Blog

DBatLoader/ModiLoader Analysis – First Stage

Reversing the First Stage: I don’t typically reverse engineer Delphi binaries, as most of the malicious software written in Delphi is actually a wrapper/packer for the main payload, which is written in something like C/C++. However, scrolling through Twitter one day, I noticed @abuse.ch replying to a tweet about a somewhat unknown loader currently spreading …

De-crypting a TrickBot Crypter

Introduction: TrickBot has used its own crypting service for some time now, and it has been updated frequently. The latest version uses RC4 with a twist, and it is also a good example of writing a simple unpacker while being forced to analyze a slightly modified encryption routine. Static Analysis …

Dealing with Obfuscated Macros, Statically – NanoCore

Author: Zero2Automated Course Team (theory from courses.zero2auto.com). When analyzing maldocs, you will mostly be dealing with obfuscated macros, and until a new vulnerability (or “feature”) is discovered and exploited, that is unlikely to change. It is therefore important to know how to analyze these macros both statically and dynamically. Dynamic analysis is by far the …

Netwalker Ransomware – From Static Reverse Engineering to Automatic Extraction

Author: Zero2Automated Course Team (preview from courses.zero2auto.com). Netwalker ransomware has been around since at least 2019* and has recently been in the news following a TrendMicro report detailing it being delivered embedded in a PowerShell script[1]. We will briefly go over how to recover the DLL files from the first script; it contains a large …
