Discover and read the best of Twitter Threads about #VirusTotal
Most recents (7)
Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.
Sample: bazaar.abuse.ch/sample/80aad66…
C2: 0/90 VT
Script: 5/59 VT
[1/5] 👇
#Regex #python #cyberchef #malware
Sample: bazaar.abuse.ch/sample/80aad66…
C2: 0/90 VT
Script: 5/59 VT
[1/5] 👇
#Regex #python #cyberchef #malware
[2/5] Note the initial script contains a large amount of junk comments to mask the "real" code.
These can be removed using #cyberchef and a short #regex.
Find and Replace
^(REM|').*\n
These can be removed using #cyberchef and a short #regex.
Find and Replace
^(REM|').*\n
[3/5] There are some long junk numbers scattered throughout the code.
Personally, I decoded with Python and an eval inside of a safe VM.
Personally, I decoded with Python and an eval inside of a safe VM.
🧵
Last week I wrote a piece about how opening the wrong PDF led to a #cybersecurity breach that rapidly escalated
Since then I've figured out how the PDF managed to evade all major virus/malware detection tools and exploit a vulnerability (that may still exist!)
Let's dig in👇
Last week I wrote a piece about how opening the wrong PDF led to a #cybersecurity breach that rapidly escalated
Since then I've figured out how the PDF managed to evade all major virus/malware detection tools and exploit a vulnerability (that may still exist!)
Let's dig in👇
As mentioned in the piece I had suspicions about the PDF because it had come from the vicinity of #cryptocurrency criminals, so before opening I ran it through a bunch of reputable malware detection tools.
They all gave it the all clear... and they still do. Here's a link to the @virustotal report showing 0 out of 61 malware scanners alerted on this PDF.
#VirusTotal is Google's #cybersecurity offering so it's not surprising Gmail also gave it the all clear.
virustotal.com/gui/file/61d47…
#VirusTotal is Google's #cybersecurity offering so it's not surprising Gmail also gave it the all clear.
virustotal.com/gui/file/61d47…
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
🧵 Backdooring #SSH daemons (sshd) via simple patches probably exists since the dawn of time. Typically, a patched and recompiled version of #OpenSSH allows a threat actor to:
1⃣ login with master password
2⃣ logging all credentials to file
3⃣ hiding logons from "last"
1/4
1⃣ login with master password
2⃣ logging all credentials to file
3⃣ hiding logons from "last"
1/4
‼️Especially, the logging of further credentials potentially enables threat actors to maintain access in the case the backdoored #SSH daemon is detected and removed or to move laterally in the network due to password reuse.
2/4
2/4
Some lines of source code say more than thousands lines of prose 📚. Therefore, I recommend to have a look at an example github.com/QAX-A-Team/ope…. The changes are minimal, the impact is potentially huge.
3/4
3/4
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.
Came across this interesting command. What is it doing? 🤔
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.
Came across this interesting command. What is it doing? 🤔
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is faked🤥 and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a…
📎virustotal.com/gui/file/5644a…
Some links for research:
👋🌍github.com/edparcell/Hell…
🔙🚪labs.f-secure.com/archive/add-in…
📄gist.github.com/ryhanson/22722…
📎
🎁github.com/moohax/xllpoc
cc/ @buffaloverflow @moo_hax @ryHanson @FSecureLabs
👋🌍github.com/edparcell/Hell…
🔙🚪labs.f-secure.com/archive/add-in…
📄gist.github.com/ryhanson/22722…
📎
🎁github.com/moohax/xllpoc
cc/ @buffaloverflow @moo_hax @ryHanson @FSecureLabs
