Thank you for the analysis. Next time could you link the sample of each stage please? Without VT enterprise I can't obtain the atom.xml payload as the site is offline and as it is executed in memory I don't see file artefacts in public sandbox reports, so can't follow along.
Hey, thank you for the hint! I forgot to include it when publishing the video. I will update the description. Here is atom.xml malshare.com/sample.php?action=detail&hash=cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10
Great video as always, I always learn something new!
Good morning Karsten. I encountered the same obfuscation method in a new AgentTesla campaign.
How did you know which word to remove in the beginning?
Because it is repeated, so removing it will remove the bloat.
Sorry for the late reply, I somehow did not see your comment.