Blog

Password Protected Word Document Connects to TOR Hidden Service

Hash Value SHA256: 3a813df1c8f1e835cc98dd60b799c64e61 db51a259ee30b7235004ccb3c9df64 View the Full Password Protected Word Document Analysis Report Password protected documents are an effective method for malware to bypass anti-virus (AV) and other detection solutions. Typically the AV will not be able to parse the password required from the text of the email used to send the malicious document. […]

Read More "Password Protected Word Document Connects to TOR Hidden Service"

VMRay Analyzer v2.1 Enhances Detection Efficacy & Fileless Malware Analysis

VMRay Analyzer 2.1 will be officially announced at Black Hat 2017 this week. Over the last three years, VMRay has set itself apart from the competition in the Automated Malware Analysis (AMA) industry with its unique agentless hypervisor-based approach to malware detection. This approach enables DFIR Specialists and CERTs using VMRay Analyzer to detect new […]

Read More "VMRay Analyzer v2.1 Enhances Detection Efficacy & Fileless Malware Analysis"

Built-In YARA Rulesets for Increased Efficacy and Classification

YARA is an open source tool that helps malware researchers identify and classify malware by family based on known binary patterns and strings. YARA works by ingesting rules and applying them against various elements of the analysis (such as files and registry keys) to flag potentially malicious files and processes. Signature-based detection with YARA rulesets has its […]

Read More "Built-In YARA Rulesets for Increased Efficacy and Classification"

Petya/NotPetya/ExPetr Cyber Attack is More Wiper Than Ransomware

Malware Family: (Not)Petya Hash Value SHA256: 027cc450ef5f8c5f653329641ec1fed 91f694e0d229928963b30f6b0d7d3a745 View the Full Petya Analysis Report According to Microsoft, the Petya (also referred to as NotPetya/ExPetr) Ransomware attack started its initial infection through a compromise at the Ukrainian company M.E.Doc, a developer of tax accounting software. We took a closer look and did a full analysis using VMRay […]

Read More "Petya/NotPetya/ExPetr Cyber Attack is More Wiper Than Ransomware"

404 Error Page Hides RAMNIT.A Worm in the Source Code

Malware Family: Win32/Ramnit Hash Values MD5: 089dc369616dafa44a9f7fefb18e8961 SHA1: c4a2430634b7ca7427d2c055dbbb1fb8cd42a285 SHA256: 4ebafa2738f11d73d06dddf18ce41cf 02c6913f431f2b383f7abaa0d04419f2f View the Full RAMNIT.A Worm Analysis Report Most of the time, links aren’t dangerous without user interaction. Recently, we discovered an innocent-looking link for a JPG picture that prompts a user to activate ActiveX on IE. Leveraging a social engineering technique, if the user […]

Read More "404 Error Page Hides RAMNIT.A Worm in the Source Code"

VMRay Analyzer Identifies Resume Containing Evasive Malware

Recently, we received a seemingly innocuous job application with an attached Word document called “resume.doc”. Let’s take a closer look at the malicious behavior embedded in this fake resume. Upon uploading the Word doc into VMRay Analyzer, the signature was sent to our built-in reputation service, where the file hash was queried against known malicious […]

Read More "VMRay Analyzer Identifies Resume Containing Evasive Malware"

‘Close Enough’ Doesn’t Count in Cyber Security

Even though enterprises spend millions every year on information security they still remain vulnerable to persistent cyber criminals in a world where cybercrime like ransomware is pervasive. Organizations cannot afford to do the “bare minimum” when it comes to threat analysis. As the saying goes, ” ‘close enough’ only counts in horseshoes and hand grenades” and not in […]

Read More "‘Close Enough’ Doesn’t Count in Cyber Security"

Wanna Decryptor Worm Spreads Over MS17-010 Vulnerability

About one month ago, the Shadow Brokers hacker group published a set of NSA hacking tools, that included zero-day exploits. One of these exploits is known as the ETERNALBLUE Server Message Block Protocol (SMB) vulnerability (MS17-010). It was only a matter of time before the inevitable happened. A malware author used this vulnerability to spread ransomware […]

Read More "Wanna Decryptor Worm Spreads Over MS17-010 Vulnerability"

Anti-Sandboxing Techniques in Cerber Ransomware Can’t Detect VMRay Analyzer

A new variant of Cerber ransomware is in the wild and has built-in anti-sandbox tools to detect hooking-based sandbox environments, as explained in this article by Cyphort. The limitations of a hooking-based approach, where a driver is injected into the target environment and ‘hooks’ API calls,  allow the malware to easily detect the analysis environment. This […]

Read More "Anti-Sandboxing Techniques in Cerber Ransomware Can’t Detect VMRay Analyzer"