Interesting command from the #Awfulshred wiper to clear the page cache and reboot the system by using a kernel system request. #malware #reverseengineering #int3 #blueteam #detect_and_response
I've been seeing a bat-crypter being used by #asyncrat #redline #dcrat and other malware as a loader, so this analysis and my simple Python script to extract the encrypted payload from that .bat file might help. 😊 1/4 #int3 #malwareanalysis
https://github.com/tccontre/KnowledgeBase/tree/main/malware_re_tools/asyncrat-bat-crypter-extractor
2/4 The .bat crypter creates a series of environment variables containing strings that will be concatenated to generate the PowerShell that will decode, decrypt and load the actual payload. We can dump the PowerShell in-process or just exploit the technique with a simple 'echo'. 😊
3/4 Upon running the modified .bat, it will dump the PowerShell that will decode, decrypt (AES) and decompress the actual payload. You can either modify the actual PowerShell or use CyberChef to decrypt the actual payload.
4/4 Doing it one by one might be exhausting, so I created a simple Python script (shared above) to automatically decrypt and extract the payload from this bat-crypter loader (specifically designed for this bat-crypter format). It also generates a debug log.
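The thread above describes the trick (PowerShell split across `set` variables and glued back together by `%VAR%` expansion on the last line) and the author's own extractor lives at the GitHub link. What follows is an added example, not the author's script and not code from any real loader: it replays the `set` lines statically, the offline equivalent of the 'echo' trick, so the reassembled command line can be read without executing the .bat. The sample .bat, the variable names and the embedded PowerShell are constructed for the demo; the `%VAR%` expansion is an approximation of cmd.exe batch-file semantics (case-insensitive names, `%%` is a literal percent sign, undefined variables expand to nothing).

```python
import base64
import re

# Constructed sample, not a real AsyncRAT/RedLine/DCRat loader: a bat-crypter
# that scatters a PowerShell command line across environment variables and
# reassembles it on the final line, the way the thread describes.
SAMPLE_PS = "$b=[Convert]::FromBase64String('QUFBQQ==');Write-Host 'stage 2'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
SAMPLE_BAT = (
    "@echo off\r\n"
    'set "xq=pow"\r\n'
    "set yz=ersh\r\n"
    'set "ab=ell -w hidden -nop -enc "\r\n'
    f'set "cd={SAMPLE_B64}"\r\n'
    "rem 100%% decoy comment that must not be expanded\r\n"
    "%XQ%%yz%%AB%%cd%\r\n"
    "exit\r\n"
)

# set NAME=VALUE or set "NAME=VALUE" (the quoted form keeps trailing spaces)
SET_RE = re.compile(r'^set\s+(?:"([^=]+)=(.*)"|([^=]+)=(.*))\s*$', re.IGNORECASE)
SKIP_VERBS = {"echo", "rem", "exit", "setlocal", "endlocal", "cls", "pause", "goto"}


def expand(text, env):
    """Approximate cmd.exe %VAR% expansion for a line inside a batch file:
    %% -> literal %, %NAME% -> value (case-insensitive) or '' if undefined."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "%":
            out.append(text[i])
            i += 1
        elif text.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            j = text.find("%", i + 1)
            if j == -1:                      # unmatched %, cmd.exe drops it
                i += 1
            else:
                out.append(env.get(text[i + 1:j].lower(), ""))
                i = j + 1
    return "".join(out)


def reconstruct(bat_text):
    """Replay the 'set' lines in order, expand every other line with the
    variables defined so far, and return (env, expanded command lines)."""
    env, commands = {}, []
    for raw in bat_text.splitlines():
        line = raw.strip().lstrip("@")       # a leading @ only suppresses echo
        if not line or line.startswith(":"):  # labels and :: comments
            continue
        if line.split(None, 1)[0].lower() in SKIP_VERBS:
            continue
        m = SET_RE.match(line)
        if m:
            quoted = m.group(1) is not None
            name = (m.group(1) if quoted else m.group(3)).strip()
            value = m.group(2) if quoted else m.group(4)
            env[name.lower()] = expand(value, env)  # values may use earlier vars
        else:
            commands.append(expand(line, env))
    return env, commands


def decode_encoded_command(cmdline):
    """Pull the -EncodedCommand argument (any unambiguous prefix: -e, -ec,
    -enc, ...) out of a reconstructed PowerShell line and decode it
    (base64 of UTF-16LE text)."""
    tokens = cmdline.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            return base64.b64decode(nxt).decode("utf-16-le")
    return None


if __name__ == "__main__":
    env, cmds = reconstruct(SAMPLE_BAT)
    for cmd in cmds:
        print("[cmd]", cmd[:80], "...")
        decoded = decode_encoded_command(cmd)
        if decoded:
            print("[powershell]", decoded)
```

Point the `reconstruct()` call at the real file's text instead of `SAMPLE_BAT` and the recovered line is what the thread's 'echo' would have printed; the decoded PowerShell is then the stage that does the base64/AES/decompress work, which is where CyberChef or a modified copy of the script takes over.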
Trying to learn the https://binref.github.io/#refinery.hexload tool. :) This tool is awesome.
A good starting example is decoding the simple string obfuscation of #formbook. #int3 #malwareanalysis #reverseengineering
Sharing an #STRT blog related to #AgentTesla malware analysis and detections. In this article we include some tips on how you can use a fake SMTP server to see the exfiltrated data on the attacker's side. 😀
1. Modify the #agenttesla SMTP setup: disable SMTP SSL.
2. Then set up your fake or dummy SMTP server. In this analysis I use this great tool, #smtpdev.
https://github.com/rnwood/smtp4dev
After the setup, you have the attacker's view as it sends the screenshots, keylogs and browser databases/info (in a .zip) to your fake SMTP server.
For #Splunk analytics, here is the link to the #agenttesla analytic story https://research.splunk.com/stories/agenttesla/
#malware #int3 #reverseengineering #BlueTeam #cybersecurity #incidentresponse
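The post uses smtp4dev as the sink. As an added example, not part of the post or of smtp4dev, here is the same idea as a stand-alone plaintext SMTP sink in Python: it accepts any sender and recipient, never advertises STARTTLS or AUTH (so the sample's SSL-disabled config is enough), stores each delivered message as raw bytes, and parses out the attachments the stealer sent. The "exfiltration" message (subject, body text, a zip of a fake browser database) is constructed for the demo and is not a real AgentTesla report; in a lab you would instead point the patched sample at the host and port the sink prints.

```python
import email
import io
import smtplib
import socket
import threading
import zipfile
from email import policy
from email.message import EmailMessage


def _handle(conn, store):
    """One SMTP session: accept any sender/recipient, offer no STARTTLS or
    AUTH, and append each DATA body (raw RFC 5322 bytes) to `store`."""
    rfile = conn.makefile("rb")
    send = lambda s: conn.sendall(s.encode() + b"\r\n")
    send("220 fake-smtp ESMTP ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        verb = raw.decode("latin-1").strip().split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            send("250 fake-smtp")                 # single line: no extensions
        elif verb in ("MAIL", "RCPT", "NOOP", "RSET"):
            send("250 OK")
        elif verb == "DATA":
            send("354 End data with <CR><LF>.<CR><LF>")
            body = []
            for line in iter(rfile.readline, b".\r\n"):   # stop at lone '.'
                if not line:
                    break
                body.append(line[1:] if line.startswith(b".") else line)  # un-dot-stuff
            store.append(b"".join(body))
            send("250 OK queued")
        elif verb == "QUIT":
            send("221 bye")
            break
        else:
            send("502 not implemented")
    conn.close()


class FakeSmtpServer:
    """Plaintext SMTP sink on 127.0.0.1; `messages` holds raw captured mails."""

    def __init__(self, host="127.0.0.1", port=0):
        self.messages = []
        self.sock = socket.socket()
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # port 0 -> kernel picks one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                      # socket closed by close()
                return
            threading.Thread(target=_handle, args=(conn, self.messages), daemon=True).start()

    def close(self):
        self.sock.close()


def summarize(raw):
    """Parse a captured mail and list what was sent: headers plus the
    (filename, size) of every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    atts = [(p.get_filename(), len(p.get_payload(decode=True)))
            for p in msg.iter_attachments()]
    return {"subject": str(msg["Subject"]), "from": str(msg["From"]), "attachments": atts}


def build_sample_exfil():
    """Constructed stand-in for a stealer report (not a real AgentTesla mail):
    a short text body plus a zip holding a fake browser database."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Chrome/Login Data", b"SQLite format 3\x00 (constructed)")
    msg = EmailMessage()
    msg["From"] = "victim@example.test"
    msg["To"] = "attacker@example.test"
    msg["Subject"] = "Passwords from victim-pc"
    msg.set_content("Time: 00:00\nUser Name: user\nOS: constructed sample\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="browsers.zip")
    return msg


def run_demo():
    """Start the sink, deliver the sample over plaintext SMTP the way a config
    pointed at 127.0.0.1 with SSL disabled would, and return the summary."""
    srv = FakeSmtpServer()
    try:
        with smtplib.SMTP("127.0.0.1", srv.port, timeout=10) as client:
            client.send_message(build_sample_exfil())
        return summarize(srv.messages[0])        # 250 after DATA means it is stored
    finally:
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

The raw bytes in `messages` are the same thing smtp4dev shows in its UI; saving them to disk gives you the .zip, screenshots and keylog exactly as the attacker would have received them, and the subject/from fields are the kind of artifact worth turning into a detection alongside the Splunk story linked above.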