Recently, we observed a high number of users been infected by Lumma Stealer. Upon investigating, we observed that the user been infected thru same vector; “Clickfix” infection chain. The attack…
The Challenger Recently Malcore.io post at X/Twitter a reversing challenges. The is related to script that is hosted here – https://raw.githubusercontent.com/Internet-2-0/file-samples/master/scripts/powershell/stacy.ps1 Dive! Dive! Dive! At first glance, we saw what…
Dealing with obfuscated scripts is an everyday challenge as an Incident Handler/Responder. These scripts, often looks like gibberish/unrecognize strings is actually codes wrapped in layers of encryption and obfuscation, aim…
It started with a person in one of Telegram group that I’ve joined; asking help to reverse the code given & explains what the code does. The code as follow:…
As usual, start your CTF by read the question/description that indeed “very helpful” XD Download the “evidence.zip” & extract it. You’ll get the folders like below: So I randomly checked…
As usual, real the description given. It says that “a file” been “transferred” to another “internal computer“. So we know that this might involving traffic between 2 internal IPs. Download…
Recently, we have host machine that been infected with QBot/QakBot. Upon investigation, we found that it added a registry with some random name. Based on Googling, I found this article…
Intro When you open a password protected zip archive using Windows Explorer (“Extract All…”); in Windows 8.x/10, the password is automatically cached in the Credentials Manager for the life of…
Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.…
There is no excerpt because this is a protected post.
zam