Tools: YARA release candidate 1 for version 4.2.0
ISC Diary Entry: YARA’s Console Module
Tools: oledump.py, zipdump.py
ISC diary entries: Simple YARA Rules for Office Maldocs, YARA Rule for OOXML Maldocs: Less False Positives
Sample: a9490d94cf547e27dcc0d52dc72e74e7
Tools: oledump.py, zipdump.py, xmldump.py, translate.py, base64dump.py
ISC Diary entry: Obfuscated Maldoc: Reversed BASE64
Tool: zipdump.py
ISC diary entries: Reader Malware: ZIP/HTML Phish, Phishing ZIP With Malformed Filename, Video: Phishing ZIP With Malformed Filename
Network capture: 2021-02-02 – QUICK POST: HANCITOR INFECTION WITH FICKER STEALER, COBALT STRIKE, & NETSUPPORT RAT
Tools: cs-decrypt-metadata.py, cs-parse-http-traffic.py, 1768.py
Blog posts: Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1, Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2, Decrypting Cobalt Strike Traffic With a “Leaked” Private Key
Tools: CyberChef
Sample: 2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b
ISC Diary Entry: Strings Analysis: VBA & Excel4 Maldoc