De-obfuscation – Lost in Security (and mostly everything else)

2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

February 15, 2022 October 13, 2024Code

It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… Shout out to David Ledbetter for the assist. Solid work as usual! This post will cover the downloader script from a Remcos maldoc that I was playing with from the beginning of the month. The email itself was your standard fare – a Wells Fargo phishing email that had an Excel XLSB attachment that was encrypted. The Excel XLSB can be found over at Any.Run or over at my Github here. A special shoutout to…

2018-09-18 Emotet maldocs labeled as “Invoices”

September 22, 2018 September 22, 2018Code, Packet Analysis

Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small batch of emails, there were 2 different sets of hashes for the attachments. Below is the table showing the MD5 hashes associated with the maldoc: The artifacts from this can be found over in my Github found here. Another security researcher that has been activly maintaining emotet data (http://twitter.com/ps66uk/status/1042004723866509313) and…