Posts

Showing posts from 2022

Following a suspicious padded executable over the past week; appears to be the Astaroth Brazilian banking trojan.

It's been a while since I've posted anything, but this is genuinely interesting to me and I want to put it out there. I have been using a "hunting query" in VirusTotal to look for:

    imphash:9cbefe68f395e67356e2a5d8d1b285c0 size:140MB+

I use this primarily to look for some known patterns in the recent solarmark campaign; however, it has recently been picking up a number of other large padded files. Examples:

IDfac-t.165.j0.exe: 2045ce1f72fab0c0de425d10308afcd4 (390MB+)
IDfac-t.165.j0.exe: 9c10c074275f038aeaff06455d7425f1 (389MB+)
PDF-Notafiscal-avqlz-07382-TGJKC.exe: dff097514b96ab3f3ef1899091ac31eb (282MB+)

I've pulled a few of these and run them through app.any.run. Here are some of the results:

https://app.any.run/tasks/6783b7ca-20ce-434b-a429-e8db194118c4/
https://app.any.run/tasks/69dc7467-369e-42d6-a097-2156c2a43366/
https://app.any.run/tasks/5bce4e2c-288a-4ce6-9c57-304925819d0e/

The last one is after I removed most of the padding (not...
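The size:140MB+ half of that hunt matches any binary that has been bulked up, whatever family it belongs to, so the first thing worth checking on a hit is where the bulk actually lives. In the padded samples described here it is almost always an overlay: bytes appended after the last section's raw data, which the loader never maps. The script below is an added example (it is not code from the original post) that parses just enough of the PE headers with the standard library to measure the overlay, scores it by Shannon entropy so filler is distinguished from a real appended payload or Authenticode signature, and trims it only when it is low-entropy filler, which is the same kind of "remove the padding before resubmitting to the sandbox" step the post describes. The sample PE it runs against is constructed inline and is not a real binary; the 50% overlay fraction and the 1.0-bit entropy cutoff are assumed thresholds, not values from the post. Note that trimming changes the MD5/SHA256, but the imphash is computed from the import table inside the sections, so a trimmed file still matches the imphash part of the hunt.

```python
"""Measure and strip low-entropy overlay padding from a PE (added example)."""
import collections
import math
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed sample below


def pe_end_of_sections(data: bytes) -> int:
    """Offset just past the last byte covered by the headers or any section's
    raw data. Everything after this offset is overlay (never mapped by the loader)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    section_table = coff + 20 + opt_size
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        hdr = section_table + 40 * i
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    h = 0.0
    for count in collections.Counter(buf).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def analyze_pe(data: bytes, min_overlay_fraction: float = 0.5,
               max_padding_entropy: float = 1.0) -> dict:
    """Report overlay size/entropy and flag the file as padded when most of it
    is a low-entropy overlay. Thresholds are assumptions, tune them per campaign."""
    end = pe_end_of_sections(data)
    overlay = data[end:]
    ent = shannon_entropy(overlay)
    fraction = len(overlay) / len(data) if data else 0.0
    return {
        "size": len(data),
        "end_of_sections": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        "padded": len(overlay) > 0 and fraction >= min_overlay_fraction
                  and ent <= max_padding_entropy,
    }


def trim_low_entropy_overlay(data: bytes, max_padding_entropy: float = 1.0) -> bytes:
    """Drop the overlay only when it looks like filler. A high-entropy overlay
    (appended payload, packed resources, an Authenticode signature) is kept,
    because cutting it may remove data the sample actually uses."""
    end = pe_end_of_sections(data)
    if end < len(data) and shannon_entropy(data[end:]) <= max_padding_entropy:
        return data[:end]
    return data


def build_minimal_pe(code: bytes = b"\xC3" * 16, overlay: bytes = b"") -> bytes:
    """Constructed sample: a structurally valid PE32 with one .text section.
    It is not a real binary; it exists only to exercise the functions above."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    optional = struct.pack("<H", 0x10B) + bytes(222)                # PE32 magic, rest zero
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(FILE_ALIGN, b"\0")
    return headers + code.ljust(FILE_ALIGN, b"\0") + overlay


if __name__ == "__main__":
    # Constructed input: a tiny PE followed by 200,000 bytes of zero padding.
    sample = build_minimal_pe(overlay=b"\0" * 200_000)
    print(analyze_pe(sample))
    print("trimmed size:", len(trim_low_entropy_overlay(sample)))
```

On a real hit, read the file with open(path, "rb").read(), feed it to analyze_pe, and only write out trim_low_entropy_overlay's result as a new file, keeping the original so the hashes you submitted to VirusTotal still correspond to something on disk.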