Analysis Notes

A place where I note down malware analyses I have tried and anything that seems likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 27 – 2023 - MALWARE

This entry was generated and posted automatically to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that I can skim through and pick the articles to check. Some of the articles are summarized using Google Bard. 4n6 itself can be found here.

MALWARE

0x70RVS

QuasarRAT Analysis. General Information: MD5 hash: 769a35589cdbb4c0893c0ec138d21e70 SHA256 hash: 2be793fba87cd5dbc7d1c89f31e2fa18ca34bbaf27a624e09a10f9b962f55373 Basic Static Analysis: The output from DIE told us that this sample is written in .NET with high entropy and packing indication. Here are some suspicious strings from FLOSS output: CreateMutex GetTheResource ...

QuasarRAT Analysis pt2. Ok, in the previous part I analyzed the dropper that drops 3 binaries [RunAsDate.exe, svchost.exe, System.exe], starts the first one and puts the rest in the RUN registry key. So now we can assume that the second and third binaries will continuously perform malicious activities. For the first one, I performed analysis on it and found that it doesn’t perform mal activities, just normal applic...

Any.Run

June 30, 2023. Service Updates: Monthly Updates: New Detection Rules, Increased Threat Coverage, and More. We’re e...

ASEC

AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware. DNS TXT record is a feature that allows domain administrators to input text into the DNS. Originally intended for the purpose of entering human-readable notes, the DNS TXT recor...

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from June 11th, 2023 to June 17th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engine...

AhnLab Security Emergency response Center (ASEC) has recently confirmed malware, which was previously distributed in CHM and OneNote file formats, being distributed as an executable. Considering that the words used in the malware and the executed script code are similar to that of previously analyzed codes, it is suspected that the same threat group (Kimsuky) is also the creator of this malware. Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022 OneNote Malware Disguised ...

Avast Threat Labs

Michal Ziv, Or Mizrahi, and Danil Golubenko at Check Point

Security, June 28, 2023. Don’t be fooled by app-earances: Check Point Researchers spot hidden malwares behind legitimate looking apps. By Michal Ziv, Or Mizrahi, and Danil Golubenko. Highlights: A modified version of the popular messaging app...

Cyber Geeks

Fred Gutierrez, James Slaughter, and Shunichi Imano at Fortinet

By Fred Gutierrez, James Slaughter, and Shunichi Imano | June 27, 2023 Affected platforms: Windows Impacted parties: Windows Users Impact: The information collected can be used for future attacks Severity level: Medium FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEy...

Igor Skochinsky at Hex Rays

LockBoxx

Malware Hell

c3rb3ru5d3d53c, included in Docs, 2023-06-26. ANGR Python CheatSheet. Symbolic execution is a technique that involves the systematic exploration of all possible paths in a program’s code using abstract syntax trees (ASTs). Assembly as an AST: Placeholder. Without Branching: In the following example, t...

c3rb3ru5d3d53c, included in Malware, 2023-06-28. Introduction: This page is dedicated to malware questions which I address live on stream. 2023-06-28: "but no thanks, i'll pass on your request. I have a question though... If someone exploits software, firmware, or hardware... does that make them a malware developer?" — Jonathan Scott (@jonathandata1), June 28, 2023. Q: If someone exploits software, firmware, or hardware…does that make them a malware develope...

Nextron Systems

Jun 29, 2023 | Nextron. This post will look into DuckTail Stealer and their current .NET-based payloads. The stealer is well known for targeting marketing companies. DuckTail’s attacks usually come via email, posing as marketing campaigns or hiring offers. They use legitimate cloud hosts like iCloud, OneDrive, and Google Drive to link to ZIP archives. The archives often contain harmless images and videos, with fake Word, PDF, and other standard document format files hidden among the otherwise harm...

OALABS Research

Writing a generic string decryptor for this open source library. Jun 25, 2023. Tags: xorstr, decryption, python. Overview: The open source string encryption library xorstr has bee...

PhishLabs

Security Joes

Our research team is committed to continuously identifying potential security vulnerabilities and techniques that threat actors may exploit to bypass existing security controls. In this blog post, our team details comprehensive research specifically focused on process injection techniques utilized by attackers to deceive robust security products integrated into the security stack, such as EDRs and XDRs. Throughout the blog post, we will delve into various process injection techniques em...

Security Scorecard

Zhassulan Zhussupov

Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is the result of my own research on trying to evade AV engines by encrypting the payload with another logic: a modular multiplication-based cipher. As usual, exploring various crypto algorithms, I decided to check what would happen if we apply this to encrypt/decrypt the payload. modular multiplication-...