2022-05-13 Quick Remcos Deobfuscation

Summary
=======

Decided that I would take a crack at trying to deobfuscate the VBScript that was in a sample of Remcos malspam, since I haven’t been doing it for a long while. The VBScript can be found over at Any.Run inside a zip file (the malspam attachment). I’ll do a post going over the analysis in the coming days, since it seems pretty straightforward. The link to the scripts can be found at my GitHub. NOTE: Wherever there is a “&” it is meant to be just the & symbol.

Analysis
========

The script is a LONG one and…


Deobfuscating an Emotet MalDoc Script

So this post covers the malicious macro script that was found in an older writeup for Emotet, which you can find here. While one could develop tools to help deobfuscate the macro script, like @David Ledbetter did in his blog post, I wanted to show another way of doing it: manually, without any programs or scripts. I wanted to do it this way and document it since I have no talent or skill in the ways of developing programs/scripts to do this kind of work, and to show that it is possible for those of us that are “code…
