Tony Lambert

Extracting Payloads from Excel-DNA XLL Add-Ins

A few different malware families have included Excel XLL add-in files as distribution mechanisms lately. These include IcedID and some commodity threats that HP’s security team documented as using ...

Emotet's Excel 4.0 Macros Dropping DLLs

It’s been a little while since I checked in on Emotet to see how its first stage loaders are doing. Lately the first stage has been using Excel 4.0 macros to drop payloads, so in this post I’ll wal...

Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike

There are loads of different ways adversaries can distribute Cobalt Strike beacons and other malware. One of the common methods includes using HTML Application (HTA) files. In this post I’m going t...

Inspecting a PowerShell Cobalt Strike Beacon

In this post I want to take a look at a PowerShell-based Cobalt Strike beacon that appeared on MalwareBazaar. This particular beacon is representative of most PowerShell Cobalt Strike activity I se...

Looking at PowerPoint Macros with Olevba

In this post I want to walk through analysis of a malicious PowerPoint file using olevba. This tool allows you to view macros within Office documents without opening them. If you want to follow alo...

Decoding an Encoded Webshell Using NodeJS

In this post I want to walk through a process of using the NodeJS REPL (Read, Eval, Print Loop) to safely decode portions of malware during analysis. If you want to follow along at home, the sample...

Adventures in YARA Hashing and Entropy

In this post I’m going to take a look at a couple of simple YARA rules that excited me during my daily analysis tasks. These rules were inspired by the #100DaysOfYARA hashtag, and if you’re not fol...

Extracting Indicators from a Packed Mirai Sample

Packing is very commonly used by adversaries to hinder analysis, so in this post I’m going to look at a sample that is really easy to unpack and get indicators from. In this case the sample is Mirai...

A Tale of Two Dropper Scripts for Agent Tesla

In this post I want to look at two script files that drop Agent Tesla stealers on affected systems and show how adversary decisions affect malware analysis and detection. If you want to follow alon...

Analyzing a Magnitude EK Appx Package Dropping Magniber

In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber. This adventure comes courtesy of a tweet from @JAMESWT_MHT: Some #Magniber samples https://t...