@viql profile picture
Johannes Bader @viql

Reverse engineer / malware analyst. On the hunt for domain generation algorithms. Current side project: rosti.bin.re/

Joined August 2013
  • Tweets 196
  • Following 166
  • Followers 1,793
21 Photos and videos
Johannes Bader@viql
30 Jan 2025
Today, I'm releasing the first version of a small web 🚀: rosti.bin.re/ It provides IOCs and YARA rules collected semi-automatically from public blog posts and reports of almost 200 cybersecurity sites. I hope it proves useful to some of you ... 🙏✨ #ThreatIntel
Screenshot of the "reports" section of Rösti. The page displays multiple reports in a grid format, each with a card-like design. Each card includes information such as the report title, author, publication date, associated threat indicators (IOCs and YARA rules), and source organization.

ALT Screenshot of the "reports" section of Rösti. The page displays multiple reports in a grid format, each with a card-like design. Each card includes information such as the report title, author, publication date, associated threat indicators (IOCs and YARA rules), and source organization.

17
123
370
32,484
Johannes Bader retweeted
abuse.ch
@abuse_ch
14 Nov 2024
According to @GovCERT_CH , an unknown threat actor has sent out postal letters (yes, *postal* letters ✉️) to recipients in Switzerland that pretend to originate from @meteoschweiz, luring the recipient into downloading and installing a rogue App 🔥🕵️‍♂️ The QR code in the letter leads to a malicious App that impersonating the "AlertSwiss" App of the federal administration. However, the App in fact is a version of Coper (aka Octo2) #malware, infecting mobile phones running Android 📱🤖 Payload delivery URL: 🌐 urlhaus.abuse.ch/url/3290212… Malware sample: 📄 bazaar.abuse.ch/sample/4928c… Coper botnet C2: 🔥 threatfox.abuse.ch/ioc/13448…ncsc.admin.ch/ncsc/en/home/a…
29
78
27,576
Johannes Bader retweeted
Jesko Hüttenhain@huettenhain
28 Sep 2024
What's happening? #FlareOn11 is happening! Time to update #BinaryRefinery and snag some flags! ✨ github.com/binref/refinery/flare-on11.ctfd.io/challenge…
17
47
5,029
Johannes Bader retweeted
ThreatCat.ch@threatcat_ch
19 Jun 2024
We're proud to be a @Quad9DNS partner, helping make the Internet a safer place!
4
14
5,787
Johannes Bader@viql
30 May 2024
Could you please share your IOCs in any format that is NOT low screenshots @Cloudflare 🙏? blog.cloudflare.com/disrupti…
Screenshot of the blog post by cloudflare, where they suggest readers "search [their] environment for the FlyingYeti indicators of compromise (IOCs) shown below", but the IOCs are just low-res screenshots.

ALT Screenshot of the blog post by cloudflare, where they suggest readers "search [their] environment for the FlyingYeti indicators of compromise (IOCs) shown below", but the IOCs are just low-res screenshots.

1
1
385
Johannes Bader retweeted
abuse.ch
@abuse_ch
24 Apr 2024
Nice #MooBot botnet caught by @banthisguy9349 😂 Botnet C2 domain: 🔥 putin.zelenskyj .ru Pointing to: 45.88.90.30:43957 (AS203168 Constant MOULIN 🇧🇪) DNS resolution provided by Cloudflare 🔎 Payload URLs: 🌐 urlhaus.abuse.ch/host/45.88.… Payload: 📄 bazaar.abuse.ch/sample/21f1c…
MooBot botnet C2 domain zelenskyj.ru

ALT MooBot botnet C2 domain zelenskyj.ru

4
9
33
10,433
Johannes Bader retweeted
Daniel Plohmann@push_pnx
8 Mar 2024
I wrote a blog post about MalpediaFLOSSed, a collection of ~4 million strings extracted from 1800 malware families and upgrading its GUI plugin to work with IDA, Ghidra, and Binary Ninja at once! Kudos to @hyun____22 for Hyara, which pioneered such cross-tool compatibility!
Byte Atlas@ByteAtlas
8 Mar 2024
[blog post] MalpediaFLOSSed danielplohmann.github.io/blo…
1
32
87
13,149
Johannes Bader retweeted
ThreatCat.ch@threatcat_ch
29 Jun 2023
New blog post: threatcat.ch/blog/when-hunte… #nuclei
A cat hunts a wolf with a crossbow.

ALT A cat hunts a wolf with a crossbow.
3
2
826
Johannes Bader retweeted
Daniel Plohmann@push_pnx
5 Jun 2023
I wrote a short blog post on MCRIT, the one-to-many code similarity analysis framework that we released as open source recently at @Botconf.
Byte Atlas@ByteAtlas
5 Jun 2023
[blog post] MCRIT: The MinHash-based Code Relationship & Investigation Toolkit danielplohmann.github.io/blo…
1
23
37
4,741
Johannes Bader retweeted
Jesko Hüttenhain@huettenhain
30 Mar 2023
#BinaryRefinery 0.5.10 can deobfuscate this sample with little effort. Only had to add one new unit for StrReverse constant folding. Not a silver bullet, obviously, but why write those regular expressions yourself when you can make me do it for you?
GuidedHacking
@GuidedHacking
29 Mar 2023
CyberChef for Malware Analysis - DCRat Loader youtube.com/watch?v=rpp6BZYI…
1
5
14
2,677
Johannes Bader retweeted
ThreatCat.ch@threatcat_ch
31 Mar 2023
🛠️ .NET malware decompiling challenges: Obfuscations of strings/constants can be tedious. Automate w/ IDA Pro's Python 🐍 interface for MSIL binary patching, even for simple cases: threatcat.ch/blog/undo-dotne… #CyberSecurity #MalwareAnalysis #IDAPro #DotNET
A colorful cartoon image of a Python sitting in front of a computer monitor. The monitor shows the logo of Microsoft .Net

