Tag Archives: Malware Analysis

Peeling away the layers of obfuscation from Excel VBA to dll

When I first saw this Tweet here by FileScan.IO @filescan_itsec I thought this would be an easy target for deobfuscation. I was wrong. The layers just kept peeling away. Looking at the Twitter link you can get a pretty good …

Posted in Uncategorized

Excel 4 macro code obfuscation

This sample comes from a Twitter thread located here by Frost @fr0s7_ and appears to be “BazarLoader”. Since this is an Xlsb file I usually just open it up in my Office 2010 Pro sandbox and then convert to Xlsm …

Posted in Uncategorized

A deeper look at Office documents flat style

Over the last few years I have seen some samples that use the XML style of Word documents with base64-encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam here, where he was not able …

Posted in Malware, security, VBScript

More on Yara And Building Rules

I’ve been learning how to build and modify yara rules lately, but my biggest pain was getting the formatting correct. In a recent Twitter thread here, James @James_inthe_box posted where asyncrat was using pastebin to host their encoded RAT. My …

Posted in Malware, Programming, VBScript

SunCrypt, PowerShell obfuscation, shellcode and more yara

This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog posts, one by …

Posted in Malware, PowerShell

Ursa Loader and the many rabbit holes

On August 4th 2020 JAMESWT @JAMESWT_MHT posted on Twitter here about malware spam hitting Italy using ursa loader. I mainly look at the obfuscation, and this vbscript looked rather interesting. Little did I know what I was in for. So …

Posted in Malware, security

PowerShell Steganography

Any programming language that has access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes. The less you modify the pixel data …

Posted in Malware, PowerShell, Programming

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the VBA code, then clean a base64 string that is exploded into multiple lines, then decode it to a PowerShell script, then extract the shellcode from the script and get …

Posted in Malware, PowerShell, VBScript

More adventures with shell code and the Shikata Ga Nai Encoder

The other day I was given a sample vbscript file by Paul Melson @pmelson so I could take a look at the odd shell code in it. Here is the original script. This starts out as a normal script running …

Posted in Malware, PowerShell, Programming, security

A quick look at the current emotet encoding

I have gone through several samples today of this type of encoding, but today's sample will be from ExecuteMalware @executemalware located here, and the Twitter reference is here. Here we can see that only 3 of the URLs are displayed. …

Posted in Malware, Programming, security