Channel: Vitali Kremez | Ethical Hacker | Reverse Engineer

Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1

Goal: Reverse engineer and analyze the Qakbot banker, focusing on its core functionality, new configuration, and decoded template. #Emotet and #Qakbot Invoice-75301.doc [Old...



Let's Learn: Diving into the Latest "Ramnit" Banker Malware via "sLoad"...

Goal: In-depth reverse engineering of the latest Ramnit banker delivered via the "sLoad" PowerShell malware. The analysis focuses on the Ramnit banker's core functionality, its hooking engine, webinjects,...

Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber &...

Goal: Reverse engineer the latest Panda Banker malware and detail the modules associated with this popular malware. The research aims to fill gaps in the published research with detailed information related to...

Let's Learn: In-Depth Reversing of Recent Gozi ISFB Banking Malware Version...

Goal: Reverse engineer and analyze one of the latest Gozi "ISFB" (also called "Ursnif" by various researchers) banking malware variants, focusing on one of the latest "client.dll" 32-bit...

Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1

Goal: Reverse engineer and analyze one of the latest "IcedID" banking malware samples (also known to some researchers as "BokBot"), focusing on its core functionality. 2018-09-05 - #Emotet #malspam infection...


Let's Learn: Dissecting Dridex Banking Malware Part 1: Loader and Avast...

Goal: Reverse engineer and analyze the latest "Dridex" banking malware loader and its use of the Avast "snxk.dll" hooking library. Nice: pic.twitter.com/SNAhJFaqlP — James (@James_inthe_box) September 7,...

Let's Learn: Exploring ZeusVM Banking Malware Hooking Engine

Goal: Analyze and reverse one of the latest ZeusVM variants, with special attention to its main client module and its keylogger component. Very interesting sample... thanks for sharing! Looks like a...

Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018...

Goal: Analyze the latest Hancitor variant (build "25xce10") to trace the progression of the dropper/downloader malware from 2016 to the latest version in 2018. Source: Original Packed Hancitor...


Let's Learn: Introducing Latest TrickBot Point-of-Sale Finder Module

Goal: Analyze the latest TrickBot point-of-sale finder "psfin32" reconnaissance module, which hunts for point-of-sale-related services, software, and machines in Lightweight Directory Access Protocol...


Let's Learn: In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor

Goal: Review, analyze, and practice extracting the FIN7 JavaScript backdoor from malicious Microsoft Office documents. #FIN7 Not Finished – Morphisec Spots New Attack Campaign https://t.co/cPDMQ8xNra by...

Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review

Goal: Review and practice analyzing C# code from the Sofacy group's new loader/backdoor called "Cannon" (as discovered by Palo Alto Networks Unit 42 researchers). New #Unit42 research: #Sofacy continues global...

Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight

Goal: Analyze and reverse engineer one of the "Zebrocy" C++ loader samples attributed to the Sofacy/Sednit/APT28 group. By and large, Zebrocy is a widely used first-stage loader in recent campaigns...

Let's Learn: Dissecting APT28 Zebrocy Delphi Loader/Backdoor Variants:...

Goal: Analyze and document the progression of APT28 Zebrocy Delphi loader/backdoor variants from 6.02 to 7.00. #APT28/Sednit Zebrocy Implant 47a026d93ae8e0cc292e8d7a71ddc89e similar to...


Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader

Goal: Reverse engineer the latest APT28/Sofacy Zebrocy loader, written in the Go programming language, often referred to as Golang. #Sofacy uses a variant of #Zebrocy written in the Go language in...

Let's Learn: Progression of APT28/Sofacy Golang Zebrocy Loader 'Project2.Go':...

Goal: Document the progression of the Zebrocy (aka Zepakab) Golang loader as leveraged by the APT28/Sofacy group. APT28 Zekapab Go Implant 6bc5f53d4082f12dd83aca45bae81e64 Submission thanks to...


Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'

Goal: Reverse engineer and review the Gamaredon Group Pteranodon implant (including its batch scripts and decoding mechanism). Hey look at that Gamaredon Group changed up the names in their pteranodon...

Let's Learn: (Over)Analyzing One of the Latest APT28 Zepakab/Zebrocy Delphi...

Goal: Analyze one of the latest APT28 Zepakab/Zebrocy Delphi implants, exploring its functionality at the pseudo-source-code level. APT28 Zekapab Implant 3e713a838a68259ae2f9ef2eed05a761 Detection by @cyb3rops...


Let's Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code...

Goal: Reverse engineer and analyze the APT28 Zebrocy/Zepakab AutoIt downloader implant, focusing on analysis of the extracted AutoIt source code. Source: Zebrocy/Zepakab Downloader Implant (32-bit x86...

Let's Learn: Dissecting Lazarus PowerShell PowerRatankba.B, Installer Script...

Goal: Document and review the latest Lazarus PowerRatankba.B PowerShell installer script, which leads to the 64-bit keylogger version (Pakistan version). 2019-01-25: #Lazarus #DPRK #Malware Sample...

Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in...

Goal: Reverse engineer and document the Operation ShadowHammer malware and its shellcode in depth, as originally discovered and reported by Kaspersky Lab. Source: Exclusive: Kaspersky researchers...

Let's Learn: Deeper Dive into Golang Constructs of Ransomware Called "shifr"

Goal: Reverse engineer and provide a quick overview of the newer version of the "shifr" ransomware, written in Golang. Not sure what ransomware this is, ID Ransomware didn't have any ideas...


Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading...

Goal: Document and dissect the latest Lazarus Windows 32-bit (x86) loader version involved in the distribution of a crypto trading application targeting Windows and macOS users. The malware and the campaign were...


Let's Learn: Diving Deeper into "Mozart" TLD Loader & DNS TLD Commands

Goal: Reverse engineer and dissect the rather unusual "Mozart" DNS TLD loader, first flagged for research by @malwrhunterteam, focusing on the malware's commands and...

Let's Learn: Inside Parallax RAT Malware: Process Hollowing Injection &...

Goal: Reverse engineer and analyze the loader portion of the Parallax remote administration tool/Trojan (RAT), covering its low-level injection and image-decoder techniques. The original sample discovery...

Let's Learn: TrickBot "BazarBackdoor" Process Hollowing Injection Primer

Goal: Review the latest stealthy TrickBot group backdoor, dubbed "BazarBackdoor", and its process injection methodology. #Malware @googledocs 📨 tyrone.smith@mymona.uwi.edu via @SendGrid 📩...
