Category Archives: Uncategorized

Introduction Ransomware attacks are becoming increasingly devastating, but one constant remains: the tools used by cybercriminals. The Ransomware Tool Matrix is a comprehensive resource that highlights the tactics, techniques, and procedures (TTPs) frequently employed by ransomware and extortionist groups. This repository equips defenders with actionable intelligence on the tools commonly utilized by adversaries, drawing insights […]

In this post, we’ll analyze a suspicious IP address identified in our previous discussion on Amadey Bot malware. We’ll use Shodan and Censys to pivot to additional Amadey infrastructure. You’ll learn how to craft queries based on HTML content and certificate information from a known C2, ultimately identifying 12 unique servers. The original sample can […]

An informal page for storing Censys/Shodan queries that have returned interesting results. Including examples for – AsyncRAT – Common x509 Certificates Hardcoded values in x509 certificates used for TLS communication. (Link) Solarmarker/Jupyter – SSH Configuration Commonalities Commonalities between ssh host key and running ports. Typically only ports 22 and 80. SSH host key is the […]

n this post, we’ll demonstrate how to manually decode a SmokeLoader Visual Basic (.vbs) script using Procmon. We’ll walk through the process of extracting additional stages using PowerShell and show how to identify the malware sample using sandbox analysis tools. The initial file can be downloaded from malware bazaar and unzipped using the password infected. SHA256:375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936 Initial Analysis […]

“This is a collection of code snippets that I’ve found useful when developing configuration extractors for .NET-based malware.Here are some examples where I have applied these snippets. This page would not exist without the work of these folk. Much of this work is based on their blogs and scripts. Enumerate DotNet File For Call Instruction […]