Mohamed Ashraf (@x__junior)'s Twitter Profile
Mohamed Ashraf

@x__junior

Detection @nextronsystems, Challenges Developer @CTFCreators, CTF Player @F1R3F411. Interested in #RE #Malware #Cryptography #WindowsInternals #DFIR.

ID: 1292714287216066561

Link: https://x-junior.github.io/
Joined: 10-08-2020 06:48:04

145 Tweets

1.1K Followers

477 Following

Abdallah Elshinbary (@_n1ghtw0lf):

Hello everyone, I just published a small blog post about writing a generic dotnet string decryptor to help in malware analysis/reverse engineering. #malware_analysis #reverse_engineering n1ght-w0lf.github.io/tutorials/dotn…

Nasreddine Bencherchali (@nas_bench):

[Blog 📚] LOLBINed - Abusing Sysinternals BgInfo nasbench.medium.com/lolbined-abusi… An additional abuse vector, for a #LOLBIN first discovered by Oddvar Moe #lolbas

Mohamed Ashraf (@x__junior):

I wrote a static string decryptor and IDAPython script to decrypt the strings in #Statc Stealer and extract the possible C2s. Check them out: gist.github.com/X-Junior/58c68… github.com/X-Junior/Malwa…

Nasreddine Bencherchali (@nas_bench):

🧙‍♂️Introducing SigmaHQ GUI 🧙‍♂️

This tool was built specifically to easily create and update Sigma Security Content. Get started now and start exploring and creating rules -> sigmahq.streamlit.app

Read more about the tool in this release blog -> blog.sigmahq.io/introducing-si…

⚒️

Nasreddine Bencherchali (@nas_bench):

Another fun #lolbin based on code review.

Datacollector.exe is part of the Visual Studio test platform and ships with the dotnet SDK and Visual Studio installations.

TL;DR - The binary has a "Process.Start" call that we can reach to proxy execution through it by setting some

Nasreddine Bencherchali (@nas_bench):

Today we're releasing our first entry in a new monthly blog series we're calling - Tales Of Valhalla

nextron-systems.com/2024/03/05/tal…

Our aim is to highlight some of the more evasive threats we're following and seeing uploaded to VT with very low detection rate.

In this first entry we

Florian Roth ⚡️ (@cyb3rops):

In case you're interested in EQGRP malware, you should take a look at this memory dump of an SBZ implant uploaded from Panama today

Mohamed Ashraf and I wrote rules for it

virustotal.com/gui/file/f0285…

Florian Roth ⚡️ (@cyb3rops):

I wished everyone could see that not a single engine detected it when it was first uploaded 2 days ago and not only users with a VT Enterprise account

Mohamed Ashraf (@x__junior):

Check out my latest blog about Lynx ransomware and don't forget to check IDA DB if you’re interested in further research.😄

Mohamed Ashraf (@x__junior):

Cleo exploitation final payloads can be found at bazaar.abuse.ch/sample/989448c…; a quick walk-through of how I got them: gist.github.com/X-Junior/5cf5f…

Nextron Research ⚡️ (@nextronresearch):

We caught an APT29 sample a month before most AV engines even blinked

Sample: virustotal.com/gui/file/adfe0…

- Malware: WineLoader, used by APT29 (aka Cozy Bear)
- Based on Zscaler’s report, published Feb 27
- Our rule hit: March 13
- Upload from Iceland

Back then?
Only CrowdStrike

Florian Roth ⚡️ (@cyb3rops):

My team published detection content for the Notepad++ / Lotus Blossom activity - both the concrete post-compromise artifacts and more generic gup.exe updater anomaly hunting

Sigma
gup.exe anomalies
- uncommon DNS
- uncommon file drops
- suspicious child processes
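The three gup.exe anomaly classes named in the tweet above (uncommon DNS, uncommon file drops, suspicious child processes), as an added example that is not part of the tweet and is not Nextron's published Sigma content: a toy Sigma-style matcher (map semantics, `|contains`/`|endswith`/`|all` modifiers, `selection and not filter`) run over constructed Sysmon-like events. The expected updater path, the `notepad-plus-plus.org` update domain and the `npp.<version>.Installer` naming used in the filters are assumptions for the example and need tuning to a real environment.

```python
"""Toy Sigma-style matcher for Notepad++ gup.exe updater anomalies.

Added illustration, not Nextron's rules. Allow-lists are assumptions.
"""

# Constructed Sysmon-style events (not real telemetry).
# EventID 1 = process creation, 22 = DNS query, 11 = file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\npp.8.7.Installer.x64.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgA..."},
    {"EventID": 22, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "QueryName": "notepad-plus-plus.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "QueryName": "update-cdn.example.net"},
    {"EventID": 11, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\npp.8.7.Installer.x64.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\svchost.dll"},
]

# Rules written in Sigma's map style; condition is always "selection and not filter".
# The filters encode assumed benign behaviour of the updater (tune per environment).
RULES = [
    {"title": "gup.exe spawning an unexpected child process",
     "selection": {"EventID": 1, "ParentImage|endswith": "\\gup.exe"},
     # assumed benign child: the downloaded Notepad++ installer
     "filter": {"Image|contains|all": ["\\npp.", ".installer."]}},
    {"title": "gup.exe resolving an uncommon domain",
     "selection": {"EventID": 22, "Image|endswith": "\\gup.exe"},
     "filter": {"QueryName|endswith": "notepad-plus-plus.org"}},  # assumed update host
    {"title": "gup.exe dropping an uncommon file",
     "selection": {"EventID": 11, "Image|endswith": "\\gup.exe"},
     # assumed benign drop: installer written to the user's Temp directory
     "filter": {"TargetFilename|contains|all": ["\\temp\\", "\\npp."]}},
]


def _field_matches(value, pattern, mods):
    """Sigma string matching is case-insensitive; apply one modifier."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    return v == p


def _map_matches(event, selection):
    """Sigma map semantics: keys are AND-ed; a list value is OR-ed unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [_field_matches(event.get(field), p, mods) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def rule_matches(rule, event):
    """condition: selection and not filter (filter absent means no exclusion)."""
    if not _map_matches(event, rule["selection"]):
        return False
    return not _map_matches(event, rule.get("filter", {}))


def hunt(events, rules=RULES):
    """Return (rule title, event) pairs for every rule that fires on each event."""
    return [(r["title"], e) for e in events for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for title, ev in hunt(SAMPLE_EVENTS):
        print(f"[{title}] {ev}")
```

Run against the constructed events, the matcher fires three times: the PowerShell child of gup.exe, the DNS query for the non-update domain, and the DLL written to Roaming; the installer download, its DNS lookup and its file write are excluded by the filters. In a real deployment the same three filters are where false positives surface (proxy-redirected update hosts, custom install paths), so tune them before alerting.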