Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
Live Malware Samples...
by Teddy Rogers- 1 follower
- 20 replies
- 28k views
Thought I would start a topic with a list of places to find malware samples. Feel free to post other sources if you have any... and remember live samples will be harmful to your computer so if you don't know what your doing and/or how to work with malware don't read any further for the sake of your own sanity... Malware Domain List : http://www.malwaredomainlist.com/mdl.php Malware Blacklist : http://www.malwareblacklist.com/showMDL.php Ted.
-
Polymorphic Parasite (x86) WriteUp
by JMC31337- 2 followers
- 2 replies
- 483 views
i may banter a lil in the opening, but that is how i was taught when i was in highschool learning ASM from the ukranians and russians, bootkits from the chinese You give a short shoutout or point to be made and ya write and code Here, i use the LCRN (LCG) from the GiantBlack Book of Viruses (Physicist Dr. Mark Ludwig) and his 16-bit many hoops and recreated it for x86 (32 bit) VXWriteUp.pdf
-
- 2 followers
- 8 replies
- 653 views
Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case. Enjoy. GanDiao.pdf GanDiao_ITA.pdf
-
powershell script
by whoknows- 1 follower
- 2 replies
- 1.6k views
https://sos-at-vie-1.exo.io/cloudcask/modified-cloudflare-new-111.html https://sos-ch-gva-2.exo.io/clouddesk/modi-cloudflare-update-fresh.html
-
Free resources for malware development
by Bender- 1 follower
- 3 replies
- 2.9k views
Hii🖐️ guys i am currently pursuing my bachelor's degree in computers and I am more focused in malware development rather then any other field . So can anyone pls provides me free resources for malware development , I already have intermediate knowleadge. A guided path can help me a lot 🙂
-
An easy way to decrypt VBS worm
by TeRcO- 1 follower
- 0 replies
- 947 views
https://www.youtube.com/watch?v=4G9jc5zD6K0
-
Antivirus vs malwares difference???
by CodeExplorer- 1 follower
- 6 replies
- 1.8k views
What is the difference between malwares and antivirus? I mean Antivirus slow down PC and erase legit files which are flagged as suspicious; not talking about the strange fact that protected/packed files are flagged as malicious. Anyway anti-viruses are still necessary or being careful on what you download from internet. And also I found hard to trust a single antivirus program. What antivirus you are using?
-
create malware
by moh- 2 followers
- 0 replies
- 1.1k views
My friend and I are collaborating on a project where we aim to develop a piece of malware for study and research purposes. Could anyone assist us in formulating our request in a way that clearly emphasizes the educational intent of the project and the importance of adhering to ethical guidelines
-
Is this a real malware?
by CodeExplorer- 1 follower
- 14 replies
- 1.4k views
Is this a real malware? C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk that file was renamed to Internet Explorer.vir It just a shortcut: "C:\Program Files\Internet Explorer\iexplore.exe" http://hi.ru/?dk71 It is detected by some antiviruses: https://www.virustotal.com/gui/file/9f9002954be80252c9cd7c73114ac2805343b14259619c08bbda50402899c8b4?nocache=1 InternetExplorer.vir
-
High-risk security vulnerabilities in apps
by PeterJon- 1 follower
- 2 replies
- 1.6k views
What are the high-risk or exploitable security vulnerabilities in APP? Have any experts done research or compilation in this field? I hope someone can share relevant information.
-
EMV Softwares
by Xyl2k- 4 followers
- 12 replies
- 33.5k views
Someone on telegram intrigued me by telling me about software to read credit card chips, so here are some files that I got from the net. The first software in question, on which I came across: "EMVStudio" belonging to emvstudio.com If I look for the files on VT, it communicates with auth.emvstudio.com, I come across these 3 archives: EMVStudio.rar - 1ba1fac55003d2c966f0071b2c126169254b35a38b4e2b913557c4fb0faadfdb Contains 8d6dacff8a098b8d02202e8c6a4a65bbe20b332ba58d6165cca6f958187864c4 also a file named 'gp' who seem a config file. emvstudio_v1.1.1.rar - 0bd11f024845c07e0df8fe2f080f4925dc44a289e4e59b079be0a68ed2fc42a6 Contains emvstudio_v1.1.2.exe - ce9187aa…
-
I got hit by the Locky ransomware
by blank- 2 followers
- 10 replies
- 6k views
A couple of days ago I was backing up some company server data, among which were some email inboxes. After downloading the archives I opened one of the emails to make sure the backup was successful. Apparently, that was a spam email with an infected attachment, so I lost all my data. All my files are encrypted with the .thor extensions, and I have a ransome note saying to visit jhomitevd2abj3fk.onion. From what I found online, this is an old ransomware (from around 2016), and there isn't a known way to decrypt the files. I've lost some stuff with quite a lot of sentimental value, and I don't really know how to proceed forward. I've been through a panic attack these d…
-
Malware sample for beginners
by unlisted- 2 followers
- 0 replies
- 1.8k views
Hello everyone ! Having been in infosec for a few years now, particularly on the Red Team side, I'm keen to discover new things. I have some basic knowledge of reverse engineering, but nothing too crazy. As I'm about to start a new contract on the Blue Team side, I'd like to practice a bit before starting. So I'd like to know your opinion on an easy malware family to reverse for a beginner. Thank you.
