Malicious LNK File Analysis

Published: 07 February 2023
on channel: 0xdf
3,866 views, 149 likes

I noticed a LNK file uploaded to Malware Bazaar and wanted to take a look. It turns out to be an onion of obfuscated PowerShell that eventually leads to an executable (tagged as Cobalt Strike, though we won't go into the EXE in this video).

Sample on MalwareBazaar: https://bazaar.abuse.ch/sample/0135c4...
LnkParse3: https://pypi.org/project/LnkParse3/


☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[01:04] Overview of file in Malware Bazaar
[02:00] Looking at lnk in a Windows VM
[03:11] lnkparse on file
[04:04] Downloading and unobfuscating layer 1
[05:20] Analysis of layer 1, unobfuscating layer 2
[07:55] Analysis of layer 2
[08:50] Accidentally download directory listing
[10:45] Looking at decoy PDF
[12:03] Comparing binaries from two tmp zip files
[12:54] Not going to RE binary here
[13:23] Looking up hashes in Malware Bazaar and VirusTotal
[14:56] Wrap up
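As an added example to go with the [03:11] and [04:04] chapters (this is not code from the video, and not LnkParse3): a minimal parser for the parts of the MS-SHLLINK format that matter when triaging a shortcut, the LinkFlags, the ShowCommand value and the COMMAND_LINE_ARGUMENTS string where the PowerShell one-liner lives, plus a decoder for a base64 UTF-16LE -EncodedCommand payload, which is one common way such shortcuts carry their first stage. The shortcut bytes are constructed inside the script; the name "Invoice", the icon path, the SW_SHOWMINNOACTIVE choice and the "Write-Host 'stage1'" payload are made up and do not reproduce the Malware Bazaar sample.

```python
"""Minimal MS-SHLLINK (.lnk) triage: header, StringData and -EncodedCommand.
Added example, not from the video or LnkParse3; the sample shortcut is constructed."""
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# ShowCommand values; 7 hides the console window, a frequent choice in malicious shortcuts
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# StringData sections in the order MS-SHLLINK 2.4 stores them
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def is_lnk(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (HeaderSize 0x4C + LNK CLSID)."""
    return len(data) >= HEADER_SIZE and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData and return the strings."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) then IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags, "show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd))}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        result[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return result


# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc, ...)
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments: str):
    """Return the plaintext of a base64 UTF-16LE -EncodedCommand payload, or None."""
    m = ENCODED_RE.search(arguments)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def build_sample_lnk(arguments: str) -> bytes:
    """Construct a minimal shortcut carrying the given arguments (fixture, not real malware)."""
    flags = HAS_NAME | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE

    def sd(s: str) -> bytes:                 # StringData: CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                               # three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)              # ShowCommand = 7
    body = sd("Invoice") + sd(arguments) + sd(r"%SystemRoot%\System32\shell32.dll")
    return header + body + b"\x00\x00\x00\x00"                           # TerminalBlock


# Constructed payload standing in for the real stage-1 PowerShell
STAGE1 = "Write-Host 'stage1'"
SAMPLE_ARGUMENTS = "-nop -w hidden -enc " + base64.b64encode(STAGE1.encode("utf-16-le")).decode()

if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk(SAMPLE_ARGUMENTS))
    for key, value in info.items():
        print(f"{key:>13}: {value}")
    print("      decoded:", decode_encoded_command(info["arguments"]))
```

The header check (HeaderSize 0x4C plus the fixed CLSID) is the same test a triage script should run before trusting the extension; the decoded -EncodedCommand output is the "layer 1" that the video then unobfuscates further, so on a real sample the result of decode_encoded_command is what you feed into the next round of analysis.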

