Author Archives: Emin Baylarov

Shodan Query Guide: Tracking Amadey Bot Infrastructure Using TLS Certificates and Russian Profanity

In this post, we’ll analyze a suspicious IP address identified in our previous discussion on Amadey Bot malware. We’ll use Shodan and Censys to pivot to additional Amadey infrastructure. You’ll learn how to craft queries based on HTML content and certificate information from a known C2, ultimately identifying 12 unique servers. The original sample can […]

Real-World Threat Intelligence Query Examples for Identifying Malware Infrastructure

An informal page for storing Censys/Shodan queries that have returned interesting results. Including examples for: AsyncRAT – Common x509 Certificates: hardcoded values in x509 certificates used for TLS communication. (Link) Solarmarker/Jupyter – SSH Configuration Commonalities: commonalities between SSH host key and running ports. Typically only ports 22 and 80. SSH host key is the […]

Malware Analysis and Deobfuscation Using Procmon: A Smokeloader Example

In this post, we’ll demonstrate how to manually decode a SmokeLoader Visual Basic (.vbs) script using Procmon. We’ll walk through the process of extracting additional stages using PowerShell and show how to identify the malware sample using sandbox analysis tools. The initial file can be downloaded from Malware Bazaar and unzipped using the password infected. SHA256: 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936 Initial Analysis […]

Code Snippets for Extracting .NET Configuration Information

This is a collection of code snippets that I’ve found useful when developing configuration extractors for .NET-based malware. Here are some examples where I have applied these snippets. This page would not exist without the work of these folk. Much of this work is based on their blogs and scripts. Enumerate DotNet File For Call Instruction […]

Decoding Visual Basic (.vbs) Malware: Analyzing the DarkGate Loader

In this post, we’ll walk through the process of decoding and analyzing a simple DarkGate loader .vbs script. Although this script uses minimal obfuscation and isn’t highly complex, it does employ some decoy tactics that can be challenging for less experienced analysts. We’ll cover basic techniques to strip away decoy code and reveal the core […]