WhisperGate part 1

Intro I see WhisperGate wiper gained some attention and figured it would be nice to write a few words about it and how to analyze it. The malware is composed of several stages. Stage 1 and Stage 2 are delivered to the victim machine, and stage 2 will unravel into multiple other stages. In this […]

Unpack Sodin, no IDAPython required

Intro I see there is quite some interest around Sodin on OSINT pages, some have problems with unpacking the sample, others reverse and create complex IDAPython scripts to recreate the IAT. In this post, I’ll demonstrate a quick and easy way to unpack this malware without losing time with scripting. IDAPython has it’s benefits, but […]

The Torpig (aka Sinowal) bot

Intro: Welcome back, This morning I came across a variant of the Torpig bot (aka Sinowal) and since it’s a beautiful Saturday morning I though it’s a good opportunity to write a few word about it. I found the sample while hunting for stuff on VirusTotal and looks it was first submitted on 2019-01-08 13:54:40. Is […]

Windows event logging and Fileless attacks

Intro: Welcome back. I’ve been asked lately if I know any techniques to investigate fileless attacks using free tools and I shamefully replied with a “No”. I wasn’t aware of any free and good tools that can accomplish this task of logging PowerShell scripts, WMI commands, process creation , parent processes and command lines. Lately […]

Fileless malware and WMI

Hello and welcome back. After a few weeks I managed to find time and write a new blog post. Someone suggested an article about fileless malware and here it is. The thing with fileless malware if that it runs completely in memory (if the name wasn’t obvious enough), thus it can evade security software that […]

Deobfuscating strings with IDAPython

Intro: A couple of weeks ago, I spotted a suspicious binary on VT, it then had only 11 hits and still has a valid digital signature. In this blogpost I’m going to demonstrate how to statically deobfuscate strings using IDAPython. Let’s play with it inside IDA. Reverse it: After opening IDA, one of the first […]

Debugging a DLL in x64dbg and Sync with IDA

Intro: Hello, This will be short post on how to debug an exported DLL function and also sync the addresses from the debugger with the ones shown in the IDA Pro tool. Unfortunately x64dbg has some missing features, one of them is the option to load a DLL and call an exported function. I don’t […]

Powershell 2 Shellcode Part I

  The hunt: I do my searches on VirusTotal for this blog. After a quick search I managed to find a cute sample to play with. The file is a piece of Windows Batch script, you can view it’s contents down bellow: Reverse it If you look closely you’ll rapidly see at the end of […]