G’day Cyber Warrior,
Here are the latest Detection lists.

Please note:
You can use this information to create detect-lists.
All C2i published here is active at the time of publishing but some of these C2s can go offline at any time after that.
All information provided here is free to use.
C2i published on this site or shared via email could cause some FPs as these IPs/URIs get recycled frequently; you agree to that before using any C2i from this site.
Lists are NOT de-duped.
You agree that any false positives or outages caused by use of this list will be your responsibility. To get…

Decryptor tool for AES-encrypted payloads

If you want to support me, follow me on Patreon: https://www.patreon.com/malienist

What is Varg?

Varg is a tool written in PowerShell that helps you decrypt data that has been encrypted using AES. The most common application we see in the cybersecurity world is malicious scripts that are dropped on victim machines in the form of encrypted payloads that execute malicious code once decrypted.


G’day Cyber Warrior,
Here are the latest IOC lists.

Please note:
You can use this information to create detect-lists.
All C2i published here is active at the time of publishing but some of these C2s can go offline at any time after that.
All information provided here is free to use.
C2i published on this site or shared via email could cause some FPs as these IPs/URIs get recycled frequently; you agree to that before using any C2i from this site.
Lists are NOT de-duped.
You agree that any false positives or outages caused by use of this list will be your responsibility. To get…

G’day Cyber Warrior,
Here are the latest IOC lists.

Please note:
You can use this information to create block-lists.
All C2i published here is active at the time of publishing but some of these C2s can go offline at any time after that.
All information provided here is free to use.
C2i published on this site or shared via email could cause some FPs as these IPs/URIs get recycled frequently; you agree to that before using any C2i from this site.
Lists are NOT de-duped.
You agree that any false positives or outages caused by use of this list will be your responsibility. To get…


This is a new series that I've started, where we not just analyse the malware but highlight the steps that can be taken to defend against these threats. You'll still need to do some digging to find out how to implement these in your org but these should give you enough to get started. 
Skill level: Intermediate-Advanced

If you want to support me, follow me on Patreon: https://www.patreon.com/malienist

QuickDefend

The long-story-short version

Use the following info to break execution of this malware:

RestartManager

This malware uses the RestartManager to shutdown/stop running processes and then encrypt them (to bypass the ‘file is in…


Powershell provides a great platform to mess around with Defender

If you want to support me, follow me on Patreon: https://www.patreon.com/malienist

PowerShell is a very powerful tool that Microsoft provides to administrators. It can just as easily be used by malware authors to try to bypass Windows Defender, the Microsoft anti-malware application that has a large user base.

Section 1

First, let’s take a look at what features are available in PowerShell to work with anti-malware.

Add-MpPreference
Modifies settings for Windows Defender.

Get-MpComputerStatus
Gets the status of anti-malware software on the computer.

Get-MpPreference
Gets preferences for the Windows Defender scans and…


This is a short one, just wanted to share how to remove password-protection from PDF documents. Instead of uploading your docs to ‘online’ password-removers or downloading tools to do that, you can use this simple method.

Nothing new here; I’ve known about this technique for quite some time. I’ve had a bunch of people ask about it, so I thought maybe I should do a quick post.

Please note that this method only works on PDFs that you have the password for. You need to unlock it at least once to be able to then remove the protection moving forward. 

Here are…


This malware takes anti-analysis and stealth techniques to a new level

We took a look at this malware in Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-execution features of this malware in Part 2.

Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju

Secondary Macro Code

First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. …

Vishal Thakur
