This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this…
Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came…
I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please…
Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it. This particular malware sits quietly in the background and looks for crypto currency addresses being copied and pasted between applications/pages. The interesting part of this is that…
So yesterday while going through the mail filters, I cam across this email: Looks to be pretty standard stuff to be honest. So the first thing that I did was run this through decalage2’s Vipermonkey to see if I could get at the macro script. Unfortunately Vipermonkey died and was…
This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: https://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: https://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: https://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis:…
Just a quick post about some emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here. IOC: ===== http://kcespolska.pl//Details/2019-01 69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ 134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU hxxp://innio.biz/rg1n590 hxxp://kiot.coop/yzc2cJzANO hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc 200.43.114.10:8080 TCP Artifacts: =========== File name: 190118-Untitled-1653.doc File…
**2019-01-07** After talking with some researches about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked; the VB script executed that sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The…
Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: https://www.contextis.com/en/blog/malware-analysis-dark-comet-rat All artifacts can be found over at…
While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the…