URL Extractor Package

We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.

In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.

Continue reading “URL Extractor Package”

Reversing Complex PowerShell Malware

In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables.

Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA

Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal.

Continue reading “Reversing Complex PowerShell Malware”

OneNote Format Package: All Licenses

As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.

Installing the package from Cerbero Store takes only a few mouse clicks.

Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.

Continue reading “OneNote Format Package: All Licenses”

PowerShell Beautifier 2.0 Package

We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.

For example, this is a snippet of a malicious script:

$T = 'Get'
$M = $T + 'Method'
$I = 'Invoke'
$T = $T + 'Type'
$L = 'Load'
$Q0 = [Reflection.Assembly]
$B = $Q0::$L($MyS)
$B = $B.$T('NewPE2.PE')
$B = $B.$M('Execute')

$Ub = 'C:\Windows\Microsoft'
$z = $Ub + '.NET\Framewor'
$VT = $z + 'k\v4.0.30'
$XQ = $VT + '319\RegSvcs.exe'
$B = $B.$I($null,[object[]] ($XQ,$serv))

With both variable replacement and removal of unused variables enabled it becomes:

$load_result = [Reflection.Assembly]::Load($x_result)
$get_type_result = $load_result.GetType('NewPE2.PE')
$get_method_result = $get_type_result.GetMethod('Execute')
$invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))

TAR Format Package

We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.

The package is also exposed to the SDK:

from Pro.Core import *
from Pkg.TAR import *

def parseTARArchive(fname):
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    obj = TARObject()
    if not obj.Load(c) or not obj.ParseArchive():
        return
    curoffs = None
    while True:
        entry, curoffs = obj.NextEntry(curoffs)
        if entry == None:
            break
        # skip directories
        if obj.IsDirectory(entry):
            continue
        print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size))
        # retrieves the file data as NTContainer
        fc = obj.GetEntryData(entry)

Cerbero Suite 6.2 and Cerbero Engine 3.2 are out!

We recently released three commercial packages: OneNote Format, Simple Batch Emulator and PowerShell Beautifier.

In this release we moved a number of features to optional packages so that we can more rapidly update them. Cerbero Store now has the following additional packages:

– JavaScript Beautifier (all licenses)
– EML Format (all advanced licenses)
– Torrent Format (all advanced licenses)
– ShellcodeToExecutable (all advanced licenses)
– Tor Downloader (all advanced licenses)
– Python Snippets (all licenses)

We have also reached another important milestone in the SDK documentation process, as it now features the complete guide on how to create plugins and extensions for Cerbero Suite and Cerbero Engine.

We also improved syntax highlighting and fixed various bugs.

RedLine Stealer Dropper

An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.

SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6

The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.

Continue reading “RedLine Stealer Dropper”