Home
Tony Lambert
Cancel

Decoding an Encoded Webshell Using NodeJS

In this post I want to walk through a process of using the NodeJS REPL (Read, Eval, Print Loop) to safely decode portions of malware during analysis. If you want to follow along at home, the sample...

Adventures in YARA Hashing and Entropy

In this post I’m going to take a look at a couple of simple YARA rules that excited me during my daily analysis tasks. These rules were inspired by the #100DaysOfYARA hashtag, and if you’re not fol...

Extracting Indicators from a Packed Mirai Sample

Packing is really commonly used by adversary to stump analysis, so in this post I’m going to look at a sample that is really easy to unpack and get indicators from. In this case the sample is Mirai...

A Tale of Two Dropper Scripts for Agent Tesla

In this post I want to look at two script files that drop Agent Tesla stealers on affected systems and show how adversary decisions affect malware analysis and detection. If you want to follow alon...

Analyzing a Magnitude EK Appx Package Dropping Magniber

In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber. This adventure comes courtesy of a tweet from @JAMESWT_MHT: Some #Magniber sampleshttps://t...

Analyzing an IcedID Loader Document

In this post I’m going to walk through an analysis of a malicious document that distributes and executes an IcedID DLL payload. The original document can be found on MalwareBazaar here: https://ba...

Analyzing a Log4Shell log4j Exploit from Muhstik

In this post I set out to analyze a simple chunk of Log4Shell log4j exploit code to see how it works. Finding the Exploit I wasn’t running a honeypot or anything, I just figured I could rustle ar...

Smarter, Not Harder: Getting Malware to Help You Analyze It

When analyzing even non-advanced malware nowadays it’s common to find pretty heavy levels of obfuscation within samples. PowerShell and .NET malware for Windows can be obfuscated easily using vario...

Getting PE Rich Header Hashes with pefile in Python

If you’ve performed Windows malware analysis using Python tools, you’ve almost certainly worked with the Python pefile library. This library allows analysts to parse, manipulate, and dump informati...

Extracting Malicious Payloads from SFX Self-Extracting Installers

Self-extracting installers are an awesome way to distribute software because they require very little overhead and minimal configuration. Because of this, some malware threats use these SFX files t...