Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
359 topics in this forum
-
Live Malware Samples...
by Teddy Rogers - 18 replies
- 25.8k views
Thought I would start a topic with a list of places to find malware samples. Feel free to post other sources if you have any... and remember live samples will be harmful to your computer, so if you don't know what you're doing and/or how to work with malware, don't read any further for the sake of your own sanity... Malware Domain List: http://www.malwaredomainlist.com/mdl.php Malware Blacklist: http://www.malwareblacklist.com/showMDL.php Ted.
-
I got hit by the Locky ransomware
by blank - 2 followers
- 9 replies
- 1.3k views
A couple of days ago I was backing up some company server data, among which were some email inboxes. After downloading the archives I opened one of the emails to make sure the backup was successful. Apparently, that was a spam email with an infected attachment, so I lost all my data. All my files are encrypted with the .thor extension, and I have a ransom note saying to visit jhomitevd2abj3fk.onion. From what I found online, this is an old ransomware (from around 2016), and there isn't a known way to decrypt the files. I've lost some stuff with quite a lot of sentimental value, and I don't really know how to proceed. I've been through a panic attack these d…
-
How is it Possible to Decrypt the Ransomware Extension ".msop"
by Faisal Mehmood - 1 reply
- 742 views
Hi everyone! Kindly give me a solution for decrypting the ransomware ".msop" extension. How is it possible to decrypt this extension?
-
- 1 follower
- 0 replies
- 1.6k views
Hi all, this is my analysis of Disk Knight, an old USB-spread worm (written in VB6) from 2007 that I first encountered at my school PC lab around that time. ENGLISH VERSION: https://lucadamico.dev/papers/malware_analysis/DiskKnight.pdf ITALIAN VERSION: https://lucadamico.dev/papers/malware_analysis/DiskKnight_ITA.pdf I'm also attaching both PDF files here, just in case. I'm more interested in old-school malware that has an interesting background history behind it (for example, Disk Knight became a worm due to some programming errors), has nice/funny (or scary) payloads or is motivated by some weird psychological reasons: in other wor…
-
Recently I caught some malware on my PC
by TishSerg - 1 reply
- 1.9k views
Recently I caught some malware on my PC... I got rid of it and cleaned all the places I could find in the system (Task Scheduler, autoruns, hosts, new user, remote manipulator software, WinDefender exceptions, AppLocker policy). I found the install script of that shit. Now I wonder what is inside all those malware binaries. So far I know they (or at least some of them) are compiled AutoIt scripts protected with Themida. I was Googling about that. That's how I came here. @koolk @root it looks like you are Jedi Masters here. Could you help me take a look inside those exe's if I send them to you?
-
- 0 replies
- 2.8k views
Hi, I'm studying Penetration Testing and part of the training obviously focuses on solving CTF challenges. You must be asking yourself how the title is related to PT? Well, it's probably not that related, but there is a challenge that really caught my attention and I've been trying to solve it for a long time without success. The challenge contains a malicious file and the task is to investigate the file and find the FLAG hidden inside it. So I will detail a bit about the malware and what I was able to understand from the code: Code details: Assembly - https://pastebin.com/asWi6a2M (IDA PRO) Decompiler - https://pastebin.com/4XmaQ…
-
Mimikatz (Benjamin Delpy)
by ramaaaa - 2 followers
- 0 replies
- 2.8k views
Hi everybody. This is the first time I've asked for help on a reversing forum. For a challenge, we have to analyse a packed sample (spooler.zip / password: infected) spooler.zip You will see in the Word document the actions I tried to do. I tried to debug the unpacked sample, but there are some protections that I am not able to eliminate. Could you help me? (in two posts, because limited to 1000kb) analysis.docx
-
Malware Sample analysis, MS-DOS
by Nexusburst - 1 follower
- 1 reply
- 2.9k views
Analyzing an MS-DOS malware (possibly). Is it possible to get more information on this malware, as I have not been able to decipher the actual effects and features of the malware? Findings: Not a PE file, nor an executable or DLL, and possibly some form of Cascade virus. Info: will be marked by Windows Defender as a Trojan. Unpack the malware in a sandbox to carry out testing; recommended to NOT unpack on your actual systems. MS-DOS_Malware.zip
-
- 0 replies
- 4.9k views
As far as I know, the file gets the actual malware (RAT, to be specific) file from the resources and opens it. I'm stuck on the string decryption part. It's protected with Confuser.Core 1.6.0+447341964f. The assembly is .NET, C#. LinkApprove.exe
-
NotInfected!!
by CodeExplorer - 1 follower
- 4 replies
- 5k views
NotInfected!! NotInfected.exe Lol, any Visual C++ 6.0 contains viruses? WTF? https://www.virustotal.com/gui/file/c6fa6a71f25b0b081cb3107f69bbc6dd027a6493c1c87944dfe458737a2b3efe?nocache=1
-
BitRAT steals users' files.
