Pinned
Squiblydoo
2,026 posts
Creator of Debloat and CertGraveyard.org
Support: ko-fi.com/squiblydoo
Join the Debloat/CertGraveyard discord: discord.gg/dvGXKaY5qr
- Bloated malware tends to be 400 - 900 MB to prevent sandbox analysis. My tool doesn't care: it cuts out the bloat. The tool is a GUI and does all the work for you. I expect it to work in 5/6 cases; send me cases where it fails. Debloat:
- Replying to @optionvalue @Zippy751388 and 2 others: Also the sequel: The New Way Things Work
- Malcat has helped me understand Portable Executables more than any other tool or documentation I have found. I wanted to share how I use it so I wrote this blog post. I'd love to hear if you try out the tool for yourself.
- The driver is signed, it can't be bad, right? 5b2c47e72ced27ad61117c9dd2e963ca
- Clickfix -> executes MSI in memory -> uses curl to drop signed payload into C:\Public\. Signed by the well known Kyrgyzstani company "Tim Instruments Limited Liability Company"; oh, I guess maybe not well known. 58995e4bf1318a44d775d7b273de4933
- Cert Central .org is live! We track and report abused code-signing certs. By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view. Want to get more involved? Check out the Training and Research pages to learn more. 1/2
- It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by #Solarmarker malware to learn more.
- File is named "helderpassport.exe" and signed by UBUNTU CONSORTIUM (PTY) LTD (4dfbcca0441d00cab3298c404fbad7949979b697aa8cf685835d87a808d91d5f). But is it bad? Tried two sandboxes. No execution. My easy next step is using #malcat. First sus indicator: it uses a PDF icon. 1/7
- Again recommending my fun VirusTotal course on @KC7cyber: kc7cyber.com/modules/VT101 It covers basics I've not seen elsewhere to empower analysts. Example: Signed File has 0/72 score virustotal.com/gui/file/496b7… Is it benign or not? How can we quickly come to a conclusion? /1
- 700MB signed Lumma uploaded to MalwareBazaar. (Too big for VirusTotal.) To my amusement, someone had already used my debloat tool, deflated it to 12MB, and uploaded it to VT 6 days ago. Thanks to everyone who shares my tool; I hope even more people will use it. :) 🔗 in comment
- I made it to #BlackHatUSA in my own way. If it's too small to read, it says: [1] squiblydoo.blog/2024/05/13/imp…
- Replying to @pergardebrink and @cyb3rops: It's the right-to-left override character (attack.mitre.org/techniques/T10…). This is a nice variation though.
- #BATLOADER changed from using MSI files to using JS files. C2: installationupgrade6[.]com Execution looks like this: Wscript.exe InstallerV71.0.js cmd.exe b1.bat, b2.bat, b4.ps1, c1.exe, c2.exe, c3.exe MB: bazaar.abuse.ch/sample/61e0926… VT: virustotal.com/gui/file/61e09… @JAMESWT_MHT