[SANS ISC] Diving into Malicious AutoIT Code

I published the following diary on isc.sans.edu: “Diving into Malicious AutoIT Code”: Following yesterday's diary, I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not aware of AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. If

[The post [SANS ISC] Diving into Malicious AutoIT Code has been first published on /dev/random]


[SANS ISC] Malicious Powershell using a Decoy Picture

I published the following diary on isc.sans.edu: “Malicious Powershell using a Decoy Picture“: I found another interesting piece of malicious PowerShell while hunting. The file size is 1.3MB and most of the file is a Base64-encoded PE file. You can immediately detect it by checking the first characters of


[SANS ISC] Malicious DLL Loaded Through AutoIT

I published the following diary on isc.sans.org: “Malicious DLL Loaded Through AutoIT“: Here is an interesting sample that I found while hunting. It started with the following URL: hxxp://200[.]98[.]170[.]29/uiferuisdfj/W5UsPk.php?Q8T3=OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5 The value of the parameter (‘OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5’) is used as the key to decode the first stage. If you don’t specify it,


[SANS ISC] Malicious AutoIT script delivered in a self-extracting RAR file

I published the following diary on isc.sans.org: “Malicious AutoIT script delivered in a self-extracting RAR file“. Here is another sample that piqued my curiosity. As usual, the infection vector was an email which delivered some HTML code in an attached file called “PO_5634_780.docx.html” (SHA1:d2158494e1b9e0bd85e56e431cbbbba465064f5a). It has a very low VT

