This new version of virustotal-search.py accepts input from stdin.
virustotal-search_V0_1_4.zip (https)
MD5: 867D6272792965D11317BFB6308E20A9
SHA256: 8C033B3C46767590C54C191AEEDC0162B3B8CCDE0D7B75841A6552CA9DE76044
Sunday 23 October 2016
Update: virustotal-search.py Version 0.1.4
Saturday 22 October 2016
Update: cut-bytes.py Version 0.0.4
I added dumps to this new version of cut-bytes.py:
cut-bytes_V0_0_4.zip (https)
MD5: A44D8BBE9BAB9309E732F8995CB5C7BB
SHA256: F95453DE1CC5855C320AB947D9AE354BE8E3ABFA52418C0CF623351A9DBF6344
Monday 17 October 2016
Update: oledump.py Version 0.0.25
This new version has a couple of new options (–decoderdir and –plugindir) and a bugfix.
oledump_V0_0_25.zip (https)
MD5: CED1602AEF505AE0388DB95414F9C00A
SHA256: 54510A54264E4EA3C4559545B5CE43A20D8AB290B4EDDA7B57983AD1396E29FC
Friday 14 October 2016
Analyzing Office Maldocs With Decoder.xls
There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.
Tools: oledump.py, decoder.xls
Sample: 2f918f49c3f926bb1538eaad6e8e6883
Friday 7 October 2016
rtfdump Videos
I produced 3 videos to show you how to use my rtfdump.py tool to analyze (malicious) RTF files.
Here is a video for sample 07884483f95ae891845caf0d50ce507f:
Here is a video for sample 4483ad299158eb54f6ff58b5346a36ee:
Monday 3 October 2016
Overview of Content Published In September
Here is an overview of content I published in September:
Blog posts:
- Update: translate.py Version 2.3.1
- decoder-search.py Beta
- Quickpost: Enhancing Radare2 Disassembly Listing
YouTube videos:
- Malware: Process Explorer & Procmon
- Malware: FakeNet-NG
- Maldoc VBA: .pub File
- Maldoc VBA: decoder.xls
- Maldoc VBA: Shellcode
SANS ISC Diary entries:
Didier Stevens 