Summary ========= Decided that I would take a crack at trying to deobfuscate the VBScript that was in a sample of Remcos malspam since I haven’t been doing it for a long while. The VBScript can be found over at Any.Run inside a zip file (malspam attachment). I’ll do a…
Summary ======== Looking at the mail filters yesterday to see if there was anything interesting while having “some” downtime during the late part of my shift, I was able to come across a sample of some Emotet malspam leveraging the usual hacked/injected email thread. The sample was an encrypted zip…
Summary ======== As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time since I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I…
Note: It took me a little longer to get this post written and my VM had crashed on me, so the logs seen from Chrome or Edge may reflect more data than I had initially. This is going to be slightly off topic from what I usually post about (malware)…
Yeah, this picture sums it up very nicely for me… It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… This post will cover the downloader script from a Remcos maldoc that I was playing…
It has been a long while since I have done any blogging. Since it has been a hot minute since I have done a post I thought that I would take this opportunity to learn something new and expand my tool-belt. So this first step back into the blogging world…
Summary ======== This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several attempts at trying to get a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For…
Summary ======== Looking through some of the email filters today looking for anything interesting, I ran into some emails that all had the same characteristics. All the emails were Fedex themed and had an attachment named “IMG-10227821963777100026367819.zip.” Once the file had been unzipped, it was actually a JAR file (IMG-10227821963777100026367819.jar).…
Summary ========= In this post I am going to cover how I managed to to deobfuscate the macro for this Emotet (Epoch 2) sample. The maldoc can be found here. Analysis ========== With this, I started off with the tried and true OleTools suite to see if I could get…
Summary ========= This is just a quick writeup of how I managed to get the macro script decoded out of what appears to be an IcedID malspam campaign based on what I am seeing from URLHaus and this tweet from @p5yb34m. The link to the artifacts for this can be…