UnpackIt: Dridex

Unpacking Malware: Dridex

Dridex is a malware family that has long targeted the financial sector in attempts to steal user credentials and compromise individuals. It targets individuals by sending phishing emails with Microsoft Office-based attachments embedding malicious macros, which download an additional payload and attain the authors' objectives. Since the first-stage Dridex payload is typically packed, we'll uncover how to unpack it and continue with analysis of the subsequent stages.

Acquiring the Malware Sample

Here's the hash of the malware sample we'll be using for the unpacking:...

January 20, 2022 · 5 min · Syed Hasan

MalDoc Analysis: Cheeky HTA Loader

Let's dig into a (potentially) malicious document and see what indicators it navigates us to.

Hash                                                              Name
499b2d5a07fbcfbc8a6ec124c14efde7                                  ordain-08.21.doc
fedbbc359e03b17bd7866a31283c3ff87cc693e4                          ordain-08.21.doc
331742a3835a6634e1331be491a789f7e5ddcefc6a30b7965dbf970d214b36d4  ordain-08.21.doc

Download: You can acquire this sample from MalwareBazaar.

Initial Analysis

Let's first unzip the file with MalwareBazaar's standard password: infected [PS: I'm going to rename the file for sanity's sake]. Once done, we can check to see what file type we're dealing with: file Ordain....

September 2, 2021 · 5 min · Syed Hasan