Matthew
@embee_research
Followers
11,546
Following
1,372
Media
449
Statuses
1,060
Malware Researcher & Reverse Engineer | Creating and Sharing Educational Cyber Content
Australia
Joined July 2022
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 175073 Tweets
NO RDM COM CAIO E LUAN
• 137561 Tweets
Madonna
• 127836 Tweets
Tottenham
• 79326 Tweets
Spurs
• 72260 Tweets
Leverkusen
• 61813 Tweets
Palmer
• 56053 Tweets
Hayer
• 38406 Tweets
Maracaibo
• 33278 Tweets
Ole Miss
• 29594 Tweets
Ange
• 28232 Tweets
Aston Villa
• 28206 Tweets
bruno mars
• 26934 Tweets
憲法記念日
• 21170 Tweets
#SVGala9
• 20068 Tweets
Cucurella
• 18321 Tweets
$AAPL
• 17543 Tweets
Chalobah
• 16857 Tweets
Xabi Alonso
• 14217 Tweets
Caicedo
• 13737 Tweets
Anne Hathaway
• 11672 Tweets
Lillard
• 10618 Tweets
![Guillaume [Asenka] Dorison](https://pbs.twimg.com/profile_images/1588604744964128769/qz6AaT-z.jpg)
Pinned Tweet
Three Awesome Things Have Happened In The Last Few Weeks
1️⃣ - SANS-FOR578 (Cyber Threat Intelligence) has been updated to include one of my blogs on Tracking Malware Infrastructure.
This is particularly significant to me as someone without any technical certifications. Having…
16
61
393
Reverse Engineering a
#CobaltStrike
#malware
sample and extracting C2's using three different methods.
We'll touch on
#cyberchef
,
#x64dbg
and Speakeasy from fireeye to perform manual analysis and emulation of
#shellcode
.
A (big) thread ⬇️⬇️
[1/23]
20
381
1K
A Beginners Guide to Tracking Malware Infrastructure
New post with 11 Examples (Including Cobalt Strike and Qakbot) that you can use to query and track C2’s, Open Directories and More🔥
(Special thanks to
@censysio
🥳)
#threatintel
#malware
9
301
821
#Malware
Downloader retrieving an encoded powershell via DNS records.
+ Quick demo on how to deal with this and extract the final content using
#CyberChef
👇👇
8
179
617
🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef
An overview of some advanced CyberChef tricks for decoding malware
[1/12] 🧵
#AsyncRAT
#Decoding
#CyberChef
#Malware
8
193
577
A collection of incredible (non-corporate) malware analysis and reverse engineering blogs that I have personally enjoyed over the years.
All focused on education and knowledge sharing of malware/RE topics.
[1/14] 🧵
(In no particular order)
#malware
#education
11
180
526
When analysing suspicious commands using
#cyberchef
, you can utilise
#regex
to save time copy and pasting between windows.
In this case, combining "From Decimal" with the regex "(\d\d+)+" enabled a quick decoding without needing to change tabs.
10
133
511
🥷Defeating Obfuscated Malware 🥷
Today we take a look at a heavily obfuscated visual basic script containing Shellcode.
We'll use Regex,
#Cyberchef
and a Text Editor to deobfuscate
#malware
.
[1/18]
6
125
484
🔬Defeating Obfuscated .HTA Scripts to Obtain Cobalt Strike Shellcode 🔬
Let's look at Cyberchef, Manual Deobfuscation, Multi-stage script analysis and finally emulation to obtain a decoded C2.
[1/17]
7
133
452
Malware Deobfuscation With DnSpy and CyberChef 👨🍳
Let's look at some beginner tips for identifying encrypted data with DnSpy.
We'll then utilise CyberChef to recreate the decryption and obtain the address of the C2 server.
[1/12] 🧵
#malware
#cyberchef
1
138
454
Decoding a Cobalt Strike Loader with Cyberchef and Emulation
A short video looking into a common CS loader and methods for extracting C2 addresses from Shellcode 😁
#Malwareanalysis
#Cobaltstrike
3
132
441
Malware Analysis - Cobalt Strike Shellcode Analysis and C2 Extraction
Looking into a Cobalt Strike shellcode loader and extracting C2 addresses. Leveraging debugging (x64dbg) and the Speakeasy Emulator.
