A Blog about malware and file formats

All articles for category: malware analysis
Writing a Qakbot 5.0 config extractor with Malcat

Fri 16 February 2024
Starting from a (backdoored) MSI installer, we will unroll the infection chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.
LNK forensic and config extraction of a cobalt strike beacon

Thu 11 August 2022
Windows shortcut files can contain valuable data. We will see how to extract the most information out of a .lnk downloader and will manually extract the configuration of the final Cobalt Strike beacon using Malcat.
Reversing a NSIS dropper using quick and dirty shellcode emulation

Sun 17 April 2022
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
Cutting corners against a Dridex downloader

Sun 13 March 2022
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an Excel downloader and the following obfuscated native dropper without (much) reverse engineering.
Exploit, steganography and Delphi: unpacking DBatLoader

Tue 07 December 2021
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload.
Statically unpacking a simple .NET dropper

Mon 16 August 2021
Our target is a two-layer .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the Python scripting engine.