Adversaries love to use pre-made tools for remote access, and one perennial favorite is the legitimate NetSupport Manager. This post is a short and sweet look at a malicious installer that distribut...
BATLoader, Ursnif, and Redline, oh my!
Earlier today, @MalwareHunterTeam posted on Twitter about a malicious MSI file masquerading as a Rufus installer. Searching for "rufus" in Google right now gives 2 ads that are obviously...
.NET Downloader Leading to OriginLogger
Earlier in January, Unit42 and Brad (@malware_traffic) posted tweets with some details on an instance of OriginLogger floating around in the wild. #pcap of the infection traffic, sanitized copy of...
Malware Weight Loss the Fast Way with Foremost
After writing the last post on bringing malware down to a manageable size for analysis, I got some good feedback on different ways to achieve the same results outside of using pecheck. In this post...
Bad Guys Hate This Trick for Malware Weight Loss!
Lately I’ve had to work with multiple malware samples that are extremely heavyweight in size. Usually about 300 MB and above, depending on the sample. This large sample size can significantly hinde...
Analyzing .NET Core Single File Samples (DUCKTAIL Case Study)
This post is dedicated to my colleague Matt Graeber (@mattifestation) who showed me how to do the manual calculations and carving of PEs using CFF Explorer and a hex editor, making me think “there ...
Analyzing a Pirrit adware installer
While Windows holds the largest market share of malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file ...
Shortcut to Emotet, an odd TTP change
The adversary behind Emotet made a really interesting TTP change around 4/22 to use Windows shortcut files, and it definitely got noticed by multiple researchers. #Emotet New TTPs 🚨[+] LNK with em...
Snip3 Crypter used with DCRat via VBScript
Adversaries love using free or cheap RATs or stealers, and I see a lot of RATs such as AsyncRAT during my daily malware analysis tasks. In this detection I want to examine a fairly recent sample fr...
An AgentTesla Sample Using VBA Macros and Certutil
AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into an XLSM document that downloads and executes furthe...