<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?</title>
        <link>https://stream.echo6.co/videos/watch/a79f6900-783f-485d-9ed4-7a2273559399</link>
        <description>00:00 - Introduction, talking about why I think APT-29's successful phishing is funny
01:10 - Unit42's blog post talking about how the phishing document worked
02:15 - Going to Google to show APT29 doing the lnk file in a zip since at least 2016, Mandiant post.
03:40 - Talking about why phishers put executables or things to click on in zip/iso/compressed folders
04:50 - Talking about why they may use DLL Side Loading to execute the shellcode
06:25 - Showing what the user sees when they open the iso file
07:48 - Talking about why we are starting with shellcode instead of a weaponized document and why red teams like shellcode
09:00 - Using MSFVenom to generate a malicious executable with custom shellcode from BRc4
10:15 - Opening the executable with x64dbg, so we can extract a program from memory. This is great for when the shellcode is obfuscated through something like shikata ga nai
11:00 - Setting a breakpoint on LdrLoadDll, showing the memory map is empty
12:15 - Running the program, examining memory on the LdrLoadDll breakpoint. Showing a weird Execute-Read permission, which initially was Read-Write (screwed up initially explaining it)
13:10 - The E_MAGIC (MZ Header) is nulled out, talking about why Brute Ratel may do that
14:20 - Dumping the memory to a file, copying it to Linux where I have IDA
15:30 - Using hexedit to set the first two bits to MZ, so IDA recognizes it as an executable
16:50 - Talking about ordinal loading
18:05 - Showing the application uses ror13 hashes to call functions to avoid strings. Using Google to find what the hash goes to
20:20 - The coffee string is weird, going into it
21:10 - Looking at a function that looks like it sends strings to the teamserver
22:45 - Showing similarities to the COFF loader from TrustedSec
24:00 - Converting another ror13 hash in badger to a function
25:25 - Having IDA show all strings
25:50 - Looking at the AMSI patch thing
26:35 - Stumbling across a static encryption key
29:00 - Looking at a likely PSExec functionality, maybe an IOC? Service name: ServicesActive
36:15 - Looking at the EnableDebug command and explaining why I think all these strings may be in the binary right now; they are likely gone now.</description>
        <lastBuildDate>Mon, 13 Apr 2026 13:32:05 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/a79f6900-783f-485d-9ed4-7a2273559399</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=a79f6900-783f-485d-9ed4-7a2273559399" rel="self" type="application/rss+xml"/>
    </channel>
</rss>