2024-01-14 Remcos RAT Infection

Summary
=========
The last time I “published” anything was about 1.8 years or so ago. So in the spirit of New Year's resolutions to myself, it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. A link to the artifacts from this investigation can be found over at my Github here, which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos…


2022-05-13 Quick Remcos Deobfuscation

Summary
=========
Decided that I would take a crack at trying to deobfuscate the VBScript that was in a sample of Remcos malspam, since I haven’t been doing it for a long while. The VBScript can be found over at Any.Run inside a zip file (malspam attachment). I’ll do a post going over the analysis in the coming days since it seems pretty straightforward. The link to the scripts can be found at my Github.

NOTE: Wherever there is a “&” it is meant to be just the & symbol.

Analysis
=========
The script is a LONG one and…


2022-04-22 Emotet Malspam Using Excel 4 Macro

Summary
========
Looking at the mail filters yesterday to see if there was anything interesting while having “some” downtime during the late part of my shift, I came across a sample of some Emotet malspam leveraging the usual hacked/injected email thread. The sample was an encrypted zip file containing an Excel spreadsheet that used an Excel 4 macro once macros were enabled. All the files and artifacts from this can be found over at my Github repo located here.

Analysis
========
Host
———-
This infection chain is very much like the one that I detailed in…


2022-03-14 Emotet Malspam

Summary
========
As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time while I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I did come across an email that had an encrypted zip attachment containing an Excel spreadsheet that leveraged a macro. For this post, I am not digging into the macro; this will be a simple analysis post. As usual, all the artifacts from this investigation can be found…


2022-02-26 Quick Post – Push Notifications And Files Written To Disk

Note: It took me a little longer to get this post written and my VM had crashed on me, so the logs seen from Chrome or Edge may reflect more data than I had initially. This is going to be slightly off topic from what I usually post about (malware) and is not deep in the weeds for someone who wants to do forensics. The lens that I am viewing this from is that of a defender/SOC analyst. For a more in-depth look into this topic from a forensics perspective, please see these awesome resources below: Jai Minton’s Digital Forensics and…


2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

Yeah, this picture sums it up very nicely for me… It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… This post will cover the downloader script from a Remcos maldoc that I was playing with at the beginning of the month. The email itself was your standard fare: a Wells Fargo phishing email with an encrypted Excel XLSB attachment. The Excel XLSB can be found over at Any.Run or over at my Github here. A special shoutout to @Ledtech3 for…


2022-01-09 First Round with Brim Using December’s Malware Traffic Exercise

It has been a long while since I have done any blogging. Since it has been a hot minute since my last post, I thought that I would take this opportunity to learn something new and expand my tool belt. So this first step back into the blogging world is going to be about a tool called Brim, using the latest malware exercise from Brad found over at his site here and the SANS site here. So let’s start with what Brim is: a tool that helps visualize PCAP data in a different way with WAY faster indexing…


2020-12-08 Hancitor Malspam

Summary
========
This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several failed attempts at getting a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For a list of the other links that I saw, please see this Pastebin. The others did what they have always done in the past: redirected me to a Docusign site. For the artifacts and such, please see my Github repo for this here.

Analysis
========
Once the maldoc was obtained,…


2020-11-03 Node.JS QRAT

Summary
========
Looking through some of the email filters today for anything interesting, I ran into some emails that all had the same characteristics. All the emails were Fedex themed and had an attachment named “IMG-10227821963777100026367819.zip.” Once the file had been unzipped, it was actually a JAR file (IMG-10227821963777100026367819.jar). Also, since I had not seen any kind of malware like this before, I came across some interesting posts about it that you can review: Trustwave did a great write-up about this, along with TrendMicro. For the PCAPs, ProcMon, and strings2 artifacts from this, please see the Github repo…


2020-09-22 Deobfuscating Emotet Script

Summary
=========
In this post I am going to cover how I managed to deobfuscate the macro for this Emotet (Epoch 2) sample. The maldoc can be found here.

Analysis
==========
With this, I started off with the tried and true OleTools suite to see if I could get anything from this sample. Unfortunately I got a lot of Python errors when trying to run this. I then tried to run it through OfficeMalscanner and got nothing back as well. Looking at the Word doc via “file” I could see that there was a macro in the file and…
