LokiBot be like…

We will analyze LokiBot.

Summary


BazarCall be like…

We will analyze BazarLoader.

Summary

BazarLoader (also written BazaLoader) is a backdoor Trojan designed to collect sensitive information, take control of the infected machine, and deliver additional malware to it. The malware has been identified as part of the Team9 malware family, which is tied to the group responsible for developing Trickbot.

In the recent campaign, it uses a combination of phishing email and a call center to pressure the victim into downloading a malicious document as the initial infection vector.


Buffed up InfoStealer…

We will analyze Vidar Infostealer, specifically its infostealing capabilities.

Summary

Vidar is an infostealer distributed through phishing email attachments, cracked versions of commercial software, or keygen programs.

Vidar is known to steal the following information from infected machines.

  1. Text files
  2. Browser cookies
  3. Browser histories
  4. Cryptocurrency
  5. MFA data

Our sample of this malware drops quite a few executables, not all of which we will cover. In this analysis we will go over b7j26HFyAZ.exe (the main executable), metina_3.exe, and metina_4.exe.

Hands On Analysis

As always, we will conduct this analysis in our VMware Windows 10 guest box with the following tools.

  1. IDA Freeware

Breaking my spirit…

In this analysis, we will go over the anti-analysis techniques used within this Dridex sample.

Dridex

Dridex is a Banking Trojan originally found around 2014. The malware is known to be constantly evolving through the addition of new features and upgrades. Because of these constant updates, it is known as one of the most sophisticated malware families.

Summary

One of the infection chains Dridex is currently known for is outlined below.

  1. Victim receives a Phishing Email with a malicious Microsoft Office document attached. The document type varies.
  2. Victim opens the attached file and proceeds to “enable content”, which triggers the malicious macro.

In this analysis, we will go over what I saw in my recent deep dive into njRAT.

njRAT

njRAT, also known as Bladabindi, is a Remote Access Trojan (RAT) known for its infostealing capabilities. njRAT is easily accessible malware that is widely used within the malware community.

Summary

njRAT’s general infection flow is summarized below.

  1. Victim receives a Phishing Email with a malicious Microsoft Office document attached. The document type varies.
  2. Victim opens the attached file and proceeds to “enable content”, which triggers the malicious macro.
  3. It creates a C2 connection, then proceeds to download a PowerShell script if the C2 server is…


In this analysis, I will show what I saw in my hands-on analysis of the malware. I’m still a novice in malware analysis, but I’m hoping the things I see in this analysis can help other fellow analysts who may be starting out just like me.

Qakbot

Qakbot first became known as a Banking Trojan, mostly for credential stealing. However, in the recent campaign from 2020, the malware was used more for post-exploitation deliveries such as Cobalt Strike. The usage is very similar to what we saw with Emotet and other modular malware.

Summary

Qakbot’s infection flow is summarized below.

  1. Victim receives…

Gorilla Rage

#MalwareAnalysis #ReverseEngineering #Gorilla
