Category: Lab Notes

Shotgun Wedding

An email caught my eye this morning. Not because of a unique social engineering theme or a new delivery technique, but because of the sheer number of attachments, a shotgun approach to malware delivery. There were 3 RTF files with spoofed .doc and docx.doc extensions, an ARJ archive containing an …

The Emotet botnet began sending holiday themed emails today. While this isn’t necessarily new to them, it does go to show that they are constantly experimenting with relevant themes along with their reply-chain style emails. Below are a few examples of emails that we saw cross our wires today:

The complexities of intelligence (late night ramblings of a madman)

I’m sure I’m not the only one who knows of someone who, as a young child, had a dog.  They liked dogs, so they learned dogs.  Dogs have four legs, and they stand on them.  One day, it became apparent …

Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. And to make things more interesting, the paste was the hexadecimal representation of the binary and …
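Two of the notes above describe cheap evasions that fall to the same triage check: attachments whose final extension (.doc, .docx.doc) does not match the bytes inside them, and a paste that is just the hex dump of a binary. The following is an added example, not code from these posts; the signature table, the file names and every byte of sample input are constructed for illustration.

```python
"""Flag attachments whose content does not match their extension, and
recover a binary from a hex-dump paste.  Added example; signature table
and all sample inputs are constructed for illustration."""
import re
from typing import Optional, Tuple

# Leading bytes that identify the container formats mentioned on this page.
# Word opens RTF regardless of extension, so an RTF body behind a .doc
# name is exactly the spoof worth flagging.
MAGIC = [
    (b"{\\rt", "rtf"),                                   # RTF text header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),         # legacy OLE2 (.doc/.xls)
    (b"PK\x03\x04", "zip"),                               # ZIP, incl. OOXML .docx
    (b"\x60\xea", "arj"),                                 # ARJ archive
    (b"MZ", "pe"),                                        # Windows PE
]

# What a well-formed file with this extension should actually contain.
EXPECTED = {
    ".doc": {"ole"}, ".dot": {"ole"},
    ".docx": {"zip"}, ".docm": {"zip"},
    ".rtf": {"rtf"},
    ".arj": {"arj"},
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
}


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def final_extension(name: str) -> str:
    """Only the last extension matters to the OS: 'x.docx.doc' -> '.doc'."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def check_attachment(name: str, data: bytes) -> Tuple[str, str, Optional[str], str]:
    """Return (name, extension, sniffed type, verdict)."""
    ext = final_extension(name)
    real = sniff(data)
    expected = EXPECTED.get(ext)
    if real is None or expected is None:
        verdict = "unknown"
    elif real in expected:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return name, ext, real, verdict


_HEX_ONLY = re.compile(r"^[0-9A-Fa-f\s]+$")


def decode_hex_paste(text: str) -> Optional[bytes]:
    """If a paste is nothing but hex digits (optionally whitespace-separated),
    return the bytes it encodes; otherwise None."""
    text = text.strip()
    if not text or not _HEX_ONLY.match(text):
        return None
    compact = re.sub(r"\s+", "", text)
    if len(compact) % 2:
        return None
    return bytes.fromhex(compact)


# Constructed sample attachments; the bodies are just a header plus padding.
SAMPLES = [
    ("Invoice_2931.doc", b"{\\rtf1\\ansi\\deff0 " + b"A" * 32),
    ("Invoice_2931.docx.doc", b"{\\rtf1\\ansi " + b"B" * 32),
    ("Scan_004.docx", b"PK\x03\x04" + b"\x00" * 32),
    ("Documents.arj", b"\x60\xea" + b"\x00" * 32),
    ("Old_Letter.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32),
]

# Constructed stand-in for a hex paste: the first bytes of a PE (MZ header).
SAMPLE_PASTE = "4D 5A 90 00 03 00 00 00\n04 00 00 00 FF FF 00 00\n"


def triage_samples():
    """Run the extension-versus-content check over the constructed samples."""
    return [check_attachment(n, d) for n, d in SAMPLES]


if __name__ == "__main__":
    for row in triage_samples():
        print("%-24s ext=%-6s type=%-5s %s" % row)
    blob = decode_hex_paste(SAMPLE_PASTE)
    print("paste decodes to", sniff(blob) if blob else None)
```

The check keys on the last extension only, since that is what the mail client and the OS use; a name like `Invoice.docx.doc` is treated as `.doc`, and an RTF body behind it is reported as a mismatch rather than trusted because Word would open it anyway.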

GIMP away your troubles

“Efficiency is intelligent laziness”

-David Dunham

Scripting is a great way to spend ten times as long automating something as it would have taken to just do it in the first place. Sometimes it's worth it because it saves you time in the long run, and sometimes …

The other day I decided to take a walkabout in our data and explore what the rest of the world sees. And it didn’t take long to find a poorly constructed Brazilian tax note phish spoofing their Ministry of Economy. The actor failed with his phish template and switches between …

The Emotet botnet updated their clients this morning around 6am EST.

We came across these hashes for the clients:


The following is a list of the C2 servers that were pulled from the binaries. Please use these to catch any infections that may be present within your …

We have been tracking the Emotet botnet for quite some time now and noticed that they began standing up their C2 (command and control) infrastructure again on Aug 21. Our systems caught the first servers coming alive for Epoch 2 of the botnet's clients around 3pm EST. The first servers …
