Category Archives: Uncategorized

n this post, we’ll demonstrate how to manually decode a SmokeLoader Visual Basic (.vbs) script using Procmon. We’ll walk through the process of extracting additional stages using PowerShell and show how to identify the malware sample using sandbox analysis tools. The initial file can be downloaded from malware bazaar and unzipped using the password infected. SHA256:375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936 Initial Analysis […]

“This is a collection of code snippets that I’ve found useful when developing configuration extractors for .NET-based malware.Here are some examples where I have applied these snippets. This page would not exist without the work of these folk. Much of this work is based on their blogs and scripts. Enumerate DotNet File For Call Instruction […]

In this post, we’ll walk through the process of decoding and analyzing a simple DarkGate loader .vbs script. Although this script uses minimal obfuscation and isn’t highly complex, it does employ some decoy tactics that can be challenging for less experienced analysts. We’ll cover basic techniques to strip away decoy code and reveal the core […]

In this post, we’ll showcase the Garbageman analysis tool—a powerful resource for extracting information from packed or obfuscated .NET malware. Garbageman works by intercepting .NET’s memory management components and saving relevant data for later analysis. For a detailed look at its inner workings, check out this excellent blog post on Garbageman’s architecture. With this approach, […]

In this post, we’ll use regular expressions and TLS certificate analysis to identify 83 scattered Qakbot servers. These servers are crafted to avoid traditional detection methods—there are few consistent patterns in ports, service names, or ASNs that could be used for simple signatures. Instead, we’ll focus on shared attributes within the subject_dn and issuer_dn fields […]