Tag Archives: Obfuscation

Pealing back the layers of a batch script ransomware

Our sample today comes from Ahmet Payaslioglu AT_Computeus7 in This twitter thread. I was tagged along with a few other people that may be interested in the sample. The main file was run on AnyRun Here. This is where I … Continue reading

Posted in Uncategorized | Tagged , , | 2 Comments

Excel 4 macro code obfuscation

This sample comes from a Twitter thread located Here by Frost @fr0s7_ and appears to be  “BazarLoader” Since this is a Xlsb file I usually just open it up in my Office 2010 Pro sandbox and then convert to Xlsm … Continue reading

Posted in Uncategorized | Tagged , , | 1 Comment

A deeper look at Office documents flat style

Over the last few years I have seen some samples that use the xml style of Word Documents with base64 encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam Here where he was not able … Continue reading

Posted in Malware, security, VBScript | Tagged , , | 1 Comment

SunCrypt, PowerShell obfuscation, shellcode and more yara

This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog post, one by … Continue reading

Posted in Malware, PowerShell | Tagged , , , , | 1 Comment

Ursa Loader and the many rabbit holes

On August 4th 2020 JAMESWT @JAMESWT_MHT posted on Twitter here about malware spam hitting Italy using ursa loader. I mainly look at the obfuscation and this vbscipt looked rather interesting. Little did I know what I was in for. So … Continue reading

Posted in Malware, security | Tagged , , , | 3 Comments

PowerShell Steganography

Any programming language that can have access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes. The less of a degree you modify the pixel data … Continue reading

Posted in Malware, PowerShell, Programming | Tagged , , , | 1 Comment