
In this Twitch stream we start our 3-part research series on emulating VBScript by looking at the new Emotet OneNote docs being used to execute WScript malware.

In the first part of the stream we quickly triage the OneNote document, extract the embedded WScript file, and manually deobfuscate the script.

The rest of the stream is dedicated to starting our automated VBScript deobfuscation project, as we learn more about how cscript.exe and vbscript.dll work under the hood.
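The triage step above, carving the embedded WScript file out of the OneNote container, as an added example (my code, not tooling from the stream): OneNote stores attachments as MS-ONESTORE FileDataStoreObject records, so a byte scan for the record header GUID, followed by the 64-bit length field, is enough to pull the dropped .wsf out without a full .one parser. The sample .one blob is constructed inline (not a real Emotet document) so the script runs offline; the `classify` magic check and `build_sample` helper are my own.

```python
"""Carve FileDataStoreObject attachments out of a OneNote (.one) section.

Added example, not the OALABS stream's tooling: OneNote stores attached
files (the dropped .wsf/.vbs in the Emotet lures) as MS-ONESTORE
FileDataStoreObject records, so a byte scan for the record header GUID is
enough to pull them out without a full .one parser.
"""
from __future__ import annotations

import hashlib
import struct
import sys
import uuid

# GUIDs from MS-ONESTORE, encoded as they appear on disk (bytes_le gives the
# mixed-endian layout Windows uses for GUIDs).
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file header
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le    # FileDataStoreObject start
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le    # FileDataStoreObject end
REC_HDR_LEN = 16 + 8 + 4 + 8  # guidHeader | cbLength | unused | reserved


def classify(data: bytes) -> str:
    """Cheap magic check so the operator sees what was carved (my heuristic)."""
    head = data.lstrip()[:16].lower()
    if head.startswith((b"<?xml", b"<job", b"<package")):
        return "wsf/xml"      # Windows Script File, what the Emotet lures drop
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith((b"\x89PNG", b"\xff\xd8\xff")):
        return "image"
    return "unknown"


def carve(blob: bytes) -> list[dict]:
    """Return one dict per FileDataStoreObject found in blob.

    Record layout: guidHeader(16) | cbLength(8, LE u64) | unused(4) |
    reserved(8) | FileData(cbLength) | padding | guidFooter(16).
    """
    found = []
    pos = blob.find(HEADER_GUID)
    while pos != -1:
        body = pos + REC_HDR_LEN
        if body > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        data = blob[body:body + cb_length]
        rec = {"offset": pos, "length": cb_length, "data": data,
               "sha256": hashlib.sha256(data).hexdigest()}
        if len(data) < cb_length:
            # cbLength runs past end of file: damaged or deliberately truncated sample.
            rec.update(kind="truncated", footer_ok=False)
            found.append(rec)
            break
        end = body + cb_length
        # Tolerate up to 8 bytes of alignment padding before the footer GUID.
        rec.update(kind=classify(data),
                   footer_ok=blob.find(FOOTER_GUID, end, end + 8 + 16) != -1)
        found.append(rec)
        pos = blob.find(HEADER_GUID, end)
    return found


def build_sample() -> bytes:
    """Constructed stand-in for a .one file: file header GUID, filler, one
    embedded WSF record, trailing filler. Not a real Emotet document."""
    script = (b'<?xml version="1.0"?>\r\n'
              b'<job><script language="VBScript">MsgBox "demo"</script></job>\r\n')
    rec = HEADER_GUID + struct.pack("<Q", len(script)) + bytes(4) + bytes(8) + script
    rec += bytes((-len(script)) % 8) + FOOTER_GUID   # pad FileData to 8 bytes
    return ONE_FILE_GUID + bytes(40) + rec + b"\xaa" * 32


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    if not blob.startswith(ONE_FILE_GUID):
        print("warning: no .one file header, scanning anyway")
    for i, r in enumerate(carve(blob)):
        print(f"[{i}] offset=0x{r['offset']:x} len={r['length']} kind={r['kind']} "
              f"footer_ok={r['footer_ok']} sha256={r['sha256']}")
        with open(f"carved_{i}.bin", "wb") as fh:
            fh.write(r["data"])
```

Run it as `python carve_one.py sample.one` to dump every attachment as `carved_N.bin`; the printed SHA-256 of each carved payload is what you compare against the sample hash listed below. A `footer_ok=False` record with an intact length usually means the file was patched or the record was appended outside OneNote, which is itself worth noting during triage.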

Emotet WScript Sample

1c3a7f886a544fc56e91b7232402a1d86282165e2699b7bf36e2b1781cb2adc2 

Notes

OneNote WSF Malware (Emotet) 

Files

Live Stream VOD: VBScript Emulation Research Part 1 - Emotet OneNote Malware (by OALABS on Vimeo)

Comments

Karsten Hahn

I haven't watched the entire stream yet, so not sure if you cleared this up, but the reason for the hash differences in wscript.exe might be because your tool HashCalc gets redirected to syswow64/wscript.exe. Too bad that I am always sleeping when you stream :D I wish I could be there more often when it is live.

oalabs

Ah, that might have been it! There is more craziness later on when we discover that MS is not bumping version numbers all the time... I'll try to stream earlier, but no promises : )