Discover and read the best of Twitter Threads about #Virustotal

Most recents (7)

Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.

Sample: bazaar.abuse.ch/sample/80aad66…

C2: 0/90 VT
Script: 5/59 VT

[1/5] 👇

#Regex #python #cyberchef #malware ImageImageImageImage
[2/5] Note the initial script contains a large amount of junk comments to mask the "real" code.

These can be removed using #cyberchef and a short #regex.

Find and Replace
^(REM|').*\n ImageImage
[3/5] There are some long junk numbers scattered throughout the code.

Personally, I decoded with Python and an eval inside of a safe VM. ImageImage
Read 5 tweets
🧵
Last week I wrote a piece about how opening the wrong PDF led to a #cybersecurity breach that rapidly escalated

Since then I've figured out how the PDF managed to evade all major virus/malware detection tools and exploit a vulnerability (that may still exist!)

Let's dig in👇
As mentioned in the piece I had suspicions about the PDF because it had come from the vicinity of #cryptocurrency criminals, so before opening I ran it through a bunch of reputable malware detection tools.
They all gave it the all clear... and they still do. Here's a link to the @virustotal report showing 0 out of 61 malware scanners alerted on this PDF.

#VirusTotal is Google's #cybersecurity offering so it's not surprising Gmail also gave it the all clear.
virustotal.com/gui/file/61d47… Image
Read 37 tweets
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Read 6 tweets
🧵 Backdooring #SSH daemons (sshd) via simple patches probably exists since the dawn of time. Typically, a patched and recompiled version of #OpenSSH allows a threat actor to:

1⃣ login with master password
2⃣ logging all credentials to file
3⃣ hiding logons from "last"

1/4
‼️Especially, the logging of further credentials potentially enables threat actors to maintain access in the case the backdoored #SSH daemon is detected and removed or to move laterally in the network due to password reuse.

2/4
Some lines of source code say more than thousands lines of prose 📚. Therefore, I recommend to have a look at an example github.com/QAX-A-Team/ope…. The changes are minimal, the impact is potentially huge.

3/4
Read 4 tweets
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
Read 6 tweets
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? 🤔
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is faked🤥 and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Read 8 tweets
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041… ImageImageImageImage
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a… ImageImageImage
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!