Introduction: Snake Ransomware (or EKANS Ransomware) is a Golang ransomware which in the past has affected several companies such as Enel and Honda. The MD5 hash of the analyzed sample is ED3C05BDE9F0EA0F1321355B03AC42D0. This sample in particular is obfuscated with Gobfuscate, an open source obfuscation project available on GitHub. Let’s start by quickly summarizing the functionality of the […]
This post is a follow-up to the last one on BAZARLOADER. If you’re interested in how to unpack the initial stages of this malware, you can check it out here. In this post, we’ll cover the final stage of this loader, which has the capability to download and execute remote payloads such as Cobalt Strike and Conti ransomware.
BAZARLOADER (aka BAZARBACKDOOR) is a Windows-based loader that spreads through attachments in phishing emails. In this initial post, we will unpack the different stages of a BAZARLOADER infection that comes in the form of an optical disk image (ISO) file. We will also dive into the obfuscation methods used by the main BAZARLOADER payload.
MATANBUCHUS is a loader-as-a-service that is used to download and launch malware on victim machines. It has been observed that the loader spreads through malicious Excel documents. In this post, we will focus on analyzing the latest loader DLL instead of the whole infection chain.
This post is a follow-up to my last one on HANCITOR. If you haven’t checked it out, you can view it here. In this post, we’ll take a look at the main loader of this malware family, which is used for downloading and launching Cobalt Strike Beacon, information stealers, and malicious shellcode.
HANCITOR (aka CHANITOR) is a prevalent malware loader that spreads through social engineering in the form of Word or DocuSign® documents. The infected document includes instructions for the victim to manually allow the malicious macro code to be executed. The HANCITOR executable payload dropped by the macro code is used to download other malware on […]