Recently, we observed a high number of users been infected by Lumma Stealer. Upon investigating, we observed that the user been infected thru same vector; “Clickfix” infection chain. The attack…
The Challenger Recently Malcore.io post at X/Twitter a reversing challenges. The is related to script that is hosted here – https://raw.githubusercontent.com/Internet-2-0/file-samples/master/scripts/powershell/stacy.ps1 Dive! Dive! Dive! At first glance, we saw what…
Dealing with obfuscated scripts is an everyday challenge as an Incident Handler/Responder. These scripts, often looks like gibberish/unrecognize strings is actually codes wrapped in layers of encryption and obfuscation, aim…
It started with a person in one of Telegram group that I’ve joined; asking help to reverse the code given & explains what the code does. The code as follow:…
As usual, start your CTF by read the question/description that indeed “very helpful” XD Download the “evidence.zip” & extract it. You’ll get the folders like below: So I randomly checked…
As usual, real the description given. It says that “a file” been “transferred” to another “internal computer“. So we know that this might involving traffic between 2 internal IPs. Download…
Recently, I got an incident related to Windows Defender detected & quarantined file related to some backdoor. The MDE alert details show something like this: Usually, we go with the…
Recently, I saw a person asking question on one of Telegram group that I’ve joined. The person said that if anyone know what kind of request is this. The person…
Recently, we have host machine that been infected with QBot/QakBot. Upon investigation, we found that it added a registry with some random name. Based on Googling, I found this article…
Intro When you open a password protected zip archive using Windows Explorer (“Extract All…”); in Windows 8.x/10, the password is automatically cached in the Credentials Manager for the life of…
zam