?p=1028 and the link to the doc file is here https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100 This one peaked my interest … Continue reading
De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation
Here I will be trying to deep dive on how the obfuscation works and what is required to de-obfuscate it. This sample comes from @James_inthe_box posted here https://twitter.com/James_inthe_box/status/928644055054946305 on November 9th 2017. Here is the link to the “pastebin” of … Continue reading
