In the Einladen Sherlock, there’s an HTA file that drops a Microsoft signed legit executable, two DLLs, and a PDF. I’m able to use the PCAP and Procmon data to figure out where to go next, without reverse-engineering the malware. In the embedded YouTube video, I’ll dive into the DLL side-load, how the binary loads winint.dll secretly, decrypts stack strings, and contacts the C2, with a summary of the analysis in this post.

0xdf hacks stuff

This post explores the Einladen Sherlock malware and the analysis of the dropped DLLs, including msoev.exe and mso.dll. It covers the purpose of msoev.exe, the imports of mso.dll, and the method of loading wininet.dll.

Einladen mso.dll Reverse Engineering