#malware
#cobaltstrike
1
124
420
CyberChef Tips - Utilise regex and "list matches" to extract and decode multiple encoded blobs from the same script.
Combine with code beautify and text highlighting to turn an obfuscated script into nice readable content.
#Cyberchef
#Regex
#malware
8
104
419
Advanced CyberChef Techniques for Configuration Extraction - Now in Blog Form 😁
A detailed look into advanced CyberChef operations applied to a config extractor (Flow Control, Registers, Regex, AES and Much Much More). 🔥
#Malwareanalysis
#CyberChef
3
142
417
#Malware
protectors often use unique functions to
#obfuscate
strings. Using powershell, you can dynamically invoke those functions to bypass the obfuscation and dump hidden content. Below is an
#AgentTesla
malware sample de-obfuscated using this technique.
1/
8
120
395
🔥Malware Analysis with
@HuntressLabs
🔥
Watch as we analyse a bloated (1.5GB) Golang file and dynamically extract an Xworm payload.
We'll touch on Procmon, Process Hacker, Entropy Analysis, Debloating, Breakpoints, Debuggers and lots more🤠
[1/14] 🧵
#Malware
#Golang
3
137
388
In depth analysis of a 6-stage
#asyncrat
#malware
loader using
#cyberchef
+
#dnspy
🐀
Persistent .lnk -> .py script -> 2nd .py script -> .NET DLL (reflection) -> .NET DLL (injected into msbuild.exe) -> .NET dll (custom obfuscation) -> .NET .exe (asyncrat)
7
121
360
Let's decode Powershell Malware with Cyberchef 🧑🍳
New video looking into a simple custom obfuscation routine in a StealC loader, and showing some cool CyberChef tricks for manually decoding 😁
#Cyberchef
#malwareanalysis
#powershell
0
94
339
I've been playing around with Module Stomping for EDR Evasion
This is a cool technique for bypassing detection by overwriting "legitimate" memory regions.
Let's see what it looks like from a
#Malware
and RE Perspective
@SEKTOR7net
[1/25]
4
128
333
New Record for My Longest CyberChef Recipe Ever... 😅
A 22 operation configuration extractor in CyberChef. Utilising Regex, AES, Registers and Flow Control to decode as 3 stage malware sample 🕵️♂️
#MalwareAnalysis
#Cyberchef
7
89
329
#ChromeLoader
#malware
persists via obfuscated content stored in the registry. Here's how to decode it using
#Cyberchef
.
1/
3
97
315
🟥
#BruteRatel
: Static detection via API hashes
Very similar to the Havoc C2 Detector. Looks for API hashes used to resolve ntdll functions.
8/8 Files successfully detected (on disk)
1/ 🧵🧵 ⏬
#Ghidra
#Malware
#Yara
6
105
302
Quick trick to analyse
#obfuscated
.NET
#malware
.
Assembly name -> right click -> go to entry point.
Set a breakpoint, then step over/into functions and watch values appear in the local window.
You'll quickly obtain plaintext values without de-obfuscating any code.
5
83
297
Beginner Workflows In Ghidra - Analysing Cobalt Strike
New video looking into basic workflows with Ghidra and Cobalt Strike. Showing how to locate and build context on strings, entropy and imports within malicious code 😁
#malware
#malwareanalysis
0
97
293
Uncovering 169 Phishing Domains With DNS Pivoting 🔥
Leveraging my new favourite DNS tool to pivot from an initial IOC to 169 domains impersonating popular fashion brands.
[1/14] 🧵
#phishing
#threatintel
#malware
4
86
292
Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef
[1/13] 👇🧵
#Cyberchef
#Decoding
#Ursnif
#Malware
4
98
294
Beginner Malware Analysis - Decoding Script-Based Malware With Procmon (Pikabot)
Decoding a simple Pikabot script using Dynamic Analysis with Procmon, resulting in 3 malicious URL's.
#malwareanalysis
#pikabot
1
84
293
Decoding a Cobalt Strike Loader hidden inside a .hta file.
