This is a collection of our raw research notes. Each post is generated from a Jupyter Notebook that can be found in our GitHub Research repository. Notes may contain errors, spelling mistakes, grammar mistakes, and incorrect code. Please keep in mind these are all rough drafts. Pull requests are welcome!

Notes

• Go Stack Strings

  Researching a generic solution to decrypt these stack strings

  Sep 3, 2023

• Attack Crypter

  An open source travesty used to drop .NET stealers

  Aug 27, 2023

• LimeRAT

  Open Source gone wrong with this RAT

  Aug 17, 2023

• Golang Garble String Decryption

  Garble GO obfuscation string decryption

  Aug 3, 2023

• Bandit Stealer Garbled

  Garble GO obfuscation analysis

  Jul 31, 2023

• Glubteba

  Investigating this elusive GO loader

  Jul 24, 2023

• RootTeam

  Taking a look at this free GO stealer

  Jul 20, 2023

• Lobshot

  Lobshot a basic hVNC bot

  Jul 16, 2023

• Truebot

  Truely a simple malware leading to ransomware

  Jul 13, 2023

• Status Recorder

  Is this new stealer a fork of something we have seen before

  Jul 6, 2023

• Triage Malware Delivery Chain

  Walking the delivery chain from VBS to PS to DOTNET

  Jul 2, 2023

• XORSTR Generic String Decryption

  Writing a generic string decryptor for this open source library

  Jun 25, 2023

• RisePro Triage

  Investigating the link between RisePro and PrivateLoader

  Jun 15, 2023

• AMSI Bypass In The Wild

  Taking a close look at this asyncrat loader with an AMSI bypass

  May 28, 2023

• Metastealer

  DGAs and obfuscation as malware goes meta

  May 11, 2023