This is going to be a relatively short post which won’t contain much code in itself but rather some observations I made on the state of existing security and logging utilities, with Sysmon’s handling of usermode modules being the case study. Recently, a lot of people realized that Sysmon’s stack trace feature is quite useful […]


A well-known trick that has been employed in malware for a very long time (it has been publicly discussed on HF since at least 2014: showthread.php?tid=4548593) is spoofing command line arguments. More recently, this method was discovered by the wider infosec community and was incorporated into tools like Cobalt Strike. Implementations often go like […]


MD5: a462c3b291b90b202c6d090881ba6134
File type: PE, Visual C++
https://app.any.run/tasks/0e429277-f2b6-4432-80ad-fed61a2bb33a/

Background information: Baldr is a relatively new stealer that became available on some forums in early 2019. It was previously analyzed by MalwareBytes (https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/). However, since MB’s analysis did not include deobfuscation, I will be including a deobfuscated version of the malware as well as an analysis of […]