An overview of identifying and extracting shellcode with
#CyberChef
, and performing basic validation and C2 Discovery using the SpeakEasy emulator.
#malware
#cobaltstrike
3
105
272
🔥Lumma Stealer - Manually Unpacking and Extracting C2's 🔥
Let's analyse a Lumma malware sample and manually unpack it with Dnspy and x32dbg.
We'll then leverage Ghidra and x32dbg to locate and decrypt four C2 addresses.
[1/24] 🖊️
#Malwareanalysis
#Ghidra
4
68
269
Xworm Malware Analysis - Unravelling a 4 Stage Malware Loader
New upload looking at manual script deobfuscation, AES Decryption, CyberChef, and unpacking/analysis of .NET payloads with DnSpy 🔥
#Cyberchef
#dnspy
#malwareanalysis
1
92
264
Malware Analysis - Decoding Powershell Scripts and .NET Malware (Xworm)
#malwareanalysis
#powershell
#dnspy
1
77
263
Uncovering Malicious Infrastructure With DNS Pivoting
New blog experimenting with DNS and Domain pivoting to uncover malicious infrastructure🔥
#malware
#threatintel
0
90
261
🐀AsyncRAT 🐀 - Manual Decoding from a .NET Loader.
.NET Loader -> Injection -> InstallUtil.exe -> AsyncRAT
[1/13] Manual Walkthrough in Thread 🧵
1
83
254
Unpacking Malware With Hardware Breakpoints
Leveraging debugging and Hardware breakpoints to extract Cobalt Strike shellcode.
With Bonus section where we recreate the process using
#Ghidra
,
#Cyberchef
and
#ChatGPT
.
#Malware
0
96
248
If you utilise API hashing in your
#malware
or offensive security tooling. Try rotating your API hashes. This can have a significant impact on
#detection
rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs
#Virustotal
.
8
72
241
Javascript Malware Analysis - Decoding an AgentTesla Loader
First experiment with Youtube/Video Content😅
#Malware
#decoding
#javascript
2
76
240
Malware Analysis - Decoding Obfuscated Powershell and .hta Files (Lumma Stealer)
A quick look into .hta malware and Powershell De-obfuscation. Introducing some basics to identify and decrypt AES strings using Cyberchef.
#Malware
#Cyberchef
1
78
230
I recently discovered that has an awesome and extremely affordable (even free) feature for testing and building Yara rules.
This is a great option for aspiring Malware Analysts and Detection Engineers who don't have access to an expensive VT Hunting…
🧊 IcedID Detection With Yara 🧊
1⃣ IcedID has a unique decryption routine present in unpacked payloads.
2⃣ Converting this routine into a
#Yara
rule can be used to detect
#IcedID
running in memory.
#malware
#re
#detection
1
46
121
3
77
224
Decoding an .VBS Cobalt Strike Loader With CyberChef
Leveraging advanced
#CyberChef
tactics to defeat text-based obfuscation and fix "malformed" shellcode.
#Malware
#CobaltStrike
1
71
220
One of the most interesting malware loaders i've ever encountered. Would recommend the read if you're into
#malware
analysis.
(6 stages of malware fun 🔥)
In depth analysis of a 6-stage
#asyncrat
#malware
loader using
#cyberchef
+
#dnspy
🐀
Persistent .lnk -> .py script -> 2nd .py script -> .NET DLL (reflection) -> .NET DLL (injected into msbuild.exe) -> .NET dll (custom obfuscation) -> .NET .exe (asyncrat)
7
121
360
1
56
217
Havoc C2: Static detection via ntdll hashes
Currently working on 6/6 Demon payloads generated via the Havoc framework 👀
Yara rule included in link.
1/ More notes below regarding Havoc and API Hashing
#Malware
#RE
#Ghidra
#detection
#yara
4
59
217
Uncovering APT Infrastructure with Passive DNS Pivoting
This time we're taking a
@MsftSecIntel
APT report and identifying an additional 122 similar domains using
@ValidinLLC
#malware
#threatintel
1
65
212
I've always found it difficult to find good Reverse Engineering content that utilises Ghidra instead of IDA Pro. For anyone else in the same boat,
@AGDCservices
has some great Ghidra tutorials on his youtube channel.
