Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
Live Malware Samples...
by Teddy Rogers- 1 follower
- 20 replies
- 27.1k views
Thought I would start a topic with a list of places to find malware samples. Feel free to post other sources if you have any... and remember live samples will be harmful to your computer, so if you don't know what you're doing and/or how to work with malware, don't read any further for the sake of your own sanity... Malware Domain List: http://www.malwaredomainlist.com/mdl.php Malware Blacklist: http://www.malwareblacklist.com/showMDL.php Ted.
-
Antivirus vs malwares difference???
by CodeExplorer- 1 follower
- 6 replies
- 1.1k views
What is the difference between malware and antivirus? I mean, antivirus slows down the PC and erases legit files which are flagged as suspicious; not to mention the strange fact that protected/packed files are flagged as malicious. Anyway, anti-viruses are still necessary, or being careful about what you download from the internet. And also I find it hard to trust a single antivirus program. What antivirus are you using?
-
create malware
by moh- 2 followers
- 0 replies
- 579 views
My friend and I are collaborating on a project where we aim to develop a piece of malware for study and research purposes. Could anyone assist us in formulating our request in a way that clearly emphasizes the educational intent of the project and the importance of adhering to ethical guidelines?
-
Is this a real malware?
by CodeExplorer- 1 follower
- 14 replies
- 752 views
Is this real malware? C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk; that file was renamed to Internet Explorer.vir. It's just a shortcut: "C:\Program Files\Internet Explorer\iexplore.exe" http://hi.ru/?dk71 It is detected by some antiviruses: https://www.virustotal.com/gui/file/9f9002954be80252c9cd7c73114ac2805343b14259619c08bbda50402899c8b4?nocache=1 InternetExplorer.vir
-
High-risk security vulnerabilities in apps
by PeterJon- 1 follower
- 2 replies
- 1k views
What are the high-risk or exploitable security vulnerabilities in apps? Have any experts done research or compilation in this field? I hope someone can share relevant information.
-
EMV Softwares
by Xyl2k- 4 followers
- 12 replies
- 31.1k views
Someone on Telegram intrigued me by telling me about software to read credit card chips, so here are some files that I got from the net. The first software in question, which I came across: "EMVStudio", belonging to emvstudio.com. If I look for the files on VT (it communicates with auth.emvstudio.com), I come across these 3 archives: EMVStudio.rar - 1ba1fac55003d2c966f0071b2c126169254b35a38b4e2b913557c4fb0faadfdb Contains 8d6dacff8a098b8d02202e8c6a4a65bbe20b332ba58d6165cca6f958187864c4 and also a file named 'gp' which seems to be a config file. emvstudio_v1.1.1.rar - 0bd11f024845c07e0df8fe2f080f4925dc44a289e4e59b079be0a68ed2fc42a6 Contains emvstudio_v1.1.2.exe - ce9187aa…
-
I got hit by the Locky ransomware
by blank- 2 followers
- 10 replies
- 5.4k views
A couple of days ago I was backing up some company server data, among which were some email inboxes. After downloading the archives I opened one of the emails to make sure the backup was successful. Apparently, that was a spam email with an infected attachment, so I lost all my data. All my files are encrypted with the .thor extension, and I have a ransom note saying to visit jhomitevd2abj3fk.onion. From what I found online, this is an old ransomware (from around 2016), and there isn't a known way to decrypt the files. I've lost some stuff with quite a lot of sentimental value, and I don't really know how to proceed forward. I've been through a panic attack these d…
-
Malware sample for beginners
by unlisted- 2 followers
- 0 replies
- 1.1k views
Hello everyone! Having been in infosec for a few years now, particularly on the Red Team side, I'm keen to discover new things. I have some basic knowledge of reverse engineering, but nothing too crazy. As I'm about to start a new contract on the Blue Team side, I'd like to practice a bit before starting. So I'd like to know your opinion on an easy malware family to reverse for a beginner. Thank you.
-
Pass Debugger Check in VMProtect 2.x
by mojtaba- 1 follower
- 86 replies
- 12.6k views
I'm dealing with an app which is protected with VMProtect 2.x (checked by DIE). I checked some Windows APIs like: CheckRemoteDebuggerPresent() IsDebuggerPresent() ... and used some OllyDbg plugins like: Olly Advanced, Hide Debugger, StrongOD. But it still gets this error: Here is my log data: log-MyApp.txt What should I do to pass this error and open the app in the debugger?
-
How is it Possible to Ransomware Decryption Extension ".msop"
by Faisal Mehmood- 1 reply
- 1.4k views
Hi everyone! Kindly give me a solution for decrypting the ransomware ".msop" extension. How is it possible to decrypt this extension?
-
Recently I caught some malware on my PC
by TishSerg- 1 reply
- 2.6k views
Recently I caught some malware on my PC... I got rid of it and cleaned all places I could find in the system (Task Scheduler, autoruns, hosts, new user, remote manipulator software, WinDefender exceptions, AppLocker policy). I found the install script of that shit. Now I wonder what is inside all those malware binaries. So far I know they (or at least some of them) are compiled AutoIt scripts protected with Themida. I was Googling about that. That's how I came here. @koolk @root it looks like you are Jedi Masters here. Could you help me to take a look inside those exe's if I send you them?
