Here is a quick writeup for another Emotet maldoc that I saw. Unfortunately I did not get a copy of the email but it did have a link in it which lead to the maldoc. There were two things in this sample that I saw that were different: 1) no…
So this post covers the malicious macro script that was found in an older writeup for Emotet which you can find here. While one could develop tools to help deobfuscate the macro script like @David Ledbetter did in his blog post, I wanted to show another way of doing it…
This is a quick writeup on some maldocs that I was able to find in our email filters that used the CVE2017-0199 in them. The emails had the same attachments in them (from a hash perspective) which was a Word document and an Excel spreadsheet. The Word document had a…
This is just a quick writeup for an Emotet malspam that I found in Triton. Nothing to detailed or anything of the sort. I was not able to obtain the initial malicious binary (73077.exe) from the Word document, so after getting all the details, I went back on a clean…
Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the…
A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware outside that it was a generic information stealing malware. For some interesting reading on how to bypass UAC within Windows, please see the following links: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/…
Quick post for today. I have been seeing a lot of malspam with malicious Javascript attachments zipped inside a 7zip archive for the past couple of days. The emails themselves all seem to revolve around the theme of a receipt or invoice as seen below. From what I can tell,…
So continuing from my update yesterday (see 2017-08-30 Trickbot Maldoc – Part One), it looks as if sometime last night while working on the writeup, and perhaps again this morning, Trickbot got cheeky and updated itself. It looks as if the file “Atpsijj.exe” is a new file with a different…
For today’s post, I will be looking at a malicious Word document that we got spoofing NatWest which led to Trickbot malware being installed on the system. After I found this sample, I started to see posts on Tweeter from people like @dvk01uk and @VK_Intel posting about Trickbot. For this…
For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running…