Discover and read the best of Twitter Threads about #shellcode

Most recents (3)

A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.

There are 11 exported functions here. 🧐

Most of them have junk names to throw off analysis.

One of them is "real", the rest are "decoys" which don't do anything if executed.
Read 14 tweets
#apt37 #goldbackdoor #loader active #C2
- SHA256: bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
- C2: hxxps://dallynk.com/wp-sup3
- Encoded Child SHA256: a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
- Child Endpoints (possibly google api key): hxxps://dallynk.com/4332.hwp, hxxp://asplinc.com/xe/modules/page/queries/query_read.dsql, hxxp://www.bsef.or.kr/board/upfile/bbsB/166737125620120323174332.hwp
- Endpoints appear to be compromised.
- All 3 endpoints download same SHA256: 5b1536c4ca22bc202543afea51279c78fa6033b393e86f2b97750ddfd4d8b263
- Decoded Child contains embedded 3 encoded (simple xor) modules, #shellcode loader/#infostealer/#keylogger
Read 3 tweets
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.

We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.

A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.

My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot interesting here, but take note that the file a 64-bit .dll with 4 exported functions.
Read 23 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!