
Karsten Hahn

@struppigel.bsky.social

275 Followers  |  20 Following  |  37 Posts  |  Joined: 29.11.2023  |  1.942

Latest posts by struppigel.bsky.social on Bluesky

YouTube video by MalwareAnalysisForHedgehogs: Analysis Verdicts: There is more than Clean and Malicious

🦔 📹 New Video: There is more than Clean and Malicious

➡️ 7 file analysis verdicts and what they mean

#MalwareAnalysisForHedgehogs #Verdicts
www.youtube.com/watch?v=XwT2...

09.08.2025 04:20 — 👍 5    🔁 3    💬 0    📌 1

The course will not be hosted on Udemy. I am very unhappy with it.

The Beginners' course will also be moved to the new platform.

04.08.2025 03:56 — 👍 3    🔁 0    💬 0    📌 0

Good news, the intermediate malware analysis course is almost finished.

I currently have a test student working through the course to get rid of mistakes that I do not notice.

04.08.2025 03:56 — 👍 6    🔁 1    💬 1    📌 0

Nikola Knežević created an overview of AsyncRAT forks and how they relate to each other. Great research.

#AsyncRAT #QuasarRAT
www.welivesecurity.com/en/eset-rese...

16.07.2025 05:24 — 👍 6    🔁 5    💬 0    📌 0
A side by side comparison of the original output by Ghidra, and the LLM enriched output.

Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n

01.07.2025 12:35 — 👍 8    🔁 5    💬 1    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Virut's file infection, part 3

🦔 📹 Virut Part III: File infection analysis and bait file creation

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=FcXP...

05.07.2025 07:07 — 👍 3    🔁 1    💬 0    📌 0

Blog: "Supper is served"
Excellent analysis article of the backdoor Supper by @c-b.io

c-b.io/2025-06-29+-...

30.06.2025 08:17 — 👍 2    🔁 0    💬 0    📌 0

Regarding the last point:

A conclusion makes sense if you have something to add that wasn't there before.

But if you just repeat what you wrote before, it is very boring. In those instances it is better to not add it at all. A blog is not a thesis.

29.06.2025 06:35 — 👍 2    🔁 0    💬 0    📌 0

Tips for newcomers to malware blog articles:

➡️ You don't need to document every malware function. Focus on key areas
➡️ Your text must be factually correct and it is okay to skip those details you are unsure about
➡️ When you are done, just stop writing

29.06.2025 06:35 — 👍 5    🔁 1    💬 1    📌 0
Link preview: Threat Actors abuse signed ConnectWise application as malware builder. Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse th...

A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
www.gdatasoftware.com/blog/2025/06...

23.06.2025 09:57 — 👍 0    🔁 0    💬 0    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Virut's NTDLL Hooking and Process Infection, Part 2

Virut part II: process infection and NTDLL hooking 🦔📹
➡️ x64dbg scripting
➡️ conditional breakpoints
➡️ more import table resolving
➡️ fixing control flow
➡️ marking up hook code

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=nuxn...

30.05.2025 13:27 — 👍 3    🔁 3    💬 0    📌 0
Link preview: Procolored: Printer company serves malware für six months, claims "false positive" warnings. What do a coin stealer, an abandoned backdoor and a file infector have in common? They all resided in the download section on the website of a printer company - stowed away in installer files for driv...

Blog: Printer company provided infected printer software for half a year.

➡️ XRed backdoor
➡️ SnipVex virus

Initially reported by the YouTuber behind "Serial Hobbyism"

www.gdatasoftware.com/blog/2025/05...

16.05.2025 06:50 — 👍 0    🔁 0    💬 0    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Virut, a polymorphic file infector

🦔 📹 New Video: Analysis of Virut - Part I
➡️ self-modifying code
➡️ Ghidra markup decryption stub
➡️ API resolving
➡️ unpacking
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=250B...

30.04.2025 14:04 — 👍 3    🔁 2    💬 0    📌 0
Link preview: 100 Days of YARA: How to write .NET code signatures. If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.

I wrote about how to use knowledge of .NET structures and streams for writing .NET YARA signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...

