Tag Archives: PowerShell

Peeling away the layers of obfuscation from Excel VBA to dll

When I first saw this Tweet here by FileScan.IO @filescan_itsec I thought this would be an easy target for deobfuscation. I was wrong. The layers just kept peeling away. Looking at the Twitter link you can get a pretty good …

Posted in Uncategorized

SunCrypt, PowerShell obfuscation, shellcode and more yara

This didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware. Looking up the name I ran across a couple of interesting blog posts, one by …

Posted in Malware, PowerShell

PowerShell Steganography

Any programming language that has access to the pixels of a picture file can do a form of byte and pixel modification to hide data within the pixel bytes. The less of a degree you modify the pixel data …

Posted in Malware, PowerShell, Programming

Extracting Shellcode from VBA to PowerShell

This post will revolve around using my tools to extract the VBA code, then clean a base64 string that is exploded into multiple lines, then decode it to a PowerShell script, then extract the shellcode from the script and get …

Posted in Malware, PowerShell, VBScript

Those Pesky PowerShell Shellcodes And How To Understand Them

Shellcode comes in various forms for different operating systems. Some can just be dropped into a hex editor to get the needed understanding of what it is doing, some may require looking at the assembly code generated by a …

Posted in Malware, Networking, PowerShell

A look at a Word document macro using Invoke-DOSfuscation

The sample from this one comes from Packet Wire @packet_Wire. Twitter thread here. After getting the location of the Word document and downloading it, the file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of:

SHA1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AF
SHA256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911
MD5: 35756ECC87405E42F62DEEEEF18FD43A

Let’s dive into …

Posted in Malware, PowerShell, VBScript

PowerShell encoding used for Emotet Downloader

I first ran across the SecureString usage in this Twitter thread where @Anyrun_app is talking about a version of “Fake Net” to get all of the C2s here https://twitter.com/anyrun_app/status/966227622899351552 There are a few methods listed in this thread by different …

Posted in Malware, PowerShell, Programming

Peeling away the layers of a word document macro

The sample used in this one was first brought to my attention by the blog post by @HerbieZimmerman, which is here: https://www.herbiez.com/?p=1028 and the link to the doc file is here: https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100 This one piqued my interest …

Posted in Malware, PowerShell, security, VBScript