InQuest has just released a new analysis suite for the researcher and hobbyist. Welcome to InQuest Labs!

Our CTO, Pedram Amini, presented Worm Charming: Harvesting Malware Lures for Fun and Profit at Black Hat USA 2019. During this talk, Pedram detailed the harvesting mechanism that drives the DFI portion of InQuest Labs. The pipeline ingests malware at scale and feeds each sample through a lightweight, less featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mail addresses, and file names.

Currently, Microsoft Office and OpenOffice documents, spreadsheets, and presentations are available for search and download. In the future, we will expand the public data set to include Adobe PDF documents, Java / Flash applets, and scriptlets such as PowerShell. You can search extracted layers and IOCs by keyword, download samples, pivot between samples by heuristic detections and IOCs, and more, either interactively through the web interface or programmatically through our open API. Result sets from the API are limited to 1337 results at a time. Contact us directly if you wish to gain unfettered access.

Some of the capabilities found within InQuest Labs are:

  • Deep File Inspection (DFI-LITE)
  • Indicators of Compromise Database (IOC-DB)
  • Aggregate Reputation Database (REP-DB)
  • YARA Tools

The InQuest Labs introduction blog highlights some of the capabilities of IOC-DB and REP-DB. Expect follow-on blogs showcasing DFI-LITE and the YARA tools.

Introduction Blog
Checkout InQuest Labs Here
Latest InQuest™ Blog Posts

Memory Analysis of TrickBot

Posted on 2019-08-26 by Josiah Smith

In this blog, we take a subtle dive into memory analysis using Volatility and the memory analysis methodology. For those unfamiliar with the tool, The Volatility Framework is a completely open collection of tools, implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples.


YARA For Everyone: Rules will be Rules

Posted on 2019-08-30 by William MacArthur

In our previous article in the series "Sharing is Caring" we did a quick installation of YARA on multiple platforms. We created a rule template, filled out our first rule, and tested it against a file that was manually created to find our name within files via an ASCII string match.

InQuest™ Labs Research Spotlight

Cr3dOv3r

Searches public leaks for the given email addresses and then tries the supplied credentials against some well-known websites to identify password reuse.


sherlock

Sherlock, a powerful command line tool provided by Sherlock Project, can be used to find usernames across many social networks.


DetectionLab

Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.

Global Security Events

Microsoft warns of two new 'wormable' flaws in Windows Remote Desktop Services

These two vulnerabilities are similar to the vulnerability known as BlueKeep (CVE-2019-0708). Microsoft patched BlueKeep in May and warned that attackers could abuse it to create "wormable" attacks that spread from one computer to another without user interaction.


GOOTKIT Banking Trojan | Deep Dive Into AntiAnalysis Features

The Gootkit Banking Trojan was discovered back in 2014 and utilizes the Node.js library to perform a range of malicious tasks, from website injections and password grabbing all the way up to video recording and remote VNC capabilities.


Monroe College Hit With Ransomware, $2 Million Demanded

A ransomware attack at New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle and St. Lucia. Reports indicate that the attackers are asking for 170 bitcoins in order to decrypt the entire college's network.

InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.
Copyright © InQuest™ 2019
