I published the following diary on isc.sans.edu: “Quick Analysis of an Encrypted Compound Document Format“: We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, it’s always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word
Category: Malware
[SANS ISC] Keep an Eye on Command-Line Browsers
I published the following diary on isc.sans.edu: “Keep an Eye on Command-Line Browsers“: For a few weeks, I’m searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type
[SANS ISC] Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript
I published the following diary on isc.sans.edu: “Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript“: I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script
[SANS ISC] Complex Obfuscation VS Simple Trick
I published the following diary on isc.sans.edu: “Complex Obfuscation VS Simple Trick“: Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection. The Emotet malware family does not need to be presented. Very active for years, new waves of
[SANS ISC] Quick Malicious VBS Analysis
I published the following diary on isc.sans.edu: “Quick Malicious VBS Analysis“: Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via
[SANS ISC] “Lost_Files” Ransomware
I published the following diary on isc.sans.edu: ““Lost_Files” Ransomware“: Are good old malware still used by attackers today? Probably not running the original code but malware developers are… developers! They don’t reinvent the wheel and re-use code published here and there. I spotted a ransomware which looked like an old one… [Read
[SANS ISC] Agent Tesla Trojan Abusing Corporate Email Accounts
I published the following diary on isc.sans.edu: “Agent Tesla Trojan Abusing Corporate Email Accounts“: The trojan ‘Agent Tesla’Â is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP. I found a
[SANS ISC] Rig Exploit Kit Delivering VBScript
I published the following diary on isc.sans.edu: “Rig Exploit Kit Delivering VBScript“: I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the
[SANS ISC] PowerShell Script with a builtin DLL
I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution
[SANS ISC] Private IP Addresses in Malware Samples?
I published the following diary on isc.sans.edu: “Private IP Addresses in Malware Samples?“: I’m looking for some samples on VT that contains URLs with private or non-routable IP addresses (RFC1918). I found one recently and it made me curious. Why would a malware try to connect to a non-routable IP