Unpack Sodin, no IDAPython required

Intro I see there is quite some interest around Sodin on OSINT pages, some have problems with unpacking the sample, others reverse and create complex IDAPython scripts to recreate the IAT. In this post, I'll demonstrate a quick and easy way to unpack this malware without losing time with scripting. IDAPython has it's benefits, but … Continue reading Unpack Sodin, no IDAPython required

The Torpig (aka Sinowal) bot

Intro: Welcome back, This morning I came across a variant of the Torpig bot (aka Sinowal) and since it's a beautiful Saturday morning I though it's a good opportunity to write a few word about it. I found the sample while hunting for stuff on VirusTotal and looks it was first submitted on 2019-01-08 13:54:40. Is … Continue reading The Torpig (aka Sinowal) bot

Windows event logging and Fileless attacks

Intro: Welcome back. I've been asked lately if I know any techniques to investigate fileless attacks using free tools and I shamefully replied with a "No". I wasn't aware of any free and good tools that can accomplish this task of logging PowerShell scripts, WMI commands, process creation , parent processes and command lines. Lately … Continue reading Windows event logging and Fileless attacks