Word macro drops Emotet malware

SHA256 : 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29 I have downloaded word document for analysis from VirusTotal I checked file with Oletools to verify macro exist and is it auto executable. In below screenshot, it can be seen, the macro is present and auto executable. I opened word document and Enabled Editing. Views > Macros […]

Trojan- JS downloader

I have downloaded JS trojan downloader from VirusSign  to analyze behavior of this malware. It was a zip file INC_0987155124US_Apr_19_2019.zip and after extracting it, I got .js file. On opening JS file in notepad, i saw base64 obfuscated string. After obfuscation JS script, I found, this file has multiple sources/ […]

Word Macro backdoor Trojan

I came across this sample from one of Twitter post and immediately I downloaded this sample from virusbay.io  for analysis. First I used oleTools to analyse word macro. Macro will execute on opening file. It creates text file. It executes PowerShell command. it has base64 used to obfuscate the string. […]

Trojan malware – Microsoft Shortcut (LNK)

I downloaded this sample for malware analysis and change the extension to .LNK which is Microsoft Shortcut. Right clicked on file and navigated to shortcut and found that there is target is PowerShell embedded Below is PowerShell script which will drop another PowerShell script from the URL. URL is http[:]// […]

Microsoft Shortcut (LNK) trojan malware

I have downloaded this Microsoft shortcut malicious sample from Virustotal for analysis After downloading, I renamed as sample.lnk. (Microsoft shortcut extension .LNK) When I opened properties tab of this file, found below properties which clearly shows its now shortcut of any application but a PowerShell script which executed on opening. […]

Emotet malware analysis

VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c File Type: Microsoft Word Document Document Property: I have used Oletools to analyse word document properties and analyse content. This word document has VBA macros. After parsing word document using olevba, this tells, file has suspicious hex string and Base64 strings. And file has below macros, […]

HelpMe.exe malware

VirusTotal:  SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e Tools used for analysis: Ollydbg, WireShark, PEExplorer, I started debugging using Ollydbg. The first warning I received is “Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!” The executable […]