estrellas

@BlinkzSec This is likely APT-C-36/Blind Eagle.

Let's now take a look at the .bat file. #malware sha256:dbe95eb55c806cad0b0914da8a5003cb464e23a4c8c8289c97d514be76823f24 bazaar.abuse.ch/sample/dbe95eb… This uses a kind of set/goto obfuscation. In the end, a PowerShell script comes out of it.

✊

@0x6D6172636F I'd take the advice

🫠

@killandy01 ❤️

@bugfireIO @0x6D6172636F Yes it is! youtu.be/DtDYEdRLiYk?si…

@0x6D6172636F Is it a publicly available podcast? Would definitely take a listen.

weekly podcast appearances are now by far the most stressful part of my job lol. how do people do this for a living. i sound like a cartoon character.

@belabs_james Appreciate the feedback! Do you have any resources on doing so? I've also been thinking about implementing value tracking for tail call detection purposes.

@CryptDeriveKey Neat. Careful with that ‘is_stack_access’ function though. That segment is not useful on x64, and certainly does not indicate stack access. You’ll need real value tracking across the whole cfg to implement a function like that.

Lately I've been working in my very own binary lifter... As part of the documentation process, I decided to write a few words about my implementation of static recovery of a given function's control flow graph. Hope you enjoy it! deobfuscation.club/blog/on-static…

@netspooky Pyarmor's BCC mode transpiles python to C, producing an ELF afterwards (even for Windows applications). The ELF can also be a wrapper around GNU Lightning (JIT assembler) if certain options are marked in the obfuscation process

What's the most unexpected or interesting place you have seen the ELF format used? Especially non-Linux use cases (eg Firehose programmers)

@jsrailton @Mandiant that is not new

NEW: 🇰🇵DPRK has begun hiding malware on blockchain. Result, decentralized, immutable malware. Nearly impossible to remove. Research by @Mandiant

@daltsec @thefinalfl46498 oh lmao that's indeed me

@thefinalfl46498 ma guy @CryptDeriveKey

@vmfunc I am sorry :(

my cat just died

Additional info on the Fancy Bear kit being reported on. Cheers to @Laughing_Mantis for writing backdoors so good that APTs plagiarize it. kroll.com/en/publication…

My latest analysis of #XWORM's new delivery method just got published! You can read it at: kroll.com/en/publication…

@vector35 @RussianPanda9xx Mostly these. They are: Search options (text, byte pattern, imm), Segments view, Graphs editor (zoom, fit to window, proximity browser), Graphs view (XREFs, Function calls), and "Windows management" (Imports, Exports, Strings)

@CryptDeriveKey @RussianPanda9xx Which icons in the toolbar do you use most often? Have you tried using the command-palette as an alternative? Variable naming is good feedback -- definitely something we can change to make the transition easier.

What is your preferred disassembler tool? I MUST KNOW

@vector35 @RussianPanda9xx Ooh! Exactly like this! Thanks!

@CryptDeriveKey @RussianPanda9xx Lack of brackets? Like this? Or something else?

@vector35 @RussianPanda9xx I am honestly not a big fan of the r64_N syntax for variables, the lack of icons for functionalities, as well as not having brackets😅... But I do appreciate being able to go through many different IL's, and IL forms

@CryptDeriveKey @RussianPanda9xx Are there features you find yourself missing from the UI in BN? Or workflows you haven't been able to recreate?

@leandrofr0es Very well deserved! Keep at it!

Some career news: some weeks ago I decided to move to a new path and try a kind of hidden dream I have since years. Instead of malware research and RE now I’ll be doing windows development and research in both user and kernel. 🥹

@0x6D6172636F eating like a king huh

Non Appetít