Category Archives: Uncategorized

In this post, we’ll examine a Vidar malware sample containing suspicious encrypted strings. Using Ghidra’s cross-referencing features, we’ll analyze these strings to pinpoint where they are utilized within the code. With this approach, we’ll identify the string decryption function and use a debugger to intercept inputs and outputs, allowing us to retrieve the decrypted strings. […]

In previous posts, we decoded various malicious scripts to retrieve Cobalt Strike shellcode. After acquiring the shellcode, we utilized SpeakEasy emulation to understand its functionality—a helpful approach, though relying solely on automated tools isn’t always ideal, even when effective. In this post, we’ll take a more hands-on approach, diving deeply into a Cobalt Strike shellcode […]

Practical queries for identifying malware infrastructure with FOFA. AsyncRAT Hardcoded Certificate Values cert.subject.cn=”AsyncRAT Server” || cert.issuer.cn=”AsyncRAT Server” – Link Cobalt Strike Default Certificate Values cert.issuer.cn=”Major Cobalt Strike” – Link cert.issuer.org=”cobaltstrike” – Link Amadey Bot Re-used certificate values cert.subject.cn=”desas.digital” – Link Quasar RAT Default certificate values. cert.subject.cn=”Quasar Server CA” – Link Laplas Clipper Certificate values and favicon hash. cert.subject.cn=”Laplas.app” – Link icon_hash=”1123908622″ – Link Sliver C2 Default Certificate values cert.subject.cn=”multiplayer” […]

We’re all familiar with basic CyberChef operations like ‘From Base64,’ ‘From Decimal,’ and the occasional magic decode or XOR. But what happens when we need to tackle more complex tasks? CyberChef offers a range of advanced operations that are often overlooked in favor of Python scripting. Many are unaware of its more powerful features, such […]

This post will examine a Latrodectus loader that uses junk comments and WMI commands to obfuscate its functionality, ultimately downloading a remote .msi file. The sample operates in three distinct stages, which can be decoded using a combination of regular expressions and CyberChef. Obtaining the Initial SampleThe initial sample can be found on Malware Bazaar, […]