Tony Lambert

BATLoader, Ursnif, and Redline, oh my!

Earlier today, @MalwareHunterTeam posted on Twitter about a malicious MSI file masquerading as a Rufus installer. Searching for "rufus" in Google right now gives 2 ads that are obviously...

.NET Downloader Leading to OriginLogger

Earlier in January, Unit42 and Brad (@malware_traffic) posted tweets with some details on an instance of OriginLogger floating around in the wild. #pcap of the infection traffic, sanitized copy of...

Malware Weight Loss the Fast Way with Foremost

After writing the last post on bringing malware down to a manageable size for analysis, I got some good feedback on different ways to achieve the same results outside of using pecheck. In this post...

Bad Guys Hate This Trick for Malware Weight Loss!

Lately I’ve had to work with multiple malware samples that are extremely heavyweight in size. Usually about 300 MB and above, depending on the sample. This large sample size can significantly hinde...

Analyzing .NET Core Single File Samples (DUCKTAIL Case Study)

This post is dedicated to my colleague Matt Graeber (@mattifestation) who showed me how to do the manual calculations and carving of PEs using CFF Explorer and a hex editor, making me think “there ...

Analyzing a Pirrit adware installer

While Windows holds the largest market share on malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file ...

Shortcut to Emotet, an odd TTP change

The adversary behind Emotet made a really interesting TTP change around 4/22 to use Windows shortcut files, and it definitely got noticed by multiple researchers. #Emotet New TTPs 🚨[+] LNK with em...

Snip3 Crypter used with DCRat via VBScript

Adversaries love using free or cheap RATs or stealers, and I see a lot of RATs such as AsyncRAT during my daily malware analysis tasks. In this detection I want to examine a fairly recent sample fr...

An AgentTesla Sample Using VBA Macros and Certutil

AgentTesla is a .NET stealer that adversaries commonly buy and combine with other malicious products for deployment. In this post I’m tearing into a XLSM document that downloads and executes furthe...

Formbook Distributed Via VBScript, PowerShell, and C# Code

Formbook is one of the threats that I categorize as part of the “background noise of exploitation” on the internet. While targeted attacks occur in scoped areas, anyone can go buy access for Formbo...