Binary tracing is sometimes useful in malware analysis in order to check the flow of execution for a given sample (checking anti-analysis tricks, exit conditions, etc.).

The easiest way to trace the execution of a binary is with a DBI (dynamic binary instrumentation) framework. Personally I like Intel's Pin, but there are others that

Read More

In recent phishing attacks, PowerShell is usually employed to load and execute position-independent shellcode delivered via a macro-enabled Office document.

Infection process

So, in order to know what actions are being carried out, the truly interesting part here is the shellcode being executed. However, to slow down analysis or lower detection,

Read More
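Because the shellcode is the part worth analysing, the first step is usually to get it out of the PowerShell loader. The script below is an added example, not code from the post or from any real sample: it assumes the loader is passed through `-EncodedCommand` (base64 of the UTF-16LE script text, which PowerShell accepts under abbreviated flags such as `-enc`) and keeps the shellcode either as an inline `0x..` byte array or as a base64 string handed to `FromBase64String`. The command line and the placeholder "shellcode" (three NOPs and an `int3`) are constructed for the example.

```python
import base64
import re

# Constructed sample (not from a real phishing document): a PowerShell loader of the
# shape the excerpt describes, with three NOPs and an int3 standing in for real
# position-independent shellcode.
SAMPLE_SCRIPT = (
    "[Byte[]]$sc = 0x90,0x90,0x90,0xcc;"
    "$m=[Runtime.InteropServices.Marshal]::AllocHGlobal($sc.Length);"
    "[Runtime.InteropServices.Marshal]::Copy($sc,0,$m,$sc.Length)"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode()

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# A run of at least four 0x.. byte literals: where loaders usually inline the shellcode.
BYTE_LIST = re.compile(r"(?:0x[0-9a-fA-F]{1,2}\s*,\s*){3,}0x[0-9a-fA-F]{1,2}")
# Alternative layout: the shellcode is a base64 string handed to FromBase64String.
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def find_encoded_blob(cmdline: str) -> str:
    """Return the base64 argument of -EncodedCommand from a PowerShell command line."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return m.group(1)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the script text encoded as UTF-16LE."""
    return base64.b64decode(blob).decode("utf-16le")


def extract_shellcode(script: str) -> bytes:
    """Recover the raw shellcode bytes from the decoded loader script."""
    m = BYTE_LIST.search(script)
    if m:
        return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]{1,2}", m.group(0)))
    m = B64_CALL.search(script)
    if m:
        return base64.b64decode(m.group(1))
    raise ValueError("no inline byte array or base64 shellcode found")


def shellcode_from_cmdline(cmdline: str) -> bytes:
    """End to end: command line -> decoded script -> shellcode bytes."""
    return extract_shellcode(decode_encoded_command(find_encoded_blob(cmdline)))


if __name__ == "__main__":
    sc = shellcode_from_cmdline(SAMPLE_CMDLINE)
    with open("shellcode.bin", "wb") as f:  # dump for a disassembler or emulator
        f.write(sc)
    print(f"extracted {len(sc)} bytes: {sc.hex()}")
```

The dumped `shellcode.bin` is what you then disassemble or run under an emulator; real loaders often add a layer of obfuscation (string concatenation, XOR loops, compressed blobs) in front of one of these two layouts, so the regexes are a starting point, not a parser for every variant.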

I recently came across an APT, named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. What is peculiar about Dimnie is how it does so: Dimnie changes the HTTP Host header to point to a

Read More
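A Host header that names one place while the bytes go to another is also something a proxy log can surface. The check below is an added example, not from the Unit42 report or from this post: it assumes the proxy records both the destination IP and the Host header of each request, and it uses a constructed resolver table (hostname to the addresses it resolved to in the same time window, as passive DNS would give you) in place of live lookups. The log lines are constructed for the example.

```python
import ipaddress

# Constructed proxy log (not a real capture).
# Fields: client, destination IP, method, Host header, path.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.7 GET www.example.com /index.html
10.0.0.5 198.51.100.20 POST www.example.com:80 /upload
10.0.0.9 203.0.113.7 GET www.example.com /img.png
10.0.0.9 192.0.2.33 GET cdn.example.net /lib.js
10.0.0.9 192.0.2.99 GET 192.0.2.99 /raw
10.0.0.7 198.51.100.21 GET updates.example.org /check
"""

# Constructed stand-in for passive DNS: what each hostname legitimately resolved to
# while the log was collected. Live DNS would work too, but records change over time.
RESOLVER = {
    "www.example.com": {"203.0.113.7"},
    "cdn.example.net": {"192.0.2.33", "192.0.2.34"},
}


def host_header_name(host: str) -> str:
    """Strip an optional :port from a Host header value."""
    name = host.strip().lower()
    if name.count(":") == 1:  # "host:port"; IPv6 literals have more colons
        name = name.split(":", 1)[0]
    return name


def check_host(host: str, dst_ip: str, resolver=RESOLVER):
    """Return None if the Host header agrees with the destination, else a short reason."""
    name = host_header_name(host)
    try:  # Host carries an IP literal: compare it with the destination directly
        same = ipaddress.ip_address(name) == ipaddress.ip_address(dst_ip)
        return None if same else "ip literal differs from destination"
    except ValueError:
        pass
    addrs = resolver.get(name)
    if addrs is None:
        return "host not seen in resolver data"
    return None if dst_ip in addrs else "host resolves elsewhere"


def find_mismatches(log_text: str, resolver=RESOLVER):
    """Return (client, dst_ip, host, reason) for every request whose Host header
    does not match where the connection actually went."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, dst_ip, _method, host, _path = line.split()
        reason = check_host(host, dst_ip, resolver)
        if reason:
            out.append((client, dst_ip, host, reason))
    return out


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print("suspicious:", *hit)
```

The two flagged lines are the interesting ones: a well-known hostname in the Host header while the TCP connection goes to an address that name never resolved to, and a hostname the resolver data has no record of at all. CDNs and shared hosting produce benign hits of the first kind, so in practice you would whitelist known CDN ranges and look at the POST with the mismatched Host first.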

Notice: as noted by @Antelox, this is just a loader that drops LokiBot, not LokiBot itself.


Loki is a credential-harvesting bot sold on Russian underground forums and black markets.

Loki as advertised


For this blog post, the goal will be to defeat/patch Loki's anti-analysis measures in order to be able to properly

Read More