Author Archives: Emin Baylarov

“This is a collection of code snippets that I’ve found useful when developing configuration extractors for .NET-based malware.Here are some examples where I have applied these snippets. This page would not exist without the work of these folk. Much of this work is based on their blogs and scripts. Enumerate DotNet File For Call Instruction […]

In this post, we’ll walk through the process of decoding and analyzing a simple DarkGate loader .vbs script. Although this script uses minimal obfuscation and isn’t highly complex, it does employ some decoy tactics that can be challenging for less experienced analysts. We’ll cover basic techniques to strip away decoy code and reveal the core […]

In this post, we’ll showcase the Garbageman analysis tool—a powerful resource for extracting information from packed or obfuscated .NET malware. Garbageman works by intercepting .NET’s memory management components and saving relevant data for later analysis. For a detailed look at its inner workings, check out this excellent blog post on Garbageman’s architecture. With this approach, […]

In this post, we’ll use regular expressions and TLS certificate analysis to identify 83 scattered Qakbot servers. These servers are crafted to avoid traditional detection methods—there are few consistent patterns in ports, service names, or ASNs that could be used for simple signatures. Instead, we’ll focus on shared attributes within the subject_dn and issuer_dn fields […]

In this post, we’ll examine a Vidar malware sample containing suspicious encrypted strings. Using Ghidra’s cross-referencing features, we’ll analyze these strings to pinpoint where they are utilized within the code. With this approach, we’ll identify the string decryption function and use a debugger to intercept inputs and outputs, allowing us to retrieve the decrypted strings. […]