Lost in Security (and mostly everything else)

Category: Code

2022-05-13 Quick Remcos Deobfuscation

Herbie Zimmerman | May 17, 2022 | Category: Code | Tags: Deobfuscation, Remcos RAT | 0 comments

Summary: Decided that I would take a crack at trying to deobfuscate the VBScript that was in a sample of Remcos malspam since I haven’t been doing it for a long while. The VBScript can be found over at Any.Run inside a zip file (malspam attachment). I’ll do a…

2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

Herbie Zimmerman | February 15, 2022 / February 14, 2022 | Category: Code | Tags: De-obfuscation, Deobfuscating Code, Remcos | 0 comments

Yeah, this picture sums it up very nicely for me… It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… This post will cover the downloader script from a Remcos maldoc that I was playing…

2020-09-22 Deobfuscating Emotet Script

Herbie Zimmerman | September 22, 2020 | Category: Code | Tags: Deobfuscating Code, Emotet | 1 comment

Summary: In this post I am going to cover how I managed to deobfuscate the macro for this Emotet (Epoch 2) sample. The maldoc can be found here. Analysis: With this, I started off with the tried and true OleTools suite to see if I could get…

2020-07-31 Deobfuscating IcedID Macro Script

Herbie Zimmerman | August 2, 2020 | Category: Code | Tags: Deobfusc, IcedID | 0 comments

Summary: This is just a quick writeup of how I managed to get the macro script decoded out of what appears to be an IcedID malspam campaign based on what I am seeing from URLHaus and this tweet from @p5yb34m. The link to the artifacts for this can be…

2020-07-17 ZLoader Malspam (Excel 4 Macros)

Herbie Zimmerman | July 21, 2020 | Categories: Code, Packet Analysis | Tags: ZLoader | 1 comment

Summary: This is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was…

2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

Herbie Zimmerman | March 20, 2020 | Category: Code | Tags: Deobfuscating Code, Predator the Thief | 0 comments

Meta:
From: *.xyz
Subject: Various Covid-19
Attachment: covidXX_form.zip

This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my…

2020-03-18 Deobfuscation of MalDoc script – Possibly Predator the Thief

Herbie Zimmerman | March 19, 2020 | Category: Code | Tags: Deobfuscating Code, Predator the Thief | 0 comments

Meta:
From: Debt Collections Agency Houston
Subject: Collection letter for Account Identification number 021621495WZ
Attachment: Word file

I came across a piece of malspam that caught my eye. I did not try to run this since it was not responding in Any.Run and based on the results from URLHaus,…

2019-10-16 Emotet maldoc deobfuscated

Herbie Zimmerman | October 16, 2019 | Category: Code | Tags: Deobfuscating Code, Emotet | 0 comments

This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this…

2019-08-23 WSHRat Javascript de-obfuscation

Herbie Zimmerman | August 23, 2019 | Category: Code | Tags: Deobfuscating Code, RAT, WshRAT | 2 comments

Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came…

2019-04-02 Interesting obfuscation from Emotet

Herbie Zimmerman | April 4, 2019 | Category: Code | 0 comments

So yesterday while going through the mail filters, I came across this email: Looks to be pretty standard stuff to be honest. So the first thing that I did was run this through decalage2’s Vipermonkey to see if I could get at the macro script. Unfortunately Vipermonkey died and was…