DotNET ManifestResources Format Package

We have released the DotNET ManifestResources Format package for all licenses of Cerbero Suite.

.NET manifest resources are embedded elements within .NET assemblies, used to store additional data such as files, icons, and strings that an application requires for execution. These resources are directly compiled into the executable, becoming a part of the application’s core assets. In the realm of malware, attackers frequently exploit .NET manifest resources to hide malicious payloads. Cerbero Suite lets you inspect the format of .NET manifest resources and automatically detects embedded files.

OneNote Malware With ISO File

We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.

SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516

The unidentified embedded object in the OneNote document is an ISO file.

Continue reading “OneNote Malware With ISO File”

Reversing Complex PowerShell Malware

In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables.

Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA

Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal.

Continue reading “Reversing Complex PowerShell Malware”

RedLine Stealer Dropper

An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.

SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6

The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.

Continue reading “RedLine Stealer Dropper”

Simple Batch Emulator Package

To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.

The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.

Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.

Continue reading “Simple Batch Emulator Package”

Video: Blitz 45 Seconds OneNote Malware Analysis

The malicious OneNote sample analyzed in this video contains an executable. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script which can directly be inspected in Cerbero Suite.

SHA256: F408EF3FA89546483BA63F58BE3F27A98795655EB4B9B6217CBE302A5BA9D5F7

OneNote Format Support

Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.

Installing the package from Cerbero Store takes only a few mouse clicks.

Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.

Continue reading “OneNote Format Support”

Sample Downloader Package

We have just released our Sample Downloader package and it is available for all licenses of Cerbero Suite Advanced.

While this is a simple package, we consider it extremely useful, as it allows to download malware samples by their hash. The package tries to download the requested samples from various supported intelligence services.

Check out the video presentation for a quick introduction!

Installing the Sample Downloader package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.

Continue reading “Sample Downloader Package”