Noriben – Simple, Portable, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, press a key, and get a simple text report of the sample’s activities. The tool allows you to not only run […]

Noriben – A Python Based Sandbox For Malware Analysis

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In short, it allows you to run your malware and get a simple text report of the malware’s activities. The tool requires only Sysinternals procmon.exe (or procmon64.exe) to operate. Noriben is an ideal solution […]
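The Procmon-to-report workflow both Noriben entries above describe, as an added example in Python (not Noriben’s own code): it reads a Procmon CSV export, keeps only events from the sample’s process tree, drops noise and read-only file opens, de-duplicates, and groups what is left into a short text report. The CSV rows, PIDs, paths, the lab-vm hostname and the 203.0.113.7 address are constructed for the example; the noise list is a small stand-in for Noriben’s much longer allowlists, and the column names are assumed to match Procmon’s default CSV export.

```python
"""Noriben-style triage of a Procmon CSV export: keep only the sample's process tree,
drop known-noisy events, de-duplicate, and group what is left into a short report."""
import csv
import io
import re

# Constructed sample of a Procmon CSV export (default column set); not a real capture.
# 203.0.113.7 is a documentation address and lab-vm a made-up hostname.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","explorer.exe","1200","Process Create","C:\Users\lab\Desktop\sample.exe","SUCCESS","PID: 4100, Command line: ""C:\Users\lab\Desktop\sample.exe"""
"10:00:01.100","sample.exe","4100","CreateFile","C:\Users\lab\AppData\Roaming\svch0st.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.200","sample.exe","4100","WriteFile","C:\Users\lab\AppData\Roaming\svch0st.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:00:01.300","sample.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\lab\AppData\Roaming\svch0st.exe"
"10:00:01.400","sample.exe","4100","Process Create","C:\Users\lab\AppData\Roaming\svch0st.exe","SUCCESS","PID: 4212, Command line: ""C:\Users\lab\AppData\Roaming\svch0st.exe"""
"10:00:01.500","svch0st.exe","4212","TCP Connect","lab-vm:49812 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:00:01.600","svchost.exe","900","CreateFile","C:\Windows\Prefetch\SAMPLE.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write"
"10:00:01.700","sample.exe","4100","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.800","sample.exe","4100","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
'''

# Assumed noise list; Noriben ships far longer allowlists of this kind.
NOISE_PATHS = [re.compile(p, re.I) for p in (
    r"^C:\\Windows\\System32\\.*\.dll$",                           # library loads
    r"^C:\\Windows\\Prefetch\\",                                  # OS-generated prefetch files
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\",  # OS version lookups
)]

# Procmon operations worth reporting, grouped into report sections.
CATEGORIES = {
    "Process Create": "processes",
    "CreateFile": "files", "WriteFile": "files", "SetDispositionInformationFile": "files",
    "RegSetValue": "registry", "RegCreateKey": "registry", "RegDeleteValue": "registry",
    "TCP Connect": "network", "TCP Send": "network", "UDP Send": "network",
}
CHILD_PID = re.compile(r"PID:\s*(\d+)")   # child PID inside a "Process Create" Detail field


def parse_procmon_csv(text: str) -> list:
    """Rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(rows: list, root_pid: str) -> set:
    """PIDs of the root process and everything it transitively spawned.
    Procmon writes rows in time order, so one pass sees each parent before its children."""
    pids = {root_pid}
    for row in rows:
        if row["Operation"] == "Process Create" and row["PID"] in pids:
            m = CHILD_PID.search(row["Detail"])
            if m:
                pids.add(m.group(1))
    return pids


def interesting(row: dict) -> bool:
    """Successful events only, skip read-only file opens, and drop paths on the noise list."""
    if row["Result"] != "SUCCESS":
        return False
    if row["Operation"] == "CreateFile" and "Generic Write" not in row["Detail"]:
        return False
    return not any(p.search(row["Path"]) for p in NOISE_PATHS)


def triage(text: str, root_pid: str) -> dict:
    """Group the sample's de-duplicated activity into processes/files/registry/network."""
    rows = parse_procmon_csv(text)
    pids = process_tree(rows, root_pid)
    report = {"processes": [], "files": [], "registry": [], "network": []}
    seen = set()
    for row in rows:
        category = CATEGORIES.get(row["Operation"])
        if category is None or row["PID"] not in pids or not interesting(row):
            continue
        key = (category, row["Path"].lower())      # one line per path per category
        if key in seen:
            continue
        seen.add(key)
        report[category].append((row["Process Name"], row["PID"], row["Operation"], row["Path"]))
    return report


def render(report: dict) -> str:
    """Plain-text report in the spirit of Noriben's output."""
    lines = []
    for category, events in report.items():
        lines.append(f"== {category} ({len(events)}) ==")
        lines.extend(f"[{proc}:{pid}] {op}: {path}" for proc, pid, op, path in events)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(SAMPLE_CSV, root_pid="4100")))
```

Run against a real export, the same three filters do most of the work: restricting to the sample’s process tree removes the explorer.exe and svchost.exe rows, the noise list removes DLL loads and prefetch writes, and keying on path collapses the CreateFile/WriteFile pair for the dropped payload into one line, leaving the dropped file, the Run-key persistence and the outbound connection.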

Code of destruction – malware analysis

We should always think twice before running an unknown program downloaded from the Internet. Of course not every application is dangerous, but it’s all too easy to find a malicious program which will exploit our naivety – and that could cost us dearly. Let’s see how we can analyse the behaviour of an unknown program […]

MALWARE ANALYSIS – DRIDEX & PROCESS HOLLOWING

Lately the threat actors behind the Dridex malware have been very active. Across all the recent Dridex phishing campaigns the technique is the same: the Microsoft Office documents contain embedded macros that download a malicious executable from one of many hard-coded URLs. These hard-coded URLs normally point to websites owned by legitimate people. The site […]

ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it’s based on, indicating that it’s being actively developed. “The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection,” Zscaler ThreatLabz researcher Santiago Vicente said in […]

SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks

Cybersecurity researchers have shed light on the command-and-control (C2) server workings of a known malware family called SystemBC. “SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP,” Kroll said in an analysis published last week. The […]

Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. “While GuLoader’s core functionality hasn’t changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process,” Elastic Security Labs researcher Daniel Stepanic […]

Analysis and Config Extraction of Lu0Bot, a Node.js Malware with Considerable Capabilities

Nowadays, more malware developers are using unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend. By targeting a platform-agnostic runtime environment common in modern web apps and employing multi-layer obfuscation, Lu0Bot is a serious threat to organizations and individuals. Although the malware currently has low activity, […]

GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This downloader can evade detection by security software using a variety of techniques. While analyzing GuLoader’s shellcode, CrowdStrike discovered a brand-new anti-analysis technique through which researchers would be able to […]

Nerbian RAT: New malware with advanced anti-analysis and anti-reversing capabilities uses information about WHO and COVID-19 for its spreading

Proofpoint researchers report the detection of a new remote access Trojan (RAT) characterized by the use of multiple techniques and components to prevent analysis and reverse engineering. Identified as Nerbian RAT, this new malware is written in Go and leverages various encryption routines to evade detection. COVID-19 is still […]

Researchers Perform An Analysis on Chinese Malware Used Against Russian Government

Security researchers from the threat hunting and intelligence company Group-IB have revealed that in 2020, at least two espionage groups from China targeted the Russian Federal authorities. Chinese espionage groups are notorious for global cyber-attacks that target state agencies, research institutes, military contractors, and other agencies and institutions with espionage in mind. According to Group-IB, […]

AMIRA – Automated Malware Incident Response & Analysis

AMIRA is a service for automatically running the analysis on the OSXCollector output files. The automated analysis is performed via OSXCollector Output Filters, in particular The One Filter to Rule Them All: the Analyze Filter. AMIRA takes care of retrieving the output files from an S3 bucket, running the Analyze Filter and then uploading […]

PEframe – Tool To Perform Static Analysis On Malware

PEframe is an open source tool to perform static analysis on Portable Executable malware and generic suspicious files. It can help malware researchers detect packers, XOR encoding, digital signatures, mutexes, anti-debug and anti-virtual-machine tricks, suspicious sections and functions, and much more information about the suspicious files. Requirements: Python 2.7.x. Installation: to install from PyPI: # […]

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

A sophisticated Ursnif malware variant uses a manipulated TLS callback as an anti-analysis technique while injecting into a child process to change its entry point. TLS (Thread Local Storage) callbacks are provided by the Windows operating system for additional per-thread initialization and termination. A malicious TLS directory allows a PE file to include TLS callback functions that are executed prior to […]
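An added Python example (not PEframe’s code, and not from the Ursnif write-up) covering two of the static checks touched on above: the packer, anti-debug and anti-VM triage PEframe performs, and the TLS directory lookup that reveals callbacks which run before the entry point. It parses a PE32 header by hand, scores each section by Shannon entropy, walks the NULL-terminated AddressOfCallBacks array, and scans for tell-tale strings. The sample image is built in memory and is not a real binary; PE32+ (64-bit) images are not handled, and the 7.0-bit entropy threshold and the string list are assumptions.

```python
"""Static triage of a PE32 file: per-section entropy as a packer heuristic, TLS callbacks
(code the loader runs before the entry point), and tell-tale anti-debug/anti-VM strings."""
import math
import struct

# Assumed watch list; real tools carry far longer ones.
SUSPICIOUS_STRINGS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                      b"NtQueryInformationProcess", b"VMware", b"VBOX", b"SbieDll.dll"]
IMAGE_DIRECTORY_ENTRY_TLS = 9


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly distributed (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Image base, data directories and section table of a PE32 image (PE32+ not handled)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                                    # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    return {"data": data, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def tls_callbacks(pe: dict) -> list:
    """RVAs of the TLS callbacks: walk the NULL-terminated AddressOfCallBacks array."""
    if len(pe["dirs"]) <= IMAGE_DIRECTORY_ENTRY_TLS or pe["dirs"][IMAGE_DIRECTORY_ENTRY_TLS][0] == 0:
        return []
    tls = rva_to_offset(pe, pe["dirs"][IMAGE_DIRECTORY_ENTRY_TLS][0])
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks
    callbacks_va = struct.unpack_from("<IIII", pe["data"], tls)[3]   # absolute VA, not RVA
    off, found = rva_to_offset(pe, callbacks_va - pe["image_base"]), []
    while (fn := struct.unpack_from("<I", pe["data"], off)[0]) != 0:
        found.append(fn - pe["image_base"])
        off += 4
    return found


def triage(data: bytes) -> dict:
    """Packed-looking sections, TLS callback RVAs and suspicious strings for one file."""
    pe = parse_pe(data)
    packed = [s["name"] for s in pe["sections"]
              if entropy(data[s["rawptr"]:s["rawptr"] + s["rawsize"]]) > 7.0]
    return {"packed_sections": packed, "tls_callbacks": tls_callbacks(pe),
            "strings": [s.decode() for s in SUSPICIOUS_STRINGS if s in data]}


def build_sample_pe() -> bytes:
    """Constructed test image, not a real binary: .text holds a uniform byte pattern
    (packer-like), .data a TLS directory with two callbacks plus a few suspicious strings."""
    base = 0x400000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, base, 0x1000, 0x200)             # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x2000, 24)

    def section(name, va, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + coff + bytes(opt) + section(b".text", 0x1000, 0x200)
               + section(b".data", 0x2000, 0x400)).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2                                       # entropy exactly 8.0
    tls_dir = struct.pack("<IIIIII", 0, 0, base + 0x2030, base + 0x2020, 0, 0)
    callbacks = struct.pack("<III", base + 0x1100, base + 0x1140, 0)   # two callbacks, NULL end
    data = (tls_dir.ljust(0x20, b"\0") + callbacks).ljust(0x40, b"\0") \
        + b"IsDebuggerPresent\0VMware\0SbieDll.dll\0"
    return headers + text + data.ljust(0x200, b"\0")


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

The TLS walk is the part worth keeping on hand: an entry point alone says nothing about where execution really begins, so any callback RVA reported here deserves a breakpoint before the entry point when the sample is debugged. The entropy threshold is a coarse heuristic; compressed resources and certificate tables push it up without packing.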

EMOTET Malware Hijacking the Windows API & Evade the Sandbox Analysis

The widespread EMOTET malware is emerging again with new stealthy capabilities to hijack the Windows API and evade sandbox detection, which also makes malware analysis more painful. A previous feature called RunPE was used to hide the malware inside a legitimate process to evade security scanners and inject its code into a Windows executable process. In […]

Detailed threat analysis of Shamoon 2.0 Malware

Our previous post gave an initial overview of the Shamoon 2.0 sample. This analysis is a continuation of our last post, with more insight into the working and behavior of the malware. There are three components, linked with one another, which together make up the single Shamoon 2.0 malware. We have analyzed each […]