-
- 1 follower
- 0 replies
- 2.2k views
Hi all, this is my analysis of Disk Knight, an old USB-spread worm (written in VB6) from 2007 that I first encountered at my school PC Lab around that time. ENGLiSH VERSiON: https://lucadamico.dev/papers/malware_analysis/DiskKnight.pdf iTALiAN VERSiON: https://lucadamico.dev/papers/malware_analysis/DiskKnight_ITA.pdf I'm also attaching both PDF files here, just in case. I'm more interested in old-school malware that has an interesting background history behind it (for example, Disk Knight became a worm due to some programming errors), has nice/funny (or scary) payloads or is motivated by some weird psychological reasons: in other wor…
-
- 0 replies
- 3.4k views
Hi, I'm studying Penetration Testing and part of the training obviously focuses on solving CTF challenges. You must be asking yourself how the name of the title is related to PT? Well, it's probably not that related, but there is a challenge that really caught my attention and I've been trying to solve it for a long time without success. The challenge contains a malicious file and the task is to investigate the file and find the FLAG hidden inside the file. So I will detail a bit about the malware and what I was able to understand from the code: Code details: Assembly - https://pastebin.com/asWi6a2M (IDA PRO) Decompiler - https://pastebin.com/4XmaQ…
-
Mimikatz (Benjamin Delpy)
by ramaaaa- 2 followers
- 0 replies
- 3.4k views
Hi everybody. First time I've asked for help on a reversing forum. For a challenge, we have to analyse a packed sample (spooler.zip / password: infected) spooler.zip You will see in the Word document the actions I tried to do. I tried to debug the unpacked sample but there are some protections that I am not able to eliminate. Could you help me? (in two posts, because limited to 1000kb) analysis.docx
-
Malware Sample analysis, MS-DOS
by Nexusburst- 1 follower
- 1 reply
- 3.9k views
Analyzing an MS-DOS malware sample (possibly). Is it possible to get more information on this malware, as I have not been able to decipher the actual effects and features of the malware? Findings: Not a PE file, nor an executable or DLL, and possibly some form of Cascade virus. Info: will be marked by Windows Defender as a Trojan. Unpack the malware in a sandbox to carry out testing; it is recommended NOT to unpack it on your actual systems. MS-DOS_Malware.zip
-
- 0 replies
- 5.9k views
As far as I know, the file gets the actual malware (RAT to be specific) file from the resources and opens it. I'm stuck on the string decryption part. It's protected with Confuser.Core 1.6.0+447341964f The assembly is .NET, C# LinkApprove.exe
-
Win 10 64-bit MBR Bootkit
by JMC31337- 12 replies
- 7.9k views
Working on a bootkit rootkit for Win 10 64-bit MBR versions. All checksums and digital sig verifications have been bypassed. Dump all modifications as it goes along. This is completed Stage 1: 1) access bootmgr (compressed) via volume mount WMI API avoiding mounts 2) decompress bootmgr -> obtaining bootmgr.exe 3) patch the digital sig verifier 4) sig the exe with This program cannot be ran in ZZZ mode 5) patch the PE header checksum location with proper checksum 6) re-compress the bootmgr.exe -> bootmgr 7) overwrite the OS default bootmgr ===== I'll explain more later, I'm tired. File password: infected M…
-
NotInfected!!
by CodeExplorer- 1 follower
- 4 replies
- 6.9k views
NotInfected!! NotInfected.exe Lol, any Visual C++ 6.0 contains viruses? WTF? https://www.virustotal.com/gui/file/c6fa6a71f25b0b081cb3107f69bbc6dd027a6493c1c87944dfe458737a2b3efe?nocache=1
-
BitRAT steals users' files.
by karan- 0 replies
- 4.9k views
BitRAT is a hacking tool currently sold in several hacking forums. The developer added malicious code inside the BitRAT code that can steal files. GitHub repo: https://github.com/miketestz/BitRAT_is_Thief
-
- 1 reply
- 4.5k views
Hi. In order to advance myself in malware analysis I solve tasks from the widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze malware samples found in pcaps. The one that puzzles me a lot is from the 2019-06-22 task. Particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899). https://www.malware-traffic-analysis.net/2019/06/22/index.html What exactly is that it basically doesn't show any red flags during basic static analysis. # Its import table is pretty "herbivore". # Strings don't show any obvious indicators. # The only thing that looks strang…
-
AV Evasion techniques or no...
by PeterN- 1 follower
- 1 reply
- 5.5k views
This is what poor advice from a course on malware creation looks like.
-
- 1 follower
- 2 replies
- 4.9k views
I've looked on this forum, other forums, I have googled, and used Stack Overflow, but nothing useful seems to come out of it. I was wondering if any of you guys know a way to get the complete source code of a DLL that is written in C++. Thank you.
-
Sandboxes Artifacts for AntiVM and anything
by JewishKinger- 0 replies
- 5.7k views
Hello everyone! Recently, I came up with the idea to hide the RAT and send it several times to VirusTotal. The purpose of these actions is to isolate virtual machine artifacts from the VirusTotal sandbox. As a result, I collected lists of processes obtained from the virtual machines on which the RAT was executed. It's funny that after numerous build submissions, I saw connections from Russian, Chinese, Czech, German servers (not counting VirusTotal). I have successfully collected all the artifacts into one repository. I think it will be very useful for malware developers. It took me 2-3 hours to send numerous builds to their servers and collect …
-
C# Nemesis.Worm
by JMC31337- 1 reply
- 16.6k views
//JMC31337 //NEMESIS WORM PROJEKT using System; using System.Net; using System.Net.Sockets; using System.Text; using System.Threading; using System.Collections.Generic; using System.IO; using System.Text.RegularExpressions; using System.Net.Mail; using System.Net.Mime; using System.Runtime.InteropServices; using System.Diagnostics; using System.Collections; using System.ComponentModel; using System.Data; using Microsoft.Win32; namespace ConsoleApplication1 { class Program { public static int bypass = 0; private static string DESTINATION_IP_ADDRESS = "204.13.204.222"; private static string DESTINATION_IP_ADDRESS2 = "2…