Malware in a PICTURE! | Reverse Engineering an XWorm Loader that uses STEGANOGRAPHY
Malware analysis of a fake winrm vbs script which acts as a downloader to invoke a PowerShell script designed to retrieve malware from within a picture on a public image hosting website.

Note: Apologies for the slightly worse audio quality on this one, I've set up a noise gate now for future videos to avoid the artifacts found in this video.

** Find me at **
Twitter/X - cyberraiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
Notepad++ - https://notepad-plus-plus.org/
CyberChef - https://gchq.github.io/CyberChef/
pestudio - https://www.winitor.com/download
dnSpyEx - https://github.com/dnSpyEx/dnSpy

** Sample **
https://bazaar.abuse.ch/sample/1a93c7...
https://www.virustotal.com/gui/file/1...
https://urlscan.io/responses/f7a87524...
https://urlscan.io/responses/f5718d6a...

** Timestamps **
00:00 - Intro
01:30 - Comparing winrm.vbs scripts
02:36 - Locating the malicious script entries
03:27 - Extracting downloader URL
04:34 - Behavioral analysis of downloader
05:15 - Analysis of malicious PowerShell script
06:39 - Examining 2nd stage stego loader
07:00 - Image hiding malware
08:20 - Extracting PE file from Base64
09:30 - Examining 3rd stage .NET binary using pestudio
10:15 - Examining using dnspy
11:35 - Determining surrogate host for injection
12:45 - Examining 4th and final stage malware
14:02 - Analysis of encrypted configuration
15:45 - Easy decryption of configuration
18:23 - Outro

Credits: SFX by Pixabay