2024-01-14 Remcos RAT Infection

Summary ========= The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos…

Continue reading

2022-04-22 Emotet Malspam Using Excel 4 Macro

Summary ======== Looking at the mail filters yesterday to see if there was anything interesting while having “some” downtime during the late part of my shift, I was able to come across a sample of some Emotet malspam leveraging the usual hacked/injected email thread. The sample was an encrypted zip file that had an Excel spreadsheet using the Excel 4 macro once the macro was enabled. All the files and artifacts from this can be found over at my Github repo located here. Analysis ======== Host ———- This infection chain is very much like the one that I detailed in…

Continue reading

2022-03-14 Emotet Malspam

Summary ======== As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time since I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I did come across an email that had an encrypted zip attachment that was an Excel spreadsheet that leveraged a macro in it. For this post, I am not digging into the macro. This will be a simple analysis post. As usual, all the artifacts from this investigation can be found…

Continue reading

2022-02-26 Quick Post – Push Notifications And Files Written To Disk

Note: It took me a little longer to get this post written and my VM had crashed on me, so the logs seen from Chrome or Edge may reflect more data than I had initially. This is going to be slightly off topic from what I usually post about (malware) and is not deep in the weeds for someone that is wanting to do forensics. The lens that I am viewing this from is as a defender/SOC analyst. For a more in-depth look into this topic from a forensics perspective please see these awesome resources below: Jai Minton’s┬áDigital Forensics and…

Continue reading

2022-01-09 First Round with Brim Using December’s Malware Traffic Exercise

It has been a long while since I have done any blogging. Since it has been a hot minute since I have done a post I thought that I would take this opportunity to learn something new and expand my tool-belt. So this first step back into the blogging world is going to be about a tool called Brim using the latest malware exercise from Brad found over at his site here and the SANS site here. So let’s start with what Brim is – a tool that helps visualize PCAP data in a different way with WAY faster indexing…

Continue reading

2020-12-08 Hancitor Malspam

Summary ======== This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several attempts at trying to get a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For a list of other links that I saw, please see this Pastebin. The others did what they have always done in the past – redirected me to a Docusign site. For the artifacts and such, please see my Github repo for this here. Analysis ======== Once the maldoc was obtained,…

Continue reading

2020-11-03 Node.JS QRAT

Summary ======== Looking through some of the email filters today looking for anything interesting, I ran into some emails that all had the same characteristics. All the emails were Fedex themed and had an attachment named “IMG-10227821963777100026367819.zip.” Once the file had been unzipped, it was actually a JAR file (IMG-10227821963777100026367819.jar). Also, since I had not seen any kind of malware like this before, I came across some interesting posts about this that you can review. Trustwave did a great write up about this, along with TrendMicro. For the PCAPs, ProcMon, and strings2 artifacts from this, please see the Github repo…

Continue reading

2020-07-17 ZLoader Malspam (Excel 4 Macros)

Summary ======== This is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was one that I had not seen before but had read about on several different occasions – an Excel 4 macro. The interesting thing about this attack vector is the fact that it doesn’t rely on an embedded VB macro in the Excel spreadsheet per se, but uses the native built-in…

Continue reading

2020-05-27 Netsupport RAT Malspam

Summary ======== Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results….

Continue reading

2020-04-06 Qealler RAT Malspam

Meta ===== From: Bharti Ladwa Subject: EFT Supplier Number: 0003697 Link in the email: hxxps://jfreecss.co.uk/ Malware type: Qealler ———————- Basically this is a Java RAT. Below are some additional resources that explain how this type of malware works. http://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer http://securityboulevard.com/2019/10/hiding-in-plain-sight-new-adwind-jrat-variant-uses-normal-java-commands-to-mask-its-behavior/ http://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ Earlier today I came across a phishing email that had contained an embedded image which had a malicious link in it. Once it was clicked on, the site automatically redirected to another site which then proceeded to download a JAR file. I tried to deobfuscate the Java code in my VM but did not get anywhere fast. Knowing that…

Continue reading