#Malware
#RE
#Ghidra
4
67
208
Malware Analysis - VBS Decoding With Cyberchef (Nanocore Loader)
More malware Deobfuscation using Cyberchef, regex and Notepad++ 🔥
#malware
#cyberchef
0
59
206
👽Identifying and Fixing Encrypted Strings in Ghidra 👽
2
52
192
🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.
By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.
Thread
[1/11] 👇
#Malware
#AgentTesla
#Ghidra
#Debugging
2
75
192
I recently wrote a static decoder for encrypted
#IcedID
files using Ghidra and Python😀
You can find it on Github, along with some sample files to play around with.
1/ More notes below👇
#Malware
#RE
#reversing
#ghidra
3
47
188
A quick demo of how to identify "real" exported functions from a
#obfuscated
#IcedID
dll file.
I'll also briefly touch on some
#Ghidra
tips, and how to extract
#shellcode
using a debugger.
A moderate sized thread😃
[1/13]
5
60
186
#Qakbot
Activity - Slight changes to Obfuscation
(hex instead of base64)
Onenote -> cmd -> powershell -> rundll32
IOC/C2 List 👇
Sigma Rule 👇
#Malware
#C2
#Cyberchef
#sigma
1
56
182
Decoding a MultiStage (Gu)Loader with Cyberchef
Diving into a super cool loader sample and demonstrating advanced Cyberchef and Regex trickery 😋
#malwareanalysis
#guloader
#Cyberchef
3
50
186
Malware Analysis - Simple Javascript Decoding and C2 Extraction (Redline Stealer)
Taking a look into defeating obfuscated variables and performing basic string deobfuscation in Javascript.
#Malware
#javascript
#redline
0
45
183
#AgentTesla
#malware
uses encrypted resources to store payloads. You can decode them by manually generating the DES key and decrypting using
#cyberchef
🕵️
Save resource -> generate md5 -> Trim md5 key to 8 bytes -> Load file into cyberchef -> DES Decrypt = Decoded 2nd Stage 🤠
2
53
182
🔥Malware Analysis Tips - String Decryption in .NET (RedLine)🔥
If the same function is used repeatedly to decrypt strings, you can utilise regex and powershell to extract strings and decrypt them in bulk.
#RedlineStealer
#malware
#Dnspy
#Cyberchef
0
63
180
Manual Shellcode Analysis - Locating and Resolving Function Calls With Ghidra and x32dbg
Experimenting with a new style of (paid) post where I go in-depth on
#Ghidra
manual analysis. Showing approachable and repeatable workflows for analyzing malware.
0
59
179
Malware Analysis - Powershell Decoding and .NET C2 Extraction (Quasar RAT)
A quick look into decoding simple Powershell scripts and extracting C2's from Quasar rat.
#Malware
#powershell
0
45
170
Decoding a suspected
#AsyncRAT
loader.
A high-level overview of my thought process using
#CyberChef
.
1⃣ Identify the primary encoding (Decimal in this case)
2⃣ Simplify and remove junk around encoding ( char[] etc) Noting that there are regex and non-regex options for doing…
3
47
170
Advanced Threat Intel Queries - Catching 83 Qakbot Servers With Regex,
@censysio
and TLS Certificates
This (Free) writeup includes a detailed walkthrough, IOC's and links to all queries used.
#Malware
#ThreatIntel
4
56
166
🐀Dcrat 🐀 - 3-Stage .NET Malware De-obfuscation
- Uncovering a 3 stage loader using module breakpoints, CyberChef, Entropy Analysis, and some custom python scripts 🤪
#Malware
#dcrat
#dotnet
#cyberchef
0
41
153
I’ve created an index for all of my past educational twitter threads 🤓
43 educational threads have been added so far
Check it out if you’re interested in topics like
#Ghidra
, developing
#Yara
rules and deobfuscation using
#CyberChef
.
Link Below 📖
1
76
152
Building on my previous C2 extraction from Amadey Bot, I recently experimented with finding more Amadey infrastructure using Shodan.
