🧩 Overview

This analysis covers a suspicious executable named Dropper.DownloadFromURL.exe, identified as a potential malware dropper. The sample appears to retrieve a payload from a remote server, write it to disk, and execute it. The sample comes from TCM Security’s Practical Malware Analysis & Triage course.

🔍 Static Analysis

Hashes
- SHA256: 92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a
- MD5: 1d8562c0adcaee734d63f7baaca02f7c

Embedded Strings (UTF-16LE)
- cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
- http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
- C:\Users\Public\Documents\CR433101.dat.exe
- Mozilla/5.0
- "http://huskyhacks.dev"
- ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
- open

Taken together, the strings line up with the behaviour described in the overview: the favicon.ico URL and the Mozilla/5.0 user agent point at the download, the CR433101.dat.exe path under C:\Users\Public\Documents is where the payload is written, and the two ping commands use a single ICMP echo with a 3000 ms timeout as a crude sleep before the next action. One of them launches the dropped file; the other runs Del /f /q on a path filled in at runtime ("%s"), a pattern typically used for self-deletion. The bare "open" string is consistent with a ShellExecute verb. Note that a .dat.exe name under Public\Documents is an easy hunting pivot on its own.

⚙️ Import Table (IAT) Analysis

The executable imports the following Windows API calls: ...
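As an added example (not part of the original write-up, and not TCM Security's or the course's code), here is a small string extractor of the kind used in the Static Analysis section: it scans a buffer for narrow ASCII runs and for UTF-16LE runs, which is how the strings above appear in the binary, and reports the SHA256 and MD5 of the buffer. The SAMPLE buffer is constructed here from the strings listed above and stands in for the real executable; pass a file path to run it against an actual sample.

```python
import hashlib
import re
import sys

# Constructed stand-in for the sample: the UTF-16LE strings listed above, padded
# with filler bytes. This is NOT the real Dropper.DownloadFromURL.exe.
_WIDE = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico",
    r"C:\Users\Public\Documents\CR433101.dat.exe",
    "Mozilla/5.0",
]
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16
for _s in _WIDE:
    SAMPLE += _s.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 7
SAMPLE += b"open\x00"  # one narrow (ASCII) string so both scanners find something


def extract_strings(data: bytes, min_len: int = 4):
    """Return [(encoding, text), ...] for printable runs of at least min_len chars.

    Scans for narrow ASCII runs and for UTF-16LE runs (each printable byte
    followed by 0x00), which is how Windows wide strings sit in a PE file.
    A narrow scan alone would miss every string in the dropper's list above.
    """
    narrow_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in narrow_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 of the buffer, the two values reported in the Hashes section."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


if __name__ == "__main__":
    # Usage: python extract.py [path-to-sample]; with no path the constructed buffer is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, value in hashes(data).items():
        print(f"{name}: {value}")
    for enc, text in extract_strings(data):
        print(f"[{enc:8}] {text}")
```

The wide-string regex requires every character to be followed by a 0x00 byte, so it will not pick up non-Latin UTF-16 text; for triage of Windows droppers that is usually the right trade-off, and it keeps the narrow and wide scans from double-reporting the same bytes.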
RAT.CMDSocket.exe Analysis
Overview

This post documents my analysis of a Remote Access Trojan (RAT) sample, RAT.CMDSocket.exe.malz. The objective was to identify its capabilities, persistence methods, and communication patterns through a combination of static and dynamic analysis.

Static Analysis

Initial string extraction immediately revealed notable artifacts:
- @SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.
- @https
- @No uri scheme supplied.
- InternetOpenW
- InternetOpenUrlW
- @wininet
- MessageBoxW
- @[+] what command can I run for you
- @[+] online
- @NO SOUP FOR YOU
- \mscordll.exe
- Nim httpclient/1.0.6
- /msdcorelib.exe
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- intrt explr
- http://serv1.ec2-102-95-13-2-ubuntu.local

The "Compile with -d:ssl" error text and the Nim httpclient/1.0.6 user agent are Nim standard-library artifacts, so the binary was built with Nim (version 1.0.6) rather than with a C/C++ toolchain, which matters for choosing a disassembler workflow. The wininet imports (InternetOpenW, InternetOpenUrlW) and the serv1.ec2-102-95-13-2-ubuntu.local URL point to plain HTTP for command and control, consistent with SSL support being compiled out. The Start Menu\Programs\Startup path next to the mscordll.exe and msdcorelib.exe names suggests persistence by dropping a copy into the user's Startup folder, and the "[+] ..." / "NO SOUP FOR YOU" strings look like operator-facing responses in the command loop.

Key takeaways: ...
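As a further added example (again not the post's own code), the strings from this sample and from the dropper above can be run through a small capability tagger and IOC extractor, which is the step that turns a raw string dump into something a detection engineer can act on. The rule set and both string lists are constructed here for the write-up (the lists are copied from the two posts, the leading "@" that the dump put on some entries is stripped before matching), so treat the output as triage hints to confirm dynamically rather than as a verdict.

```python
import re
from urllib.parse import urlparse

# Strings as listed in the two write-ups (copied from the posts, not re-extracted here).
RAT_STRINGS = [
    "@SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.",
    "@https",
    "@No uri scheme supplied.",
    "InternetOpenW",
    "InternetOpenUrlW",
    "@wininet",
    "MessageBoxW",
    "@[+] what command can I run for you",
    "@[+] online",
    "@NO SOUP FOR YOU",
    r"\mscordll.exe",
    "Nim httpclient/1.0.6",
    "/msdcorelib.exe",
    r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "intrt explr",
    "http://serv1.ec2-102-95-13-2-ubuntu.local",
]
DROPPER_STRINGS = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico",
    r"C:\Users\Public\Documents\CR433101.dat.exe",
    "Mozilla/5.0",
    '"http://huskyhacks.dev"',
    r"ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe",
    "open",
]

# Hypothetical rule set written for this write-up: tag -> pattern. Extend per sample set.
RULES = {
    "network:http_url": re.compile(r"https?://[^\s\"']+", re.I),
    "network:wininet": re.compile(r"^(wininet|InternetOpen\w*)$", re.I),
    "network:user_agent": re.compile(r"^(Mozilla/|Nim httpclient/)"),
    "persistence:startup_folder": re.compile(r"Start Menu\\Programs\\Startup", re.I),
    "execution:ping_delay": re.compile(r"\bping\s+\S+\s+-n\s+\d+\s+-w\s+\d+", re.I),
    "anti_forensics:self_delete": re.compile(r"\bdel\s+/f\s+/q\b", re.I),
    "file:executable_ref": re.compile(r"[\w.-]+\.exe\b", re.I),
    "toolchain:nim": re.compile(r"\bNim\b|-d:ssl"),
    "ui:messagebox": re.compile(r"^MessageBox[AW]$"),
    "c2:operator_chatter": re.compile(r"^\[\+\]|NO SOUP FOR YOU"),
}
URL_RE = RULES["network:http_url"]
EXE_RE = RULES["file:executable_ref"]


def _norm(raw: str) -> str:
    # The string dump prefixed some entries with '@'; drop it so patterns anchored at ^ still hit.
    return raw.strip().lstrip("@")


def classify(strings):
    """Map each capability tag to the strings that triggered it."""
    tags = {}
    for raw in strings:
        s = _norm(raw)
        for tag, rx in RULES.items():
            if rx.search(s):
                tags.setdefault(tag, []).append(s)
    return tags


def extract_iocs(strings):
    """Pull URLs, hostnames and executable names worth blocking or hunting for."""
    urls, hosts, exes = set(), set(), set()
    for raw in strings:
        s = _norm(raw)
        for url in URL_RE.findall(s):
            urls.add(url)
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
        exes.update(m.lower() for m in EXE_RE.findall(s))
    return {"urls": sorted(urls), "hosts": sorted(hosts), "executables": sorted(exes)}


if __name__ == "__main__":
    for name, strs in (("RAT.CMDSocket", RAT_STRINGS), ("Dropper.DownloadFromURL", DROPPER_STRINGS)):
        print(f"== {name}")
        for tag, hits in sorted(classify(strs).items()):
            print(f"  {tag:28} {hits}")
        print("  iocs:", extract_iocs(strs))
```

The tags deliberately separate what the sample can do (persistence, delay, self-delete) from what it talks to (hosts) so the two feed different consumers: the first into a behavioural write-up and sandbox checklist, the second straight into DNS and proxy blocklists. A tag like file:executable_ref will also fire on benign strings such as cmd.exe, which is why the classifier returns the triggering strings rather than a bare label.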