
2022-04-12 — Max Kersten's Blog — Max Kersten
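@online{kersten:20220412:ghidra:4afe367,
  author       = {Kersten, Max},
  title        = {{Ghidra} script to handle stack strings},
  organization = {Max Kersten's Blog},
  date         = {2022-04-12},
  url          = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/},
  urldate      = {2022-04-20},
  language     = {English},
}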
CaddyWiper PlugX
2022-03-28 — Trellix — Max Kersten, Marc Elias
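@online{kersten:20220328:plugx:37256d5,
  author       = {Kersten, Max and Elias, Marc},
  title        = {{PlugX}: A Talisman to Behold},
  organization = {Trellix},
  date         = {2022-03-28},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html},
  urldate      = {2022-03-30},
  language     = {English},
}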
PlugX
2022-03-02 — Trellix — Max Kersten
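@online{kersten:20220302:digging:42a2aaf,
  author       = {Kersten, Max},
  title        = {Digging into {HermeticWiper}},
  organization = {Trellix},
  date         = {2022-03-02},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html},
  urldate      = {2022-03-04},
  language     = {English},
}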
HermeticWiper
2022-02-01 — Max Kersten's Blog — Max Kersten
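@online{kersten:20220201:dumping:2784605,
  author       = {Kersten, Max},
  title        = {Dumping {WhisperGate’s} wiper from an {Eazfuscator} obfuscated loader},
  organization = {Max Kersten's Blog},
  date         = {2022-02-01},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/},
  urldate      = {2022-02-02},
  language     = {English},
}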
WhisperGate
2022-01-25 — Trellix — Marc Elias, Christiaan Beek, Alexandre Mundo, Leandro Velasco, Max Kersten
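@online{elias:20220125:prime:20a5b0c,
  author       = {Elias, Marc and Beek, Christiaan and Mundo, Alexandre and Velasco, Leandro and Kersten, Max},
  title        = {{Prime Minister’s Office} Compromised: Details of Recent Espionage Campaign},
  organization = {Trellix},
  date         = {2022-01-25},
  url          = {https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html},
  urldate      = {2022-01-25},
  language     = {English},
}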
Graphite
2022-01-20 — Trellix — Christiaan Beek, Max Kersten, Raj Samani
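@online{beek:20220120:return:a89bce6,
  author       = {Beek, Christiaan and Kersten, Max and Samani, Raj},
  title        = {Return of Pseudo Ransomware},
  organization = {Trellix},
  date         = {2022-01-20},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html},
  urldate      = {2022-01-24},
  language     = {English},
}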
WhisperGate
2022-01-17 — Twitter (@Libranalysis) — Max Kersten
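@online{kersten:20220117:short:d913f54,
  author       = {Kersten, Max},
  title        = {Tweet on short analysis of {WHISPERGATE} stage 3 malware},
  organization = {Twitter (@Libranalysis)},
  date         = {2022-01-17},
  url          = {https://twitter.com/Libranalysis/status/1483128221956808704},
  urldate      = {2022-01-25},
  language     = {English},
}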
WhisperGate
2021-09-08 — McAfee — Max Kersten, John Fokker, Thibault Seret
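@online{kersten:20210908:how:5c39aac,
  author       = {Kersten, Max and Fokker, John and Seret, Thibault},
  title        = {How {Groove Gang} is Shaking up the {Ransomware-as-a-Service} Market to Empower Affiliates},
  organization = {McAfee},
  date         = {2021-09-08},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/},
  urldate      = {2021-09-12},
  language     = {English},
}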
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-08-04 — McAfee — Max Kersten
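@online{kersten:20210804:see:9533247,
  author       = {Kersten, Max},
  title        = {{See Ya Sharp}: A Loader’s Tale},
  organization = {McAfee},
  date         = {2021-08-04},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/see-ya-sharp-a-loaders-tale/},
  urldate      = {2021-08-06},
  language     = {English},
}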
2021-07-25 — Max Kersten's Blog — Max Kersten
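@online{kersten:20210725:ghidra:00c108d,
  author       = {Kersten, Max},
  title        = {{Ghidra} script to decrypt a string array in {XOR DDoS}},
  organization = {Max Kersten's Blog},
  date         = {2021-07-25},
  url          = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/},
  urldate      = {2021-08-02},
  language     = {English},
}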
XOR DDoS
2021-02-09 — Max Kersten's Blog — Max Kersten
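@online{kersten:20210209:ghidra:0e7f66c,
  author       = {Kersten, Max},
  title        = {{Ghidra} script to decrypt strings in {Amadey} 1.09},
  organization = {Max Kersten's Blog},
  date         = {2021-02-09},
  url          = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/},
  urldate      = {2021-02-09},
  language     = {English},
}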
Amadey
2020-09-17 — Max Kersten's Blog — Max Kersten
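@online{kersten:20200917:automatic:8b19414,
  author       = {Kersten, Max},
  title        = {Automatic {ReZer0} payload and configuration extraction},
  organization = {Max Kersten's Blog},
  date         = {2020-09-17},
  url          = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/automatic-rezer0-payload-and-configuration-extraction/},
  urldate      = {2020-09-18},
  language     = {English},
}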
2020-08-26 — Max Kersten's Blog — Max Kersten
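@online{kersten:20200826:rezer0v4:3bc357a,
  author       = {Kersten, Max},
  title        = {{ReZer0v4} loader},
  organization = {Max Kersten's Blog},
  date         = {2020-08-26},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/},
  urldate      = {2020-08-27},
  language     = {English},
}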
MASS Logger
2020-04-14 — Max Kersten
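@online{kersten:20200414:emotet:ec18d45,
  author       = {Kersten, Max},
  title        = {{Emotet} {JavaScript} downloader},
  date         = {2020-04-14},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/},
  urldate      = {2020-04-14},
  language     = {English},
}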
Unidentified JS 003 (Emotet Downloader)
2020-03-26 — Max Kersten's Blog — Max Kersten
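@online{kersten:20200326:azorult:5d5ee1f,
  author       = {Kersten, Max},
  title        = {{Azorult} loader stages},
  organization = {Max Kersten's Blog},
  date         = {2020-03-26},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/},
  urldate      = {2020-03-26},
  language     = {English},
}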
Azorult
2020-02-24 — Max Kersten's Blog — Max Kersten
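@online{kersten:20200224:closing:9d39fcf,
  author       = {Kersten, Max},
  title        = {Closing in on {MageCart} 12},
  organization = {Max Kersten's Blog},
  date         = {2020-02-24},
  url          = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/},
  urldate      = {2020-02-25},
  language     = {English},
}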
magecart
2020-02-17 — Max Kersten's Blog — Max Kersten
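@online{kersten:20200217:following:07470c1,
  author       = {Kersten, Max},
  title        = {Following the tracks of {MageCart} 12},
  organization = {Max Kersten's Blog},
  date         = {2020-02-17},
  url          = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/},
  urldate      = {2020-02-20},
  language     = {English},
}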
magecart
2020-01-20 — Max Kersten's Blog — Max Kersten
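@online{kersten:20200120:ticket:ad7af1c,
  author       = {Kersten, Max},
  title        = {Ticket resellers infected with a credit card skimmer},
  organization = {Max Kersten's Blog},
  date         = {2020-01-20},
  url          = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/},
  urldate      = {2020-01-27},
  language     = {English},
}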
magecart
2019-10-14 — Max Kersten's Blog — Max Kersten
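@online{kersten:20191014:corona:60d807b,
  author       = {Kersten, Max},
  title        = {{Corona DDoS} bot},
  organization = {Max Kersten's Blog},
  date         = {2019-10-14},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/},
  urldate      = {2021-11-03},
  language     = {English},
}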
Bashlite Corona DDOS Bot
2019-02-16 — Max Kersten's Blog — Max Kersten
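@online{kersten:20190216:emotet:7cb0628,
  author       = {Kersten, Max},
  title        = {{Emotet} droppers},
  organization = {Max Kersten's Blog},
  date         = {2019-02-16},
  url          = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/},
  urldate      = {2020-01-09},
  language     = {English},
}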
Emotet