
2022-05-12 | Red Canary | Tony Lambert, Lauren Podber
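@techreport{lambert:20220512:gootloader:4562030,
  author      = {Lambert, Tony and Podber, Lauren},
  title       = {{Gootloader} and {Cobalt Strike} malware analysis},
  date        = {2022-05-12},
  institution = {Red Canary},
  url         = {https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf},
  language    = {English},
  urldate     = {2022-05-13},
}
Gootloader and Cobalt Strike malware analysis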
GootLoader Cobalt Strike
2022-05-12 | Red Canary | Tony Lambert, Lauren Podber
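@online{lambert:20220512:goot:1fc62fa,
  author       = {Lambert, Tony and Podber, Lauren},
  title        = {The {Goot} cause: Detecting {Gootloader} and its follow-on activity},
  date         = {2022-05-12},
  organization = {Red Canary},
  url          = {https://redcanary.com/blog/gootloader},
  language     = {English},
  urldate      = {2022-05-13},
}
The Goot cause: Detecting Gootloader and its follow-on activity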
GootLoader Cobalt Strike
2022-04-24 | forensicitguy | Tony Lambert
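@online{lambert:20220424:shortcut:b1a00dd,
  author       = {Lambert, Tony},
  title        = {Shortcut to {Emotet}, an odd {TTP} change},
  date         = {2022-04-24},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/},
  language     = {English},
  urldate      = {2022-04-25},
}
Shortcut to Emotet, an odd TTP change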
Emotet
2022-04-16 | forensicitguy | Tony Lambert
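@online{lambert:20220416:snip3:6d70f31,
  author       = {Lambert, Tony},
  title        = {{Snip3} Crypter used with {DCRat} via {VBScript}},
  date         = {2022-04-16},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/},
  language     = {English},
  urldate      = {2022-04-29},
}
Snip3 Crypter used with DCRat via VBScript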
DCRat
2022-03-26 | forensicitguy | Tony Lambert
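@online{lambert:20220326:agenttesla:edea93d,
  author       = {Lambert, Tony},
  title        = {An {AgentTesla} Sample Using {VBA} Macros and {Certutil}},
  date         = {2022-03-26},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/agenttesla-vba-certutil-download/},
  language     = {English},
  urldate      = {2022-03-28},
}
An AgentTesla Sample Using VBA Macros and Certutil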
Agent Tesla
2022-02-12 | forensicitguy | Tony Lambert
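@online{lambert:20220212:analyzing:cea05eb,
  author       = {Lambert, Tony},
  title        = {Analyzing a Stealer {MSI} using msitools},
  date         = {2022-02-12},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/},
  language     = {English},
  urldate      = {2022-02-14},
}
Analyzing a Stealer MSI using msitools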
Arkei Stealer
2022-02-11 | forensicitguy | Tony Lambert
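@online{lambert:20220211:xloaderformbook:1f69d72,
  author       = {Lambert, Tony},
  title        = {{XLoader}/{Formbook} Distributed by Encrypted {VelvetSweatshop} Spreadsheets},
  date         = {2022-02-11},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/},
  language     = {English},
  urldate      = {2022-02-14},
}
XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets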
Formbook
2022-02-06 | forensicitguy | Tony Lambert
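@online{lambert:20220206:agenttesla:6d362f7,
  author       = {Lambert, Tony},
  title        = {{AgentTesla} From {RTF} Exploitation to {.NET} Tradecraft},
  date         = {2022-02-06},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/},
  language     = {English},
  urldate      = {2022-02-07},
}
AgentTesla From RTF Exploitation to .NET Tradecraft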
Agent Tesla
2022-02-03 | forensicitguy | Tony Lambert
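@online{lambert:20220203:njrat:88ea206,
  author       = {Lambert, Tony},
  title        = {{njRAT} Installed from a {MSI}},
  date         = {2022-02-03},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/njrat-installed-from-msi/},
  language     = {English},
  urldate      = {2022-02-04},
}
njRAT Installed from a MSI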
NjRAT
2022-02-02 | forensicitguy | Tony Lambert
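@online{lambert:20220202:strrat:c81498a,
  author       = {Lambert, Tony},
  title        = {{STRRAT} Attached to a {MSI} File},
  date         = {2022-02-02},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/strrat-attached-to-msi/},
  language     = {English},
  urldate      = {2022-02-04},
}
STRRAT Attached to a MSI File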
STRRAT
2022-01-27 | forensicitguy | Tony Lambert
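@online{lambert:20220127:guloader:c165a2c,
  author       = {Lambert, Tony},
  title        = {{GuLoader} Executing Shellcode Using Callback Functions},
  date         = {2022-01-27},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/},
  language     = {English},
  urldate      = {2022-02-01},
}
GuLoader Executing Shellcode Using Callback Functions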
CloudEyE
2022-01-23 | forensicitguy | Tony Lambert
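@online{lambert:20220123:hcrypt:0b8945b,
  author       = {Lambert, Tony},
  title        = {{HCrypt} Injecting {BitRAT} using {PowerShell}, {HTAs}, and {.NET}},
  date         = {2022-01-23},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/},
  language     = {English},
  urldate      = {2022-01-25},
}
HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET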
BitRAT
2022-01-22 | forensicitguy | Tony Lambert
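@online{lambert:20220122:bazariso:b5e9a03,
  author       = {Lambert, Tony},
  title        = {{BazarISO} Analysis - Loading with {Advpack.dll}},
  date         = {2022-01-22},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/bazariso-analysis-advpack/},
  language     = {English},
  urldate      = {2022-01-28},
}
BazarISO Analysis - Loading with Advpack.dll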
BazarBackdoor
2022-01-17 | forensicitguy | Tony Lambert
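@online{lambert:20220117:emotets:85bf9d4,
  author       = {Lambert, Tony},
  title        = {{Emotet}'s {Excel} 4.0 Macros Dropping {DLLs}},
  date         = {2022-01-17},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/},
  language     = {English},
  urldate      = {2022-01-25},
}
Emotet's Excel 4.0 Macros Dropping DLLs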
Emotet
2022-01-16 | forensicitguy | Tony Lambert
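@online{lambert:20220116:analyzing:2c8a9db,
  author       = {Lambert, Tony},
  title        = {Analyzing a {CACTUSTORCH} {HTA} Leading to {Cobalt Strike}},
  date         = {2022-01-16},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
  language     = {English},
  urldate      = {2022-01-25},
}
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike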
CACTUSTORCH Cobalt Strike
2022-01-09 | forensicitguy | Tony Lambert
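@online{lambert:20220109:inspecting:4681f0a,
  author       = {Lambert, Tony},
  title        = {Inspecting a {PowerShell} {Cobalt Strike Beacon}},
  date         = {2022-01-09},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/},
  language     = {English},
  urldate      = {2022-01-25},
}
Inspecting a PowerShell Cobalt Strike Beacon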
Cobalt Strike
2022-01-04 | forensicitguy | Tony Lambert
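@online{lambert:20220104:extracting:176a37c,
  author       = {Lambert, Tony},
  title        = {Extracting Indicators from a Packed {Mirai} Sample},
  date         = {2022-01-04},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/},
  language     = {English},
  urldate      = {2022-01-25},
}
Extracting Indicators from a Packed Mirai Sample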
Mirai
2022-01-03 | forensicitguy | Tony Lambert
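@online{lambert:20220103:tale:bfd0711,
  author       = {Lambert, Tony},
  title        = {A Tale of Two Dropper Scripts for {Agent Tesla}},
  date         = {2022-01-03},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/},
  language     = {English},
  urldate      = {2022-01-25},
}
A Tale of Two Dropper Scripts for Agent Tesla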
Agent Tesla
2022-01-02 | forensicitguy | Tony Lambert
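@online{lambert:20220102:analyzing:7f13565,
  author       = {Lambert, Tony},
  title        = {Analyzing a {Magnitude EK} {Appx} Package Dropping {Magniber}},
  date         = {2022-01-02},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/},
  language     = {English},
  urldate      = {2022-01-25},
}
Analyzing a Magnitude EK Appx Package Dropping Magniber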
Magniber
2022-01-01 | forensicitguy | Tony Lambert
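@online{lambert:20220101:analyzing:1512a76,
  author       = {Lambert, Tony},
  title        = {Analyzing an {IcedID} Loader Document},
  date         = {2022-01-01},
  organization = {forensicitguy},
  url          = {https://forensicitguy.github.io/analyzing-icedid-document/},
  language     = {English},
  urldate      = {2022-01-25},
}
Analyzing an IcedID Loader Document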
IcedID