by karan - 0 replies
- 4.3k views
BitRAT is a hacking tool currently sold on several hacking forums. The developer added malicious code inside the BitRAT code that can steal files. Github repo: https://github.com/miketestz/BitRAT_is_Thief
-
- 1 reply
- 3.7k views
Hi. In order to advance myself in malware analysis I solve tasks from the widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze malware samples found in pcaps. The one that puzzles me a lot is from the 2019-06-22 task. Particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899). https://www.malware-traffic-analysis.net/2019/06/22/index.html What exactly puzzles me is that it basically doesn't show any red flags during basic static analysis. # Its import table is pretty "herbivore". # Strings don't show any obvious indicators. # The only thing that looks strang…
-
Win 10 64-bit MBR Bootkit
by JMC31337 - 12 replies
- 6.9k views
Working on a bootkit/rootkit for Win 10 64-bit MBR versions. All checksums and digital sig verifications have been bypassed. Dump all modifications as it goes along. This is completed Stage 1: 1) access bootmgr (compressed) via volume mount WMI API avoiding mounts 2) decompress bootmgr -> obtaining bootmgr.exe 3) patch the digital sig verifier 4) sig the exe with "This program cannot be ran in ZZZ mode" 5) patch the PE header checksum location with proper checksum 6) re-compress the bootmgr.exe -> bootmgr 7) overwrite the OS default bootmgr ===== I'll explain more later, I'm tired. File password: infected M…
-
AV Evasion techniques or no...
by PeterN - 1 follower
- 1 reply
- 4.3k views
This is what poor advice from a course on malware creation looks like.
-
- 1 follower
- 2 replies
- 4.4k views
I've looked on this forum, other forums, I have Googled, and used Stack Overflow, but nothing useful seems to come out of it. I was wondering if any of you guys know a way to get the complete source code of a DLL that is written in C++. Thank you.
-
Sandboxes Artifacts for AntiVM and anything
by JewishKinger - 0 replies
- 5.1k views
Hello everyone! Recently, I came up with the idea to hide the RAT and send it several times to VirusTotal. The purpose of these actions is to isolate virtual machine artifacts from the VirusTotal sandbox. As a result, I collected lists of processes obtained from the virtual machines on which the RAT was executed. It's funny that after numerous build submissions, I saw connections from Russian, Chinese, Czech, German servers (not counting VirusTotal). I have successfully collected all the artifacts into one repository. I think it will be very useful for malware developers. It took me 2-3 hours to send numerous builds to their servers and collect …
-
- 1 follower
- 0 replies
- 5.3k views
Hi everyone, I found a trojan horse while searching for a DLL injector, so I tried to unpack it, but de4dot failed because it has multiple protections. I uploaded the target to VirusTotal and found that Kaspersky and ESET and other antiviruses say: UNDETECTED, but I am pretty sure it's a trojan horse (VirusTotal scan result). I checked it using dnSpy after I used de4dot more than once. The source code is still unreadable, so I thought there might be another way to unpack this file. If someone managed to unpack it, please write a tutorial; I want to learn what to do when it comes to binaries packed this way. Target can be downloaded here: Download Link Greetz
-
- 1 follower
- 7 replies
- 6.5k views
Hi. Literally an hour ago, a massive phishing link was sent on Discord across all private messages and servers, which is why many channels blocked and/or muted me. I remembered that some time ago I came across the so-called Discord Perks that improve the user experience. And last time I was not embarrassed by the fact that I load extraneous scripts without proper analysis. I found the files that I downloaded, began to analyze them in more detail and found too suspicious and obvious malware insertions. Could you help de-obfuscate the part that was obfuscated to understand where and how the data was sent? A large number of people were affected by this plugin, as t…
-
[HelpMe] pyArmor Obfuscated Malware
by rhythm - 2 followers
- 3 replies
- 9.2k views
Does anybody have any suggestion for decompiling pyArmor-obfuscated code (main.pyc)? I have no experience in Python decompiling. Someone attacked our entities with this malware and I want to study the actual malicious code. You can download this malware at ... https://app.any.run/tasks/0fea95f7-25cf-4b7a-b26b-f26ac4f1995d/ Malware source: https://www.adobe-flash-player.cc/down/flash_installer.exe main.pyc
-
HELP ME UNPACK MALWARE
by bemka - 2 replies
- 6.2k views
I see it on my computer. I can't decrypt it; it's logged into my Google account sending virus files to my friends. Can someone help me decipher it? DeviceId.exe
-
How to deobfuscate this malware?
by pested - 1 follower
- 2 replies
- 5.8k views
Uses a custom obfuscator.
-
- 1 reply
- 7.5k views
I am reversing a malware called Raccoon Stealer. It's written in C++. My problem is they use some libraries that IDA marks as unknown_libname; this is because it doesn't have signatures for them. I downloaded Class Informer and it pointed me that they use a library called nlohmann, a JSON parsing library for C++, but I can't figure out how I can add signatures for these libraries. Though I saw this repo (FLIRTDB) contains some signatures, the library is not included. Is there some sort of generator for these signatures I can use? Or how can I approach this situation? Thanks in advance.
-
- 0 replies
- 5.4k views
Hey folks, I wanted to share with you a PoC I worked on today. The idea behind it is, instead of hardcoding API names or even their hashes in case you used API hashing, we can receive this data from a server instead. You can even encrypt the data sent; this will complicate the analysis. Here is my PoC, have fun. It's very simple; working on improving it and making another one that uses API hashing. Maybe you learn a thing or two from this: https://gist.github.com/vxcute/30b1ea4ab792c1395e8c9cb8e92c384f
-
- 2 followers
- 9 replies
- 6.6k views
A victim related to me got infected with a virus, and I decided to perform some reverse engineering on it. The victim received an e-mail that claimed to be an invoice from a Portuguese company called "Galp". This seems to be a virus specifically made for this scam since the code has function and variable names that make sense if interpreted as the Portuguese language. I would like to mention that I'm trying to keep this guide as educational as possible so that newer people can also get something out of it and, therefore, there may be some statements and explanations that are not needed for experts. To all the experts out there, I apologize. I would also like to rec…