In this post I want to take a look at a PowerShell-based Cobalt Strike beacon that appeared on MalwareBazaar. This particular beacon is representative of most PowerShell Cobalt Strike activity I se...

In this post I want to walk through analysis of a malicious PowerPoint file using olevba. This tool allows you to view macros within Office documents without opening them. If you want to follow alo...

In this post I want to walk through a process of using the NodeJS REPL (Read, Eval, Print Loop) to safely decode portions of malware during analysis. If you want to follow along at home, the sample...

In this post I’m going to take a look at a couple of simple YARA rules that excited me during my daily analysis tasks. These rules were inspired by the #100DaysOfYARA hashtag, and if you’re not fol...

Packing is really commonly used by adversary to stump analysis, so in this post I’m going to look at a sample that is really easy to unpack and get indicators from. In this case the sample is Mirai...

In this post I want to look at two script files that drop Agent Tesla stealers on affected systems and show how adversary decisions affect malware analysis and detection. If you want to follow alon...

In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber. This adventure comes courtesy of a tweet from @JAMESWT_MHT: Some #Magniber sampleshttps://t...

In this post I’m going to walk through an analysis of a malicious document that distributes and executes an IcedID DLL payload. The original document can be found on MalwareBazaar here: https://ba...

In this post I set out to analyze a simple chunk of Log4Shell log4j exploit code to see how it works. Finding the Exploit I wasn’t running a honeypot or anything, I just figured I could rustle ar...

When analyzing even non-advanced malware nowadays it’s common to find pretty heavy levels of obfuscation within samples. PowerShell and .NET malware for Windows can be obfuscated easily using vario...