IMO the worst mistake people make trying to AI-proof their career is dropping everything to learn AI. It's like dropping out of math to study how to push calculator buttons really fast. The skill cap for AI is going to be your understanding of the underlying subject, not how good you are at prompts.
03.03.2026 22:14
While it already had a high VirusTotal score, it is often unclear whether it is PUP or malware. Using REMnux MCP helps solve this problem with lower effort from me.
See full generated report here: github.com/Squiblydo...
2/2
03.03.2026 17:00
"Zipmate.exe" signed by OR KAHOL LTD
Cert reported for revocation.
MD5: d5d411d61b089d5761838138e7eb484a
Hijacks Firefox
See REMnux MCP generated report in comment below.
Claude opened the .NET using ILSpy and deobfuscated all the crap so I didn't have to.
1/2
03.03.2026 17:00
The report isn't perfect (it thought it was a game instead of a PDF editor), however, everything else seems to line up despite poor sandbox execution.
The VT score is 22/70, but analysis is needed to prove it isn't PUP.
See the full report here: github.com/Squiblydo...
2/2
03.03.2026 12:48
"NotAWord.exe" signed "Astro Bright LTD"
MD5: 7be1f9a968c5b1567570e12738392d7c
Yet Another PDF Application (YAPA)
App contains reversed and chunked domains. I'm now using REMnux MCP to generate reports for these apps and confirming the findings.
1/2
03.03.2026 12:48
Ah yes, "Hubei Da'e Zhidao Food Technology Co., Ltd." is well known for their Google Chrome product.
Valid cert. Will trust.
099d63e692457bfccc2cf59278ae6a268cb03964f18d0d27f536027b43c89896
h/t @g0njxa
27.02.2026 11:07
"CaseArchiveViewer.exe" signed with "Flagship Promotion s. r. o." EV cert.
Flagged for deploying NetSupport RAT and Vidar
8099e85c4aa05f50ff299a130dc26a67b45aed519668e8b1ee1692e0034196c2
Certificate reported.
https://tria[.]ge/260223-z2lj3abx8f/behavioral1
h/t MalwareHunterTeam
24.02.2026 13:21
See the YARA rule here (it has Claude's annotations):
github.com/Squiblydo...
Samples on MalwareBazaar: bazaar.abuse.ch/brow...
5/5
22.02.2026 20:46
I then performed a YARA hunt using @unpacme to check my rule. It hit 40 samples, which are ones I uploaded to MalwareBazaar. Nice.
4/5
22.02.2026 20:46
I let Claude know my intent to create a YARA rule based on the results, and it created one for me.
The rule actually didn't work right away, but it gave me plenty to go off of. With malcat, I can also see the bytes in the executable by clicking the rule match.
3/5
22.02.2026 20:46
The MCP has access to all the tools installed on REMnux.
I tried a few YARA rules based on manual analysis, but no easy wins.
But since it was able to find the encrypted payload and then extract the payload using emulation (Speakeasy), I used that for the rule.
2/5
22.02.2026 20:46
#100DaysOfYARA - Day 15 (a little behind)
I used @REMnux's MCP to extract a payload from an (unknown to me) malware, which I'm now tracking as AxolotlLoader. I used the MCP to build a YARA rule based off of the XOR decryption function.
Rule at end
1/5
22.02.2026 20:46
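To show why the first draft of the rule in posts 2/5 and 3/5 needed a second pass, here is an added example (not the rule from the thread, and not code from the REMnux MCP or malcat): a small YARA-style hex-string matcher run over two constructed byte buffers that stand in for two builds of an XOR-decryption loop. The loop bytes, the key values, the sample layout and the rule name are all made up for illustration.

```python
import re
from typing import Optional

# Constructed x86-style XOR-decryption loop (illustrative bytes only, not taken
# from AxolotlLoader or any real sample). The two "builds" differ only in the
# single-byte XOR key: 0x3a in A, 0x7e in B.
#   8a 0c 10     mov  cl, [eax+edx]
#   80 f1 XX     xor  cl, XX          <- key byte varies per build
#   88 0c 10     mov  [eax+edx], cl
#   40           inc  eax
#   3b c6        cmp  eax, esi
#   72 f2        jb   loop_start
SAMPLE_A = b"\x90" * 8 + bytes.fromhex("8a0c10 80f13a 880c10 40 3bc6 72f2") + b"\xcc" * 4
SAMPLE_B = b"\x90" * 5 + bytes.fromhex("8a0c10 80f17e 880c10 40 3bc6 72f2") + b"\xcc" * 4

def hex_pattern_to_regex(pattern: str):
    """Translate a YARA-style hex string such as '8a 0c ?? 40' into a bytes regex.
    '??' matches any one byte; every other token must be a two-digit hex byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def find_pattern(data: bytes, pattern: str) -> Optional[int]:
    """Offset of the first match of the hex pattern in data, or None if absent."""
    match = hex_pattern_to_regex(pattern).search(data)
    return match.start() if match else None

def yara_rule(name: str, pattern: str) -> str:
    """Render the pattern as a minimal YARA rule, ready to drop into a hunt."""
    return (f"rule {name} {{\n"
            f"    strings:\n        $xor_loop = {{ {pattern} }}\n"
            f"    condition:\n        $xor_loop\n}}\n")

# First draft: the exact bytes lifted from sample A, key byte included.
EXACT = "8a 0c 10 80 f1 3a 88 0c 10 40 3b c6 72 f2"
# Revision: wildcard the key byte so the same loop matches in other builds.
WILDCARDED = "8a 0c 10 80 f1 ?? 88 0c 10 40 3b c6 72 f2"

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, "exact:", find_pattern(sample, EXACT),
              "wildcarded:", find_pattern(sample, WILDCARDED))
    print(yara_rule("Example_XorDecryptLoop", WILDCARDED))
```

The exact pattern finds only the build it was copied from; wildcarding the key byte keeps the match on the loop structure, which is what a hunt over related samples needs.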
DocSend.exe signed "Taiyuan Yuqianhan Network Technology Co., Ltd."; Certificate reported
b409adb785f58f1de1cdf12e5c7c51a2
C2: 185.174.133.12
https://tria[.]ge/260211-2qa1ascw9d/behavioral1
#StealC
h/t @malwrhunterteam
12.02.2026 12:32
Previous RomCom: 9f69db123eb43e6b0ab300f645c15817
MB uploads: bazaar.abuse.ch/brow...
(See VT for 2 payloads too large for MB)
bazaar.abuse.ch/brow...
AnyRun: app.any.run/tasks/71...
2/2
11.02.2026 12:43
ScreenConnect as "LiveChat.msi" signed by "XRYUS TECHNOLOGIES LIMITED"
C2: boriserton27[.]anondns[.]net
e69c9a6742466a2770711804291f3fcf
FUD fake PDF, new serial #:
705f570e89ccbbcb32b8bb304537a2e9 suspected RomCom
"XRYUS TECHNOLOGIES CORPORATION" was used by RomCom
1/2
11.02.2026 12:43
"document_725299d2.msi" signed by "ALTERNATIVE HOME HEALTHCARE SERVICES LLC"
Loads ScreenConnect configured to connect to the domain zkyhgfvluyvjh[.]im
edbb4d8d6b549ea5ec04e8a43e51d5fffad9276a52dacad8bba4ea09d9b41063
h/t @malwrhunterteam
1/2
10.02.2026 16:33
"Purchase Agreement.pif" signed "HYPERBOLA TRADECOM LIMITED"
a08293e23e09d53692aca4b20974f270e48c58c53532c6cc715993d24e928e35
Probably not a purchasing agreement and probably not a CrowdStrike Falcon sensor.
Cert was reported for revocation
h/t @malwrhunterteam
10.02.2026 09:49
Using AI Agents to Analyze Malware on REMnux
To analyze malware effectively, AI agents need practitioners' expertise and access to the analysis tools. The REMnux MCP server provides both, connecting AI to 200+ tools on REMnux with guidance on wh...
The new REMnux MCP server connects AI agents to 200+ malware analysis tools on REMnux. I was surprised at the depth of investigation it delivers. Most of my time went into capturing how I approach the analysis and providing guidance to AI at the right time, so it can think and adapt as it works.
09.02.2026 14:22
Zabbix re-signed by "Xiamen Xinke Youxuan Software Technology Co., Ltd."
7ab39ede4268a615c04ef39b1b30cee3
Reaches out to zabbxsoftware[.]com
Interesting lures:
oficio20452026PCAP.exe
PCAP Police Request Response.exe
h/t @g0njxa
06.02.2026 12:18
VirusTotal
The installer downloaded from the site is 680MB, which is larger than VirusTotal's allowed file size. However, it has a subcomponent that is 2MB, but it doesn't fully run without the larger installer:
www.virustotal.com/g...
2/2
02.02.2026 12:01
Fake Multibit wallet website multibit[.]info
The real website, multibit[.]org, mentions that multibit was discontinued in 2017
The fake installer is signed by "Anhui Shanxian Tongxin Technology Co., Ltd."
More details in thread
h/t @malwrhunterteam
1/2
02.02.2026 12:01
RMM Tools (Syncro, SuperOps, NinjaOne, etc.) Being Distributed Disguised as Video Files - ASEC
AhnLab reports seeing evidence of the campaign going back as far as October 2025.
Thanks to folks who upload such files to MalwareBazaar, VT, and help report the certificates.
Thanks @AhnLab_SecuInfo for publishing the analysis:
asec.ahnlab.com/en/9...
2/2
28.01.2026 13:40
AhnLab published an analysis of a campaign observed by the CertGraveyard in December. Great to see more details.
An actor using signer "CÔNG TY TNHH XB FLOW TECHNOLOGIES" leveraged a range of RMM tools and regularly contested abuse complaints.
Blogpost in thread
1/2
28.01.2026 13:40
Thorough analysis of AnyPDF (signed by "Lupus Tech Limited")
rifteyy.org/report/a...
Certificate has been reported and added to the CertGraveyard.
28.01.2026 09:51
New FUD #Transferloader "Hangzhou Wenyu Technology Co., Ltd."
Seems identical to the last one.
Reaches out to the same domain: mstiserviceconfig[.]com
2c70e3b4af65679fc4f4c135dc1c03bd7ec2ae8065e2e5c50db3aaec0effc11f
27.01.2026 17:54
The CertGraveyard is now being leveraged by MagicSword.
MagicSword makes use of certificates we report and blocks them within your environment.
I was really amazed by the work they do to block RMM and bad drivers. Now this further enables orgs to block malicious signers.
x.com/magicswordio/s...
27.01.2026 16:16
MB: bazaar.abuse.ch/samp...
AnyRun: app.any.run/tasks/4a...
Triage: tria.ge/260126-wxm1j...
Thanks to everyone who has volunteered analyzing files, making submissions, or used the database.
Special thanks to @anyrun_app for a sandbox that is easy to use and review.
2/2
26.01.2026 18:43
We've reached 2,000 entries in the CertGraveyard database.
The 2,000th entry was "Auto Posto Silvestre Comercio de Combustiveis LTDA" (fuel sales), a certificate issued to a cybercriminal, used to target Brazil with a fake PDF "Requisitos_para_regularizar_sua_empresa.exe".
1/2
26.01.2026 18:43
Does anyone know VirusTotal user "bsforvt727" (pronounced "bs for vt 727")?
I feel like we could be friends, if we aren't already.
They consistently leave comments and downvote stuff that I then see a day or two later.
www[.]virustotal[.]com/gui/user/bsforvt727
26.01.2026 11:34