Albert Zsigovits albertzsigovits

🕹️
[_]/\XO
View GitHub Profile
@albertzsigovits
albertzsigovits / mlwr-repo.txt
Created February 10, 2023 19:13
Malware Repositories
CERT-PL-MWDB - https://mwdb.cert.pl
Malshare - https://malshare.com
MalwareBazaar - https://bazaar.abuse.ch
VirusBay - https://beta.virusbay.io
VirusShare - https://virusshare.com
VirusTotal - https://www.virustotal.com
VXUG-Blocks - https://samples.vx-underground.org
VXUG-MWDB - https://virus.exchange
albertzsigovits / edr-bypass.txt
Last active October 11, 2023 18:51
EDR Bypass Techniques
List:
Disabling Event Tracing for Windows (ETW)
Shellcode encryption
Reducing entropy
Escaping the (local) AV sandbox
Import table obfuscation
Disabling AMSI
Evading common malicious API call patterns
Direct system calls and evading “mark of the syscall”
Removing hooks in ntdll.dll
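Two items on this list pull against each other: encrypting the shellcode pushes the byte entropy of the payload towards 8 bits/byte, which is exactly what the entropy heuristics in AV/EDR static scanners key on, so the encrypted blob is then diluted with low-entropy filler until the histogram looks ordinary again. The script below is an added example, not code from this gist: it measures Shannon entropy on a constructed stand-in for shellcode, after a toy SHA-256 counter-mode keystream (an assumption standing in for whatever cipher a loader really uses), and after interleaving each ciphertext byte with three constant filler bytes (a constructed choice). The defender-side takeaway is the last number: section entropy alone is a weak indicator, because this dilution costs the attacker nothing.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (assumption: stands in for a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_with_keystream(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


FILLER = 3  # constructed choice: three constant filler bytes per payload byte


def dilute(data: bytes, filler: bytes = b"\x00") -> bytes:
    """Interleave every payload byte with FILLER copies of a constant byte.
    The payload itself is untouched; only the histogram of the stored blob
    is flattened towards the filler value, so the blob's entropy drops."""
    return b"".join(bytes([b]) + filler * FILLER for b in data)


def undilute(blob: bytes) -> bytes:
    """Inverse of dilute(): take every (FILLER + 1)-th byte."""
    return blob[::FILLER + 1]


# Constructed stand-in for shellcode: a long NOP sled plus a repetitive stub.
PLAIN = b"\x90" * 3072 + bytes(range(0x40, 0x60)) * 32
KEY = b"demo-key"  # constructed


def analyze() -> dict:
    """Entropy of the payload at each stage; also checks both transforms round-trip."""
    enc = xor_with_keystream(PLAIN, KEY)
    blob = dilute(enc)
    assert undilute(blob) == enc
    assert xor_with_keystream(enc, KEY) == PLAIN
    return {
        "plain": shannon_entropy(PLAIN),
        "encrypted": shannon_entropy(enc),
        "encrypted+diluted": shannon_entropy(blob),
    }


if __name__ == "__main__":
    for name, h in analyze().items():
        print(f"{name:>18}: {h:.2f} bits/byte")
```

The plain buffer sits around 2 bits/byte, the ciphertext close to 8, and the diluted ciphertext falls back under 3 even though it still carries the full ciphertext. When writing detection logic, measure entropy on the region that actually gets executed or decrypted (or on the de-interleaved data, if the loader's layout is known) rather than on the raw section.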
albertzsigovits / vmprotect.txt
Created February 10, 2023 19:05
VMProtect study-pack
Samples:
https://bazaar.abuse.ch/browse/tag/Fabookie/
https://bazaar.abuse.ch/browse/signature/Fabookie/
Tutorials:
https://www.youtube.com/watch?v=Yzt_zOO8pDM
https://whereisr0da.github.io/blog/posts/2021-01-05-vmp-1/
albertzsigovits / yara_dotnet.yar
Created February 5, 2023 20:20
To get Dotnet module information in YARA
# create import_dotnet.yar
import "dotnet"
rule dotnet {
condition: true
}
# To get import information
~/yara-4.3.0-rc1/yara -D import_dotnet.yar ~/malware/dotnet/
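`yara -D` prints whatever the imported modules parsed, but the dotnet module only has something to say for PE files that carry a CLR runtime header, i.e. a non-zero entry in data directory slot 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR); for native PEs and non-PE files it prints nothing useful. The script below is an added example, not part of this gist, that does that check in pure Python so a mixed sample directory can be pre-filtered before being handed to the command above. The sample PEs it builds are constructed in memory and consist of headers only; they are not loadable binaries.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # the CLR runtime header slot


def clr_header_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header data directory, or None
    when the buffer is not a PE or the directory slot is absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(data):
        return None
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if num_dirs_off + 4 > size_opt:
        return None
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR or entry + 8 > size_opt:
        return None
    return struct.unpack_from("<II", data, opt + entry)


def is_dotnet_pe(data: bytes) -> bool:
    """True when slot 14 has a non-zero RVA and size, i.e. a managed assembly."""
    d = clr_header_directory(data)
    return d is not None and d[0] != 0 and d[1] != 0


def filter_dotnet(samples: dict) -> list:
    """Names of the samples worth handing to `yara -D import_dotnet.yar`."""
    return sorted(name for name, blob in samples.items() if is_dotnet_pe(blob))


def build_sample_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed headers-only PE (not loadable), just enough to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, num_dirs_off, dirs_off = (0x20B, 108, 112) if pe32plus else (0x10B, 92, 96)
    size_opt = dirs_off + 16 * 8              # 16 data directories follow the fixed part
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_dirs_off, 16)
    if dotnet:
        # A non-zero RVA/size in slot 14 is what marks a managed assembly (values constructed).
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    corpus = {  # constructed in-memory stand-in for a sample directory
        "managed32.exe": build_sample_pe(True),
        "managed64.exe": build_sample_pe(True, pe32plus=True),
        "native.exe": build_sample_pe(False),
        "notes.txt": b"not a PE at all",
    }
    print(filter_dotnet(corpus))  # only the two managed samples
```

On a real directory, read each file into bytes and pass the mapping to filter_dotnet(); the names it returns are the ones where `yara -D import_dotnet.yar` will actually print dotnet module data.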
albertzsigovits / cleanset.txt
Created December 14, 2022 11:36
Building cleanset
Pre-built VMs:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Clean Windows ISOs:
Windows 7 - https://docs.microsoft.com/en-us/lifecycle/products/windows-7
Windows 8.1 - https://www.microsoft.com/en-us/software-download/windows8ISO
Windows 10 - https://www.microsoft.com/en-US/software-download/windows10
Windows 11 - https://www.microsoft.com/en-US/software-download/windows11
albertzsigovits / pfsense.txt
Created November 24, 2022 14:12
PfSense upgrade gone haywire
1. pkg-static -d update
2. /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
FreeBSD: { enabled: no }
pfSense-core: {
url: "pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_01_armv7-core",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
albertzsigovits / malre.py
Created November 22, 2022 08:35
MalRE decrypt script - Exercise
# Mal-RE Decrypt script by @larsborn
####################################
import binascii
import struct
buffer = binascii.unhexlify(b'')
def DecryptBlock(param_1: int, param_2: int) -> int:
return (((param_1 ^ param_2) << 4 | (param_1 ^ param_2) >> 0x1
albertzsigovits / dosvirus.txt
Created November 3, 2022 15:41
DOS Virus repos
VXHeaven collection - VX_Heavens_Collection.tar.bz2 - ~270,000 files - compressed: 44.6 GB
https://archive.org/download/vxheavens-2010-05-18
Reddit collection - Virus.DOS.tar.7z - ~17,000 files - compressed: 24.8 MB
https://mega.nz/#!jQNDXCLL!xjj1qlY8SpJAurzHfQBR0fyMQC1WgCNIGgQY7fpvTkA
GBATemp archive - link is down - N/A - N/A
https://mega.nz/folder/eVdUQb6D#K_QT40RjmSLfMfqnPKHgDg
albertzsigovits / malware_template.txt
Created November 3, 2022 15:40
Malware report template
Recon
Delivery
Execution
Exec arguments, parameters
Command line execution
Privilege Escalation
Token impersonation
Admin escalation
Exploits
Lateral movement
albertzsigovits / wscript.txt
Last active May 4, 2023 14:17
Suspicious keywords in wscript/cscript scripts
ActiveXObject
ActiveXObject("WScript.Shell")).Run(
WScript.Shell
.Run(
Document.Open()
shell.run(
WinExec
DownloadToFile(
New-Object -COMObject
RunProgram="
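A keyword list like this one is only as good as the matcher in front of it: droppers routinely split the interesting strings ("WScr" + "ipt.Shell") so a literal grep never sees them. The script below is an added example, not part of this gist: it runs the keyword list above over script text, case-insensitively, after joining adjacent string literals on the same line. The two scripts it scans are constructed for the demo (not real malware), and the "two distinct keywords" threshold in verdict() is a constructed rule, not a tuned one.

```python
import re

# Keyword list as it appears in this gist, matched literally and case-insensitively.
KEYWORDS = [
    "ActiveXObject",
    'ActiveXObject("WScript.Shell")).Run(',
    "WScript.Shell",
    ".Run(",
    "Document.Open()",
    "shell.run(",
    "WinExec",
    "DownloadToFile(",
    "New-Object -COMObject",
    'RunProgram="',
]
PATTERNS = [(kw, re.compile(re.escape(kw), re.IGNORECASE)) for kw in KEYWORDS]

# Matches the gap in "WScr" + "ipt.Shell" (and the single-quote form) on one line.
_CONCAT = re.compile(r'"[ \t]*\+[ \t]*"' + "|" + r"'[ \t]*\+[ \t]*'")


def normalize(text: str) -> str:
    """Collapse simple string-literal concatenation until nothing changes
    (assumption: enough for this demo; real droppers layer more tricks)."""
    prev = None
    while prev != text:
        prev, text = text, _CONCAT.sub("", text)
    return text


def scan(text: str, normalize_concat: bool = True) -> list:
    """Return (line_number, keyword) for every keyword hit."""
    src = normalize(text) if normalize_concat else text
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for kw, pat in PATTERNS:
            if pat.search(line):
                hits.append((lineno, kw))
    return hits


def verdict(text: str, threshold: int = 2) -> str:
    """Constructed scoring rule: at least `threshold` distinct keywords -> suspicious."""
    distinct = {kw for _, kw in scan(text)}
    return "suspicious" if len(distinct) >= threshold else "clean"


# Constructed samples (not real malware).
DROPPER_JS = '''var sh = new ActiveXObject("WScr" + "ipt.Shell");
var req = new ActiveXObject("MSXML2.XMLHTTP");
sh.Run("cmd.exe /c whoami", 0, false);'''

BENIGN_JS = '''var total = 0;
for (var i = 0; i < 10; i++) { total += i; }
WScript.Echo("sum = " + total);'''


if __name__ == "__main__":
    for name, src in (("dropper", DROPPER_JS), ("benign", BENIGN_JS)):
        print(name, verdict(src), scan(src))
```

Without the normalize() pass the dropper still trips ActiveXObject and .Run(, but WScript.Shell is missed; with it, all three are reported. Keep the literal and normalized scans side by side when triaging, since a hit that only appears after normalization is itself a sign of deliberate obfuscation.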