Posts

Showing posts from January, 2021

New VBS Downloader variant observed

Update February 11, 2021: This appears to be a Danabot downloader. I ran across the following sample: https://www.virustotal.com/gui/file/d2d729f364e3232e22746fd6520caefff465e2ae605e6429205793db37088a27/detection After grabbing the downloaded executable from the link in the VBS, I ran it through a sandbox. https://app.any.run/tasks/1cc898a5-c0b1-413f-86b1-3dedd259c191/ Today I saw another one, and here is that sandbox run: https://app.any.run/tasks/8173f683-8629-405a-b074-c3d1a44e04db

Quick post on this. I've run across a variant of a VBS downloader that does not appear to have a lot of detection, and I can only find a few other similar samples. There appear to be junk comments to throw off analysis and AV detection, but otherwise it's fairly easy to follow. Here is a screenshot: As you can see, this downloads another file, which appears to be placed in "programdata" and registered using regsvr32. The couple samples I've worked ...

Solarmarker aka Jupyter Infostealer Update January, 2021

Updated January 8, 2021 (added additional lure observations at bottom). This is just a short, quick update. It would appear that the initial vector has changed. CDN.shopify.com and Sites.Google.com no longer seem to be hosting these redirects/PDF files which contain redirects. However, after hunting on the icon hash in VirusTotal, I ran across another 100MB+ file with the PDF icon hash. The file used a similar naming convention to other observed samples in the past, containing the following: "rent-check-bounced-letter". Doing a quick Google search for "rent-check-bounced-letter" gives me the results. The link for this is "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter". Running this in my lab showed the same style of selecting "PDF" or "Doc" for download, which then led to a series of redirects to the EXE file. I have not been very successful running these on App.Any.Run... Here is the following attempt. https:...

Quasar RAT Activity January, 2021

Over the last couple of days of this new year, I've seen a couple of Quasar RATs come across my path, so I decided to highlight some of the analysis here. The first sample I'm looking at is invoice.iso (8fc2bdfaf329c652090d6bcd2f88b764). As you can see from the app.any.run link, this ends up dropping and executing a simple VBS file. Clearly, we see that this attempts to use "MSHTA" to navigate to the minpic[.]de link pictured above. This results in the following PowerShell script, cleverly disguised as a JPEG file. When we run a simple base64 decoding against this, we get another URL in the minpic[.]de domain called by PowerShell: hxxps://www.minpic[.]de/t/be5r/18jv5z. When we look at this page, we see yet another PowerShell script which again references another link in the minpic[.]de domain! When we look at this URL, we find a page that contains a whole bunch of hex code! The previous PowerShell script, which references this page of hex code, als...