Author Archives

Anurag

Hi, I’m Anurag, working as an Application Infrastructure Implementation Consultant in Singapore. My work involves, but is not limited to, Windows Servers, Active Directory, DNS, DHCP, Networking, Virtualization, SQL Server, SharePoint, and Dynamics CRM.

Actively looking for an opportunity as a Malware Analyst.

My drive toward professionally transitioning to a Malware Analyst/Researcher role urged me to work on malware samples and write blog posts about them.

Word Macro Malware Analysis


Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836 Sample Download Source: beta.virusbay.io File Type: Microsoft Word Document File Format: .doc VirusTotal Score: 32/62 Document Preview: File Property: cmd> olemeta.py <filename> Document Macro Analysis: cmd> olevba.py -a <filename> The Document_Open macro executes on opening the document. The first thing I tried was to access the macro. By default it was […]

Excel 4.0 macro Trojan Downloader – Malware Analysis


Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c Sample Download Link: beta.VirusBay.io Application Name: Microsoft Excel File Type: xls VirusTotal Score: 29/60 I came across this sample on VirusBay.io. I downloaded this malicious Excel file on my VM for malware analysis. OLEVBA.py The first thing I did was analyze the VBA macro source code in the Excel file using […]

PDF malware analysis


Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0 Download sample link: Here File type: PDF VirusTotal score: 27/54 PDF Document Preview PDFiD I have used the PDFiD tool to analyse the header of the PDF file. I observed that the file contains 24 URLs. The next step is to extract the URLs from the document. I will use two tools here […]

Trojan Agent Tesla – Malware Analysis


Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family: Agent Tesla Downloaded Sample Link: Click here Signature: Microsoft Visual C# v7.0 / Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steals browser information (URLs, usernames, passwords). Steals passwords for email clients. Steals FTP client passwords. Steals download manager passwords. Collects OS and hardware information. Browser Information: […]

Password stealer Trojan – Malware Analysis


Hi Visitor, I got this sample of malware shared on VirusBay. Sample below: SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad Signature: Microsoft Visual C# v7.0 / Basic .NET, and it’s a Windows Forms application. Upon execution, this file drops the two files below at the location C:\Users\<UserProfile>\AppData\Local\Temp\ Dropped files: C:\Users\<UserProfile>\AppData\Local\Temp\FB_2C02.tmp.exe C:\Users\<UserProfile>\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server) Upon execution of this file, […]

Trojan dropper bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3


SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3 I downloaded this sample from Malshare. I started decoding the PE hex to a text file and found that the PE file has another file embedded in it, which will be dropped on execution. Filename: help.exe SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4 It also drops Autoexec.bat.exe and Autoexec.exe files at the C:\ location. (But it didn’t […]

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808 Download link – VirusTotal I downloaded this Word document and checked whether a macro was present and whether it auto-executes on opening the document. Yes, it does, and it has obfuscated strings too. I opened the document and navigated to > View > Macros > View Macros > selected “autoopen” > […]