RemcosRAT is packed using AutoIT in this case and we will be using x64db to unpack the sample. Packed Sample – d017b85238bc37936397fca235c6a004b659dda441cfd34cc8d00710e47b0496 We’ll be setting the initial Breakpoints in below calls to detect possible code injection and bypass debugger detection: VirtualProtectVirtualAllocIsDebuggerPresentCreateProcessInternalW IsDebuggerPresent gets hit multiple times and we can bypass it by changing the return […]
Started tracking this activity when I observed a lot of malicious doc files submitted in VT with dhash value 6801012121018101. 6801012121018101 is the dhash value of the image file (mentioned below) that’s used in the DOC file and all files having this image can be searched in VT using main_icon_dhash:6801012121018101 More info about main_icon_dhash – […]
Details Started Tracking this activity when observed the encoded payload (f9ee2a922e43f7e080d14019a42d983004313499d2cb1fd3619d0d6eba417be1) that translates to the empty script similar to that in the Unit42 Blog about Aggah Campaign (https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/). Was interesting to see the Detections for this script. Observed that the Pastebin account belonged to HAGGA Began tracking the related URLs in VT and observed that […]
1) Sample Details: MD5 – 5ab2c99e5b4673494c2b37da10442bc3SHA-1 – 00d379f6e1d040a185f7c7d678879360a1570b47SHA-256 – 05e1e27194872ea82491a474afd2273bdad56e2b61172453ef3e771be6965c82 $ file PT798800-TT000768-11.doc PT798800-TT000768-11.doc: Microsoft Word 2007+ 2) Right away we see the suggestion provided to enable macro and a “100% Virus Satisfaction Guaranteed Seal” with a check mark next to ‘No Download’ (seems legit :p). 3) There was a lot of Junk Code like […]
1) Sample Details: Hash: MD5 – 40e2f412a8f47b43e7d2336e22bec6f4 SHA-1 – 10a4c26ba2b0ed617ba367d41feef975e2dc30b7 SHA-256 -128623cda77296ec4cd94eef06068de95b7128dfdb16a4e6f8d7269da218d8ed File: $ file rents.xls rents.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: ������������ Windows, Last Saved By: ������������ Windows, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 20 13:33:43 2018, Last Saved Time/Date: […]
Thanks for joining me! Good company in a journey makes the way seem shorter. — Izaak Walton
