Category Archives: Uncategorized

In this post, we’ll walk through the process of decoding and analyzing a simple DarkGate loader .vbs script. Although this script uses minimal obfuscation and isn’t highly complex, it does employ some decoy tactics that can be challenging for less experienced analysts. We’ll cover basic techniques to strip away decoy code and reveal the core […]

In this post, we’ll showcase the Garbageman analysis tool—a powerful resource for extracting information from packed or obfuscated .NET malware. Garbageman works by intercepting .NET’s memory management components and saving relevant data for later analysis. For a detailed look at its inner workings, check out this excellent blog post on Garbageman’s architecture. With this approach, […]

In this post, we’ll use regular expressions and TLS certificate analysis to identify 83 scattered Qakbot servers. These servers are crafted to avoid traditional detection methods—there are few consistent patterns in ports, service names, or ASNs that could be used for simple signatures. Instead, we’ll focus on shared attributes within the subject_dn and issuer_dn fields […]

In this post, we’ll examine a Vidar malware sample containing suspicious encrypted strings. Using Ghidra’s cross-referencing features, we’ll analyze these strings to pinpoint where they are utilized within the code. With this approach, we’ll identify the string decryption function and use a debugger to intercept inputs and outputs, allowing us to retrieve the decrypted strings. […]

In previous posts, we decoded various malicious scripts to retrieve Cobalt Strike shellcode. After acquiring the shellcode, we utilized SpeakEasy emulation to understand its functionality—a helpful approach, though relying solely on automated tools isn’t always ideal, even when effective. In this post, we’ll take a more hands-on approach, diving deeply into a Cobalt Strike shellcode […]