-
Pass Debugger Check in VMprotect 2.x 1 2 3 4
by mojtaba- 1 follower
- 86 replies
- 15.2k views
I'm dealing with an app which is protected whit VMProtect 2.x (Checked by DIE). i checked some windows api like : CheckRemoteDebuggerPresent () IsDebuggerPresent () ... and use some ollydbg plugins like: Olly Advanced Hide Debugger StrongOD But it still get this error: Here is my log data:log-MyApp.txt what should i do to pass this error and open the app by debugger?
-
How is it Possible to Ransomware Decryption Extension ".msop"
by Faisal Mehmood- 1 reply
- 2.1k views
Hi! Everyone Kindly give mein solution ransomeware ".msop" extension for decryption. How is it possible to decryption this extension
-
Recently I caught some malware on my PC
by TishSerg- 1 reply
- 3.1k views
Recently I caught some malware on my PC... I got rid of it and cleaned all places I could find in the system (Task Scheduler, autoruns, hosts, new user, remote manipulator software, WinDefender exceptions, AppLocker policy). I found the install script of that shit. Now I wonder what is inside all those malware binaries. So far I know they (or at least some of them) are compiled AutoIt scripts protected with Themida. I was Googling about that. That's how I came here. @koolk @root it looks like you are Jedi Masters here. Could you help me to take a look inside those exe's if I send you them?
-
- 1 follower
- 0 replies
- 2.8k views
Hi all, this is my analysis of Disk Knight, an old usb-spread worm (written in VB6) from 2007 that I first encountered at my school PC Lab around that time. ENGLiSH VERSiON: https://lucadamico.dev/papers/malware_analysis/DiskKnight.pdf iTALiAN VERSiON: https://lucadamico.dev/papers/malware_analysis/DiskKnight_ITA.pdf I'm also attaching both PDF files here, just in case. I'm more interest in old-school malware that have an interesting background history behind them (for example, Disk Knight became a worm due to some programming errors), have nice/funny (or scarry) payloads or are motivated by some weird physicological reasons: in other wor…
-
- 0 replies
- 3.9k views
Hi, I'm studying Penetration Testing and part of the training obviously focuses on solving CTF challenges. You must be asking yourself how the name of the title is related to PT? Well, it's probably not that related, but there is a challenge that really caught my attention and I've been trying to solve it for a long time without success. The challenge contains a malicious file and the task is to investigate the file and find the FLAG hidden inside the file. So I will detail a bit about the malware and what I was able to understand from the code: Code details: Assembly - https://pastebin.com/asWi6a2M (IDA PRO) Decompiler - https://pastebin.com/4XmaQ…
-
Mimikatz (Benjamin Delpy)
by ramaaaa- 2 followers
- 0 replies
- 3.9k views
Hi every body First time I ask some help on a reverse forum For a challenge, we have to analyse a packed sample (spooler.zip / password : infected) spooler.zip You will see in the word document actions I try to do. I try to debug the depacked sample but there are some protections that I am not able to eliminate Could you help me ? (in two posts, because limited to 1000kb) analysis.docx
-
- 1 follower
- 2 replies
- 8k views
n
-
Malware Sample analysis, MS-DOS
by Nexusburst- 1 follower
- 1 reply
- 4.5k views
Analyzing a MS-DOS malware (Possibly). Is it possible if I can get more information on this malware as I have not been able to decipher the actual effects and features of the malware ? Findings: Not a PE file, nor an executable or DLL and possibly some form of cascade virus. Info: will be marked by windows defender as a Trojan, Unpack the malware in a sandbox to carry out testings, recommended to NOT unpack in your actual systems. MS-DOS_Malware.zip
-
- 0 replies
- 6.8k views
As far as I know, the file gets the actual malware (RAT to be specific) file from the resources and opens it. I'm stuck on the string decryption part. It's protected with Confuser.Core 1.6.0+447341964f The assembly is .NET, C# LinkApprove.exe
-
Win 10 64-bit MBR Bootkit
by JMC31337- 12 replies
- 8.7k views
Working on a bootkit rootkit for Win 10 64-bit MBR versions All checksums and digital sig verifications have been bypassed Dump all modifications as it goes along This is completed Stage 1: 1) access bootmgr (compressed) via volume mount WMI API avoiding mounts 2) decompress bootmgr -> obtaining bootmgr.exe 3) patch the digital sig verifier 4) sig the exe with This program cannot be ran in ZZZ mode 5) patch the PE header checksum location with proper checksum 6) re-compress the bootmgr.exe -> bootmgr 7) overwrite the OS default bootmgr ===== Ill explain more later, im tired File password: infected M…
-
NotInfected!!
by CodeExplorer- 1 follower
- 4 replies
- 7.5k views
NotInfected!! NotInfected.exe Lol, any Visual C++ 6.0 contains viruses? WTF? https://www.virustotal.com/gui/file/c6fa6a71f25b0b081cb3107f69bbc6dd027a6493c1c87944dfe458737a2b3efe?nocache=1
-
BitRAT steals users' files.
by karan- 0 replies
- 5.5k views
BitRAT is a hacking tool currently sold in several hacking forums. The developer added a malicious code inside the BitRAT code that can steal files. Github repo : https://github.com/miketestz/BitRAT_is_Thief
.thumb.jpeg.2543d876893bc4a3f440e4ab77c7e3f0.jpeg)
