Posts

Showing posts from February, 2025

Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging

Summary

I have recently noted that APT28 conducts cyber espionage against diplomatic relations in Central Asia and Kazakhstan. The report from sekoia.io, whose third part covers the HATVIBE and CHERRYSPY infection chain and relates to another report from CERT-UA, drew my attention to the extension. That sample is heavily obfuscated, so for this analysis we will focus on a deep dive with x32dbg debugging.

Technical analysis

The sample hash:
md5: d0c3b49e788600ff3967f784eb5de973
sha256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Format: plain text

Opening it with Notepad++ and seeing the .hta file extension, it is apparent that the script was heavily obfuscated. This kind of obfuscation is often used in malicious scripts, such as malware or spyware, to make the code harder to understand or reverse-engineer, to hide its true intention, and to evade detection.

Fig.1-.hta heavily ...

APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection

Summary

From open and public intelligence, the Sandworm Team is a destructive threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455. This group has been active since at least 2009.

This report covers a new finding of an ASPX web shell in 2024.04. Such a shell was relatively rare for the Sandworm Team, which signals a new tendency, shared with other APT groups, to pay more attention to web security: opening an entry point from the web and establishing persistence with a web shell as a backdoor.

Technical analysis

The sample md5: 7c33812c068c79190554b797dfd46629

The web shell is very simple but powerful: it can execute system commands, create a new Windows Firewall rule, upload and download files, write text content to a file, list files in a table, read files, and delete files and directories recursively.

Figure1-the main functio...

APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection

Summary

ValleyRAT is a remote access Trojan used by the Silver Fox threat organization. I did threat hunting and found a lot of samples, but here I analyze just one of them.

Technical analysis

ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14
Portable executable for 80386 (PE)

Figure1-basic info

Release malware and decoy

ValleyRAT drops both the Trojan “moomoo x64.exe” and the decoy UUU.pdf into the directory “%LocalAppData%\Temp\”, and at the same time starts a browser process, an IE browser like msedge.exe, to open UUD.pdf. The decoy is meant to draw the victim's attention and cover the real motivation: the PDF content is written in Japanese and explains how to invest in the stock market, which suggests the attacker is focused on specific potential victims. In the background it also starts another Trojan process, “moomoo x64.exe”.

Figure2-Stock market guide

The traffic between client and server

When the process of “moomoo x64.ex...

The ransom group d0glun, is it hidden threat or just for fun?

Summary

The ransomware d0glun below was first submitted on 2025-01-16; it is worth paying more attention to because the assessment of its motivation is low confidence.

Analysis

The details of the D0glun ransomware are as follows: it displays the private information “QQ424714982 TG@CXL13131,” the product name is 8180VPN, and the product version is 1.0.0.0.

Figure1-Details of file

A warning text file is displayed on the desktop, telling the victim the date and time they were infected by the ransomware.

Figure2-a warn text on the desktop

On the screen, a text ransom note tells the victim which types of files will be encrypted (this differs from other ransom groups), how to recover and contact the attacker, and leaves the address of the dark site, but without demanding any bitcoin.

Figure3-ransom notes

Different types of files use different suffixes, which are not very common.

Figure4-different suffix

The other windows are used for decryp...