insomniacs

Analysis Walkthrough: APT32’s {79828CC5–8979–43C0–9299–8E155B397281}.dll

CDRThief 新变种/New CDRThief Variant!

Exploring the new CDRThief Variant

It’s a BEE! It’s a… no, it’s ShadowPad.

Analysis walkthrough of ShadowPad variant 2020/2021 that…

Aria-Body Loader? Is that you?

Hello! This is my first time writing a blog on a loader which I had gotten hold of. So, I am a new…

Quarians, Turians and…QuickHeal

I was expecting to find an Asari or Salarian variant of this malware…

Volatility 3 — Downloading Windows Symbols for Volatility 3 on Air-gapped Machines

A Look into SUNBURST’s DGA

My attempt at a script that decodes all of SUNBURST’s DGA strings :)

Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.

Journal: FlareOn7 (Part 3)

This is the last part of the series :)

Journal: FlareOn7 (Part 2)

Continue walking with me on levels 7–9…

Journal: FlareOn7 (Part 1)

Walk with me through my approach to the challenges in FlareOn7 :)

What happened between the BigBadWolf and the Tiger?

Shadows with a chance of BlackNix

A long post on analysis of a variant of BlackNix RATs, which are…

Shadows in the Rain

An analysis of a BBSRAT sample involving mutexes and C2 URL associated with the…

Dad! There’s A Rat In Here!

An analysis of the DADSTACHE sample fetched by the maldoc (MD5…

APT40 goes from Template Injections to OLE-Linkings for payload delivery

Part 1: Evora vs Elise — The Twins

If you had read my last post, you would have known that I am studying samples of Evora. At the…

Analysis Walkthrough — Fun ClientRun (Part 2)

Let’s carry on with the analysis of the payload dropped…

Analysis Walkthrough — Fun ClientRun (Part 1)

This is my first attempt at writing a walkthrough of my analysis process of a…

Confusing naming convention

In the report, it mentioned that the newly dubbed Sagerunex malware is an…