Here I detail my process for obtaining 12 total C2's by leveraging html hashes and ssl certs from the original ip.
2
62
152
Defeating API Hashing Using x32dbg and Conditional Breakpoints.
By setting simple log conditions on functions related to API hashing, you can quickly print out decoded hash values without needing to identify or reverse the hashing algorithm.
[1/11]
#Malware
1
64
152
Passive DNS For Phishing Link Analysis - Identifying 36 Latrodectus Domains With Historical Records and 302 Redirects
#Threatintel
#IOC
#malware
1
60
151
DCRAT - String Decoder For Loading PE File into Memory
- A large number of fake base64 strings are initialized.
- First character from each string is added to an new buffer
- Second character from each string is added to the new buffer
- .. And so on
- Resulting buffer is…
5
53
145
Catching ~50 BianLian C2's With Regex Signatures, TLS Certificates and
@censysio
(Demonstrating some cool methods for catching C2's without relying on ASN's or Port Patterns)
[1/11] 🧵
#Malware
#ThreatIntel
1
46
138
🐍Identifying Malware Infrastructure - Vultur Banking Trojan🐍
Today we'll show how you can use public reports and free dns tools to identify malicious domains.
We'll find 13 new domains, many of which are undetected on VT.
#ThreatIntel
#malware
0
36
140
#Malware
Tip - If you encounter terms like compression or decompress in obfuscated code, Try using the
#cyberchef
"gunzip" feature.
This obfuscation is simple, but is surprisingly common.
Encoded text -> From Base64 -> Gunzip -> decoded binary
3
31
136
🖥️Query techniques to identify potential malware Infrastructure 🖥️
A quick demo showing ways to use
@censysio
and ThreatFox to build simple queries and find suspicous servers for further investigation.
[1/14] 🧵
2
43
137
#Qakbot
Dumpulator Script has now been added to Github! 😀
This script is capable of dumping decrypted strings from the encrypted string table used by recent Qakbot malware.
1/ (notes and details below)
#malware
#qakbot
#dumpulator
#RE
#Dumpulator
script to extract decrypted strings from recent
#Qakbot
payloads.
This works by brute forcing index values to the Qakbot string decryption function.
Hoping to put out a detailed blog soon.
#RE
#malware
3
27
93
1
44
138
Remcos
#Malware
Analysis - Manual Deobfuscation
Encoded vbs -> Encoded Powershell -> Custom Obfuscation -> Bits Download From Google Drive
Touching on multiple manual decoding methods leveraging
#Regex
,
#Python
and
#Cyberchef
.
3
52
133
Combining Pivot Points to Identify Malware Infrastructure with
@censysio
We'll use a single smokeloader IP (running default services) to locate 11 total servers with C2's for Redline, Amadey and
#CobaltStrike
.
#Malware
#c2
#ThreatIntel
2
29
126
Cyberchef Tips! - Decoding a Malware Loader using Advanced Cyberchef Tactics.
We'll cover!
- Using regex to identify obfuscated values
- Subsections for isolating obfuscated data
- for visualizing regex queries
- + More 😄
1
68
127
Nighthawk C2 Detection
Quick Yara rule to detect the 4 Nighthawk payloads mentioned by
@cyb3rops
(and vaguely inferred by
@NinjaParanoid
)
#Yara
#detection
#Nighthawk
Possible NightHawk samples on Virustotal
fc4106f71cdcdf6d6fab5441a6c6d7fb
8defdaba9b1fc949b429c40c0723030d
15c3fe7a3022ede934113c335b9d20bb
5b0028dd161208c993965a33138e282b
The last one named "nh_dll2.dll" has been removed on VT.
4
58
205
1
44
127
3 New
#yara
rules added to Github!
Updated with high-fidelity rules for ....
- Qakbot 🦆
- Emotet 🐍
- Ursnif 🐽
#Malware
#Detection
#Yara
0
42
125
Investigating a PrivateLoader C2 with
@censysio
An introductory guide to building and refining queries with limited malicious services available.
(This time diving more into the thought process behind query building)
#Malware
#threatintel
1
47
121
