Archives

2022

• 13 05 Analyzing a Pirrit adware installer
• 24 04 Shortcut to Emotet, an odd TTP change
• 16 04 Snip3 Crypter used with DCRat via VBScript
• 26 03 An AgentTesla Sample Using VBA Macros and Certutil
• 25 03 Formbook Distributed Via VBScript, PowerShell, and C# Code
• 04 03 Aggah PPAM macros renaming MSHTA
• 12 02 Analyzing a Stealer MSI using msitools
• 11 02 XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
• 06 02 AgentTesla From RTF Exploitation to .NET Tradecraft
• 03 02 njRAT Installed from a MSI
• 02 02 STRRAT Attached to a MSI File
• 27 01 GuLoader Executing Shellcode Using Callback Functions
• 23 01 HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
• 22 01 BazarISO Analysis - Loading with Advpack.dll
• 18 01 Extracting Payloads from Excel-DNA XLL Add-Ins
• 17 01 Emotet's Excel 4.0 Macros Dropping DLLs
• 16 01 Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
• 09 01 Inspecting a PowerShell Cobalt Strike Beacon
• 07 01 Looking at PowerPoint Macros with Olevba
• 06 01 Decoding an Encoded Webshell Using NodeJS
• 05 01 Adventures in YARA Hashing and Entropy
• 04 01 Extracting Indicators from a Packed Mirai Sample
• 03 01 A Tale of Two Dropper Scripts for Agent Tesla
• 02 01 Analyzing a Magnitude EK Appx Package Dropping Magniber
• 01 01 Analyzing an IcedID Loader Document

2021

• 12 12 Analyzing a Log4Shell log4j Exploit from Muhstik
• 05 09 Smarter, Not Harder: Getting Malware to Help You Analyze It
• 02 09 Getting PE Rich Header Hashes with pefile in Python
• 10 07 Extracting Malicious Payloads from SFX Self-Extracting Installers
• 08 02 Analyzing an Empire macOS PKG Stager
• 01 02 How Qbot Uses Esentutl

2020

• 06 02 Linux EDR Evasion With Meterpreter and LD_PRELOAD
• 13 01 Exploiting Yum and DNF Plugins for Persistence
• 09 01 When Local Password Resets Aren't Local

2019

• 29 08 Whitelisting LD_PRELOAD for Fun and No Profit
• 28 08 Adding Process Hiding to Merlin
• 18 01 Making Meterpreter Look Google Signed

2018

• 26 08 My SANS DFIR NetWars Experience