Tony Lambert

Aggah PPAM macros renaming MSHTA

In this quick post I’m taking a look at a PowerPoint file with macros on board! According to MalwareBazaar’s tags, it was reported in association with the group “Aggah”. If you want to follow along...

Analyzing a Stealer MSI using msitools

This post is dedicated to Josh Rickard (@MSAdministrator on Twitter) since his feedback on my blog posts has cut my triage time on MSI files down in a massive way! After writing an analysis of a MS...

XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets

Just like with RTF documents, adversaries can use XLSX spreadsheets to exploit the Microsoft Office Equation Editor. To add a little bit of complication on top, adversaries also sometimes like to e...

AgentTesla From RTF Exploitation to .NET Tradecraft

When adversaries buy and deploy threats like AgentTesla you often see this functional and entertaining chain of older exploitation activity with some .NET framework tradecraft you’d expect from som...

njRAT Installed from a MSI

In my last post I walked through the analysis of an unusual MSI file to which an adversary had tacked a STRRAT Java ARchive file at the end of the MSI contents. In this post, I want to walk through a m...

STRRAT Attached to a MSI File

Adversaries can get really creative with ways to hide and execute payloads. In this post I’ll cover one instance where an adversary appended STRRAT to a MSI file to make it look legitimate during a...

GuLoader Executing Shellcode Using Callback Functions

I personally despise trying to analyze shellcode, but shellcode is becoming more common in malware of all types. From Metasploit and Cobalt Strike to GuLoader, loads of malicious tools include shel...

HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET

One of my colleagues made a statement recently about how commonplace process injection has become among malware, to the point where it seems adversaries don’t have to think about the injection tech...

BazarISO Analysis - Loading with Advpack.dll

Malware comes in all shapes and sizes, and in the case of BazarISO it comes in the form of an ISO file that contains a malicious shortcut and an executable. In this post I’ll tear apart the ISO to ...

Extracting Payloads from Excel-DNA XLL Add-Ins

A few different malware families have included Excel XLL add-in files as distribution mechanisms lately. These include IcedID and some commodity threats that HP’s security team documented as using ...