ALT A colorful cartoon image of a Python sitting in front of a computer monitor. The monitor shows the logo of Microsoft .Net
27
86
11,212
Johannes Bader retweeted
ThreatCat.ch@threatcat_ch
31 Mar 2023
New video on the Domain Generation Algorithm of the file infector m0yv. We've sinkholed multiple domains & show how infections dramatically increased in the last 400 days 📈. #m0yv #DGA youtu.be/3RYbkORtFnk
Cartoony image of a large sinkhole. A monster character sits at the bottom of the sinkhole with a desperate face. In large letters the title "Sinkholing the DGA of m0yv" is shown.

ALT Cartoony image of a large sinkhole. A monster character sits at the bottom of the sinkhole with a desperate face. In large letters the title "Sinkholing the DGA of m0yv" is shown.

1
5
6
1,421
Johannes Bader retweeted
Nils Kuhnert@0x3c7
22 Dec 2022
Just updated the "malwarebazaar" Python module to include a Python and CLI client for @abuse_ch #YARAify and added a "richer" output. You can find it on Github (github.com/3c7/bazaar/releas…) and on PyPI (via "malwarebazaar"). #threatintel #malware
This screenshot shows the output for the command "bazaar recent -s" which is a list of recently uploaded samples to MalwareBazaar.

ALT This screenshot shows the output for the command "bazaar recent -s" which is a list of recently uploaded samples to MalwareBazaar.

This screenshot shows the output of Vendor data for a sample uploaded to MalwareBazaar.

ALT This screenshot shows the output of Vendor data for a sample uploaded to MalwareBazaar.

This screenshot shows the output for the command "yaraify recent -s" which is a list of recently uploaded Yara rules to YARAify.

ALT This screenshot shows the output for the command "yaraify recent -s" which is a list of recently uploaded Yara rules to YARAify.

This screenshot shows data related to a scanning task on YARAify and includes detections from ClamAV as well as triggered Yara rules.

ALT This screenshot shows data related to a scanning task on YARAify and includes detections from ClamAV as well as triggered Yara rules.

2
34
112
16,527
Johannes Bader retweeted
CISA Cyber
@CISACyber
12 Dec 2022
Fortinet released security updates for FortiOS to fix a heap-based buffer overflow vulnerability (CVE-2022-42475). Apply patches asap. Read more at: go.dhs.gov/Z8v

1
48
71
Johannes Bader retweeted
GovCERT.ch@GovCERT_CH
16 Sep 2022
We published a tech paper on the #ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as code flatteners. We describe how it can be dealt with using a Python script IDA Pro Blog: 👉govcert.ch/blog/unflattening… Paper: 👉govcert.ch/whitepapers/unfla…
1
115
288
Johannes Bader@viql
23 Jul 2022
I published a new blog post on a Domain Generation Algorithm that uses the balance of the Bitcoin genesis block as seed. bin.re/blog/a-dga-seeded-by-…

The Domain Generation Algorithm of Orchard v3 - A DGA Seeded by the Bitcoin Genesis Block

The Orchard malware uses a domain generation algorithm (DGA) that is seeded both by the current date, and also by the current balance of the Bitcoin genesis block.

bin.re
4
17
Johannes Bader@viql
4 Jun 2022
New blog post: "The Domain Generation Algorithms of SharkBot" 🦈 bin.re/blog/the-dgas-of-shar…

The Domain Generation Algorithms of SharkBot

SharkBot uses a DGA for communication, which was changed several times during the development of SharkBot. This blogpost shows four versions of the DGA, and their differences.

bin.re
3
11
Johannes Bader retweeted
Jesko Hüttenhain@huettenhain
11 Nov 2021
Replying to @chrissanders88
Since there's probably a few big CyberChef aficionados here, I'll go ahead and pitch my little rival project, the binary refinery: 🏭 github.com/binref/refinery/ It's (almost) like CyberChef, but it's a cross platform command line toolkit.

GitHub - binref/refinery: High Octane Triage Analysis

High Octane Triage Analysis. Contribute to binref/refinery development by creating an account on GitHub.

github.com
3
20
51
Johannes Bader@viql
1 Nov 2021
New blog post: Analysing TA551/Shathak malspam with binary refinery bin.re/blog/analysing-ta551-… I show how the open source framework "binary refinery" can be effective in analysing multistage TA551 malspams with encrypted ZIP, Word document, HTA and Javascript.
how TA551 malspam works: An encrypted zip file contains a word document. This document contains an obfuscated and hidden hta file which is extracted and run by macro code. The hta deobfuscates a Javascript with ActiveX that will download the final payload from an url.

ALT how TA551 malspam works: An encrypted zip file contains a word document. This document contains an obfuscated and hidden hta file which is extracted and run by macro code. The hta deobfuscates a Javascript with ActiveX that will download the final payload from an url.

1
65
195
Johannes Bader@viql
9 Aug 2021
Domain Generation Algorithms are straightforward to program and usually bug free. Not so the new #DGA of #BazarLoader, which goes haywire during the summer months: bin.re/blog/a-bazarloader-dg…
25
56
Load more