Lost in Security (and mostly everything else)

2019-02-12 Deobfuscating an Emotet maldoc

Herbie Zimmerman February 14, 2019 February 14, 2019Code 0

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: https://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: https://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: https://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis:…

2019-01-18 Emotet Malspam

Herbie Zimmerman January 18, 2019 January 18, 2019Packet Analysis 0

Just a quick post about some emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here. IOC: ===== http://kcespolska.pl//Details/2019-01 69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ 134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU hxxp://innio.biz/rg1n590 hxxp://kiot.coop/yzc2cJzANO hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc 200.43.114.10:8080 TCP Artifacts: =========== File name: 190118-Untitled-1653.doc File…

2019-01-03 Adwind RAT/Houdini Malspam

Herbie Zimmerman January 4, 2019 January 7, 2019Code, Packet Analysis 0

**2019-01-07** After talking with some researches about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked; the VB script executed that sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The…

2018-11-05 DarkComet Malspam

Herbie Zimmerman November 6, 2018 November 6, 2018Packet Analysis 0

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: https://www.contextis.com/en/blog/malware-analysis-dark-comet-rat All artifacts can be found over at…

2018-10-31 Nanocore Malspam

Herbie Zimmerman November 1, 2018 November 1, 2018Packet Analysis 0

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the…

2018-10-24 Agent Telsa Malspam

Herbie Zimmerman October 24, 2018 October 24, 2018Packet Analysis 0

This is a quick write-up of some Agent Telsa malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links: https://krebsonsecurity.com/2018/10/who-is-agent-tesla/ https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html For the artifacts found from this investigation, please see my…

2018-10-12 Using Visual Studio to debug VBScript

Herbie Zimmerman October 12, 2018 October 12, 2018Code 0

There was a phishing email that came in the other day that looked interesting. When I went to the URL found in the PDF, it linked to an ARJ archive file. Once i downloaded this file and extracted it, I saw that there was a VBScript file. Opening this file…

2018-09-18 Emotet maldocs labeled as “Invoices”

Herbie Zimmerman September 22, 2018 September 22, 2018Code, Packet Analysis 0

Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…

2018-07-07 Remcos Malspam

Herbie Zimmerman July 7, 2018 July 7, 2018Packet Analysis 0

A quick write-up on this Remcos malspam. Some other previous entries that I have done aboutr Remcos can be found below: https://www.herbiez.com/?p=1106 https://www.herbiez.com/?p=1073 All the emails seem to come from the sender info@yusheng-wiremesh.com with the subject of “Returned Funds fort Invoice DFER4567 July Despatch.” The malspam also comes with an…

2018-06-20 Formbook Malspam

Herbie Zimmerman June 21, 2018 June 21, 2018Packet Analysis 0

For this post, I was able to find some Formbook malspam within the email filters. Formbook malware is considered to be a data theft/form grabber with some other add-ons under it’s tool belt. Based on the following deep dives into Formbook from FireEye (https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html) and ThisIsSecurity (https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/), this malware sample…