Manual analysis of new PowerSplit maldocs delivering Emotet

Wow. It's been a long time since my last blog post (~ 2 years). The new year has inspired me to dust off some cobwebs and produce a blog post that hopefully someone can learn from. In this post, I'll be covering how to perform manual analysis of the new PowerSplit malicious documents (maldocs) that … Continue reading Manual analysis of new PowerSplit maldocs delivering Emotet

String Hashing: Reverse Engineering an Anti-Analysis Control

String hashing is a method employed by malware authors to disguise strings that are critical to its (stealthy) execution such as library, function and/or process names. Being able to determine what these hashes represent can aide malware researchers in developing more robust anti-anti-analysis techniques, technologies, and detections. To be clear, hashes are one-way; meaning that … Continue reading String Hashing: Reverse Engineering an Anti-Analysis Control

PSDecode Update: New-Object override + Actions output

After I published the first iteration of PSDecode, my next goal with the tool was to figure out how to override methods within system classes typically used by malware authors, such as System.Net.WebClient.DownloadFile(). This proved to be a bit more difficult than anticipated (read: likely impossible), so I had to explore alternative approaches. New-Object Primer The approach … Continue reading PSDecode Update: New-Object override + Actions output

AutoIt Malware: From Compiled Binary to Plain-Text Script

AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware, that AutoIT's website has a wiki article that "addresses" the fact that the legitimate AutoIt binary is often detected as malicious by AntiVirus.

In this post, I will not be going into end-to-end analysis of any one sample. Unfortunately, there are way too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script.

Defeating the VB5 Packer

In this post, I provide step-by-step instruction on how to unpack an executable that has been packed with a VB5 Packer. I will also cover the bypassing of multiple anti-analaysis controls that were implemented by the packer. The result is a fully functional unpacked executable.