08.04.2025 13:25 — 👍 9    🔁 4    💬 0    📌 0
Link preview: EP07 Jordan Wiens - Inside the Mind of a Binary Ninja: CTFs, AI and the Future of Cyber Security. Behind the Binary by Google Cloud Security · Episode

Podcast with @jstrosch.bsky.social and @psifertex.bsky.social about:
Binary Ninja, CTFs, AI, the future of cyber security

open.spotify.com/episode/6tMY...

02.04.2025 19:02 — 👍 6    🔁 3    💬 0    📌 0

This might also be interesting for you if you want to know how to deobfuscate .NET Reactor 6 or how to debug .NET DLL files.

02.03.2025 11:56 — 👍 1    🔁 0    💬 0    📌 0

Maybe it was created with AI help but the creator did not understand that it does not work. Dunno, my guess is as good as yours.

02.03.2025 10:19 — 👍 3    🔁 0    💬 1    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Unpacking Lumma Stealer from Emmenhtal and Pure Crypter

🦔 📹 New Video: Unpacking Lumma Stealer

We continue where we left off last time and unpack the Emmenhtal to Pure Crypter to Lumma Stealer chain.

www.youtube.com/watch?v=aenO...

#MalwareAnalysisForHedgehogs #LummaStealer

02.03.2025 10:18 — 👍 6    🔁 3    💬 2    📌 0

This curious wanna-be Batch virus has already appeared on several systems. But why?

autoexec.NT does not work anymore and it has an endless loop that pretends to scan.

Did not find any tmp.bat yet. Not sure it even exists.

www.virustotal.com/gui/file/e28...

10.02.2025 19:31 — 👍 2    🔁 0    💬 1    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Binary Refinery URL extraction of Multi-Layered PoshLoader for LummaStealer

🦔 📹 New Video: Binary Refinery deobfuscation of a LummaStealer loader (PowerShell, JScript)

www.youtube.com/watch?v=kHU_...
#MalwareAnalysisForHedgehogs #PowerShell #JScript

27.01.2025 04:23 — 👍 6    🔁 4    💬 0    📌 0
Link preview: Sandbox scores are not an antivirus replacement. Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, p...

We would have less fake news about malware on USB adapters and analysis time wasted if sandboxes changed their wording from "malicious" to "interesting to look at"--which is how they are actually understood by analysts.

www.gdatasoftware.com/blog/2024/09...

15.01.2025 06:30 — 👍 7    🔁 0    💬 0    📌 0

Thanks!

11.01.2025 08:58 — 👍 1    🔁 0    💬 1    📌 0

What is the name of the book?

11.01.2025 04:14 — 👍 1    🔁 0    💬 1    📌 0

Thank you :)

03.01.2025 05:42 — 👍 2    🔁 0    💬 0    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Antivirus myths and how AVs actually work

πŸ”New Video: Antivirus myths
πŸ”— www.youtube.com/watch?v=4Dol...

Or why these sentences are wrong:
➡️ AVs use mostly pattern signatures
➡️ AI is a new defense technique
➡️ defense techniques must focus on high detection rate
➡️ behavior signatures are heuristic and patterns are not

03.01.2025 05:40 — 👍 5    🔁 1    💬 0    📌 0

Thank you. This was not written by me but my colleague Marius Benthin :)

03.01.2025 05:40 — 👍 1    🔁 0    💬 1    📌 0

Start at minute 36:07 to get the summary of tips.

Sample is available here: www.unpac.me/results/3c11...

PrivateLoader YARA rule: gist.github.com/struppigel/c...

07.12.2024 07:57 — 👍 2    🔁 0    💬 0    📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Writing Code Signatures

🦔 📹 Video: Learn how to write code based signatures
➡️ using PrivateLoader as example
➡️ what to detect
➡️ where to set wildcards
➡️ how to test your rule on unpac me
www.youtube.com/watch?v=oxC9...
#MalwareAnalysisForHedgehogs #privateloader

07.12.2024 07:05 — 👍 9    🔁 7    💬 1    📌 1

Awesome stream with rattle/Jesko and Dr Josh Stroschein
showcasing binary refinery

Binref is hard to learn but very rewarding.

www.youtube.com/live/-B072w0...

27.11.2024 17:15 — 👍 4    🔁 3    💬 0    📌 0

Hey thanks!

19.11.2024 14:46 — 👍 1    🔁 0    💬 0    📌 0