My Learning Process I’ll be documenting my journey as I learn malware analysis, sharing: Challenges I encounter and how I overcome them New techniques I discover and practice Tools I explore and my honest reviews Mistakes I make and lessons learned (because we all make them!) Hands-On Analysis This blog will feature: Step-by-step walkthroughs of malware samples Tool tutorials with practical examples Lab setup guides for safe analysis environments Real-world case studies from my analysis work Knowledge Sharing As I learn, I’ll share:...
Vidar Infostealer: Analyzing the ClickFix 'softmix-online' Delivery Chain
Executive Summary This malware analysis documents a multi-stage Windows infostealer infection chain discovered via malware samples tracked on MalwareBazaar (softmix-online tag). The campaign uses a fake software download site (softmix.online) that distributes a password-protected archive which is a technique specifically chosen to bypass automated security inspection. The attack unfolds through several layers of evasion (PowerShell downloader, encrypted archive, NSIS installer, and an Electron application) before executing the final payloads: The Electron Loader: The core logic resides in a JavaScript file (main....
Mustang Panda's ToneShell DLL static analysis
1. Sample Information Original file name: chrome.exe File type: dynamic-link-library, 32-bit, GUI File size: 1.532784 MB Hash values: MD5: 817df56f4ad3a3f6b39765e5ed95501d SHA1: 15940bb4fa5e4d9b7a940dca3a1459d4216b1dbc SHA256: 216188ee52b067f761bdf3c456634ca2e84d278c8ebf35cd4cb686d45f5aaf7b Compile Timestamp: Thu Mar 20 08:18:00 2025 Packing/Obfusction: None File Entropy Details: Sections Entropy .text 5.565 .rdata 3.910 .data 5.865 .idata 4.492 .gfids 2.945 .tls 0.011 .00cfg 0.061 .rsrc 2.239 .reloc 6.275 2. PE File Structure Sections overview: Sections Virtual Size Raw Size .text 1197979 1198080 ....