Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
359 topics in this forum
-
fake crack sites
by Xyl2k- 2 followers
- 10 replies
- 14.3k views
So you want to download some releases from snd? Alright, let's look at snd.webscene.ir; the distribution section menu contains a link pointing at hxtps://keygens.pro/. Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND, hxtps://keygens.pro/crack/729775/. lol @ the description on the page, didn't know Reagan was from snd and born in Russia. Anyway, we get redirected to a download page after clicking the 'Download only Keygen' button; we have to fill in a captcha and agree to the conditions. The archive is password protected and contains only…
-
- 1 reply
- 7.5k views
I am reversing a malware called Raccoon Stealer. It's written in C++. My problem is they use some libraries that IDA marks as unknown_libname; this is because it doesn't have signatures for them. I downloaded Class Informer and it pointed me to the fact that they use a library called nlohmann, a JSON parsing library for C++. But I can't figure out how I can add signatures for these libraries, though I saw this repo (FLIRTDB) contains some signatures but the library is not included. Is there some sort of generator for these signatures I can use, or how can I approach this situation? Thanks in advance.
-
- 0 replies
- 5.4k views
Hey folks, I wanted to share with you a PoC I worked on today. The idea behind it is that instead of hardcoding API names, or even their hashes in case you used API hashing, we can receive this data from a server instead. You can even encrypt the data sent; this will complicate the analysis. Here is my PoC, have fun. It's very simple; I'm working on improving it and making another one that uses API hashing. Maybe you learn a thing or two from this: https://gist.github.com/vxcute/30b1ea4ab792c1395e8c9cb8e92c384f
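Added example, not the poster's PoC or the linked gist: the analyst-side counterpart of API hashing, turning hashes (whether hardcoded or received from a server) back into export names by precomputing a hash-to-name table from the exports of the DLLs on the analysis VM. The hash implemented here is the classic 32-bit ROR-13 string hash used by a lot of position-independent shellcode; assuming it is the one a given sample uses is an assumption, and the real routine has to be read out of the disassembly. The export list and the "received" hash list are constructed stand-ins.

```python
# Added example: resolving API hashes back to names (ROR-13 assumed).
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name, no terminator.

    This is the assumed hash routine; replace it with whatever the
    sample's own resolver does once you have read that code.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_lookup(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export name we know about."""
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if table.get(h, name) != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each hash the sample uses (or receives from its server) to a name, or None."""
    return [table.get(h & MASK32) for h in hashes]


# Constructed stand-in for the names you would dump from the export
# directory of kernel32.dll / ntdll.dll on the analysis machine.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread",
]


def demo() -> List[Optional[str]]:
    """Resolve a constructed list of received hashes; one is deliberately unknown."""
    table = build_lookup(SAMPLE_EXPORTS)
    received = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"),
                ror13_hash("VirtualProtect"), 0xDEADBEEF]
    return resolve_hashes(received, table)


if __name__ == "__main__":
    for name in SAMPLE_EXPORTS:
        print(f"{ror13_hash(name):08x}  {name}")
    print(demo())
```

In practice, load the export names from every DLL the sample could plausibly resolve against, because an unresolved hash is either a name you did not include or a different hash routine (many loaders also fold the upper-cased, UTF-16 module name into the hash, which this example does not do).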
-
Unknown Packer
by payam5959- 1 follower
- 4 replies
- 7.9k views
I am trying to unpack 2 DLL files which I'm not sure what they do; they seem to memory patch some files. With DiE they are detected as VMProtect, but when I browse them with CFF Explorer and look at the different sections, I only see TORO0 and TORO1 with no vmp sections. I am not sure if it is VMP, so I have no clue how to unpack. Can someone provide me some information on which kind of packer I am confronted with? Also I can provide a sample DLL if someone can help. Regards, payam
-
- 2 followers
- 9 replies
- 6.6k views
A victim related to me got infected with a virus, and I decided to perform some reverse engineering on it. The victim received an e-mail that claimed to be an invoice from a Portuguese company called "Galp". This seems to be a virus specifically made for this scam since the code has function and variable names that make sense if interpreted as Portuguese. I would like to mention that I'm trying to keep this guide as educational as possible so that newer people can also get something out of it and, therefore, there may be some statements and explanations that are not needed for experts. To all the experts out there, I apologize. I would also like to rec…
-
PE Self Injection Not Working
by senuzulme99- 1 follower
- 7 replies
- 5.5k views
I'm working on a different PE injection technique. I want to inject a PE file into the virtual memory of the current executable. After that, I want to execute the injected PE file. I wrote the inject code but my method is not working. The DOS header and NT header parse correctly, I write the sections correctly and create a new thread on the entry point of the .text section, but the thread is not working. What is the problem here? #include <iostream> #include <windows.h> int main() { DWORD* ImageBase; void* pImageBase; IMAGE_NT_HEADERS* NTHeader; IMAGE_DOS_HEADER* DOSHeader; IMAGE_NT_HEADERS* mem_NTHeader; IMAGE_DOS_HEADER* mem_DOSHeader; IMAGE_SECTION_HEADER* SecHeader; …
-
Polymorphic Parasitic Wiper (x86)
by JMC31337- 1 reply
- 5.6k views
This is polymorphic (insofar as about 100 bytes of do-nothing code is inserted into its decoding routine) and has a hard-coded XOR (easily rotated per infection if you know what you're doing). I'll be writing up a white paper explaining the abuse of the DllCharacteristics value in the EXE PE header; Teddy wrote a little dissertation on this forum way back. Basically, once the entry point is changed and the infected host is set to DllChars = 0, the entry point is within a RW section of memory (last section) but DEP won't kick in, allowing RWX all across user-space memory (tested on Win10 Pro v1909 build 18363.592). Also, since DllChars is set to…
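Added example, not the poster's wiper or write-up: a static triage check for the infection pattern described above, written in plain Python with no third-party PE library. It parses the DOS/NT headers and section table, finds the section that contains AddressOfEntryPoint, and flags an entry point that lands in a non-executable or writable (typically last, appended) section together with a DllCharacteristics field that has NX_COMPAT (0x0100) and DYNAMIC_BASE (0x0040) cleared. The two PE images it runs on are constructed in memory (headers only, no real code); the flag values come from the PE/COFF specification.

```python
# Added example: flag entry-point-in-RW-section plus cleared DllCharacteristics.
import struct

# Flag constants from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Parse just what triage needs: entry RVA, DllCharacteristics, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER follows the file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    off = opt + size_of_optional
    for _ in range(num_sections):
        name, vsize, va, rawsize, _p, _r, _l, _nr, _nl, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "chars": chars})
        off += struct.calcsize(SECTION_HDR)
    return {"entry_rva": entry_rva, "dll_chars": dll_chars, "sections": sections}


def triage_entry_point(data: bytes) -> dict:
    """Return the entry section and a list of reasons the image looks tampered with."""
    pe = parse_pe(data)
    ep = pe["entry_rva"]
    reasons, hit = [], None
    for idx, s in enumerate(pe["sections"]):
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):
            hit = idx
            break
    entry_name = None
    if hit is None:
        reasons.append("entry point lies outside every section")
    else:
        s = pe["sections"][hit]
        entry_name = s["name"]
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"entry section {entry_name} is not marked executable")
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"entry section {entry_name} is writable")
        if hit == len(pe["sections"]) - 1 and s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("entry point is in the last (appended) writable section")
    if not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        reasons.append("NX_COMPAT cleared in DllCharacteristics (DEP opt-out)")
    if not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        reasons.append("DYNAMIC_BASE cleared in DllCharacteristics (no ASLR)")
    return {"entry_rva": ep, "entry_section": entry_name, "dll_chars": pe["dll_chars"],
            "suspicious": bool(reasons), "reasons": reasons}


def build_sample_pe(entry_rva: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 (headers only): .text is RX, .data is RW and last."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    struct.pack_into("<H", opt, 70, dll_chars)                    # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    layout = ((b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040))
    secs = b"".join(struct.pack(SECTION_HDR, n, 0x1000, va, 0x200, 0x400 + i * 0x200, 0, 0, 0, 0, ch)
                    for i, (n, va, ch) in enumerate(layout))
    return bytes(dos) + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    clean = build_sample_pe(0x1010, IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    infected = build_sample_pe(0x2040, 0)   # entry moved into .data, DllChars = 0
    for label, blob in (("clean", clean), ("infected", infected)):
        print(label, triage_entry_point(blob))
```

On a real file, call `triage_entry_point(open(path, "rb").read())`. A cleared NX_COMPAT only matters for how the loader applies DEP on that host; whether DEP actually stays off depends on the system-wide policy, so treat the flag as an indicator to confirm dynamically rather than as proof of RWX.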
-
How to deobfuscate this malware ?
by Ternick- 6 replies
- 7.6k views
I cannot unpack this sample, Obfuscated BE CAREFULLY(DON'T RUN ON MAIN PC).exe; the code is obfuscated all the time. Most likely packed with this: https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed. But his application for unpacking from his own thread does not work for this sample.
-
Decompile JSC files
by Krabby- 1 reply
- 7.5k views
During my research, I noticed that there are some differences between packed Electron apps. Some of them are really easy to unpack, and the source code is really understandable and not too obfuscated. Sometimes I found the whole source compiled into a JavaScript compiled file. The obfuscation of the code doesn't seem too hard; in fact, if it was packed with bytenode there's still the possibility to debug it with the same module. But, to get deeper into it, what could be a good approach to analyze it fully? Because it looks like it has no library dependencies, since all the node modules used are packed inside the .jsc file. Also it's quite hard to debug it…
-
Cuckoo's Egg (proc injection)
by JMC31337- 1 follower
- 0 replies
- 5.1k views
Call it cuckoo's egg because a cuckoo bird is a parasite that lays its eggs in other birds' nests (got started on this idea in order to self-delete my virus). Searches through all processes and injects a remote thread spawning a message box in every memory location with RWX. Combined and modded-up code from rwx-hunter.cpp and https://www.cnblogs.com/LyShark/p/13707084.html #include <windows.h> #include <iostream> #include <psapi.h> #include <TlHelp32.h> #include <stdio.h> #include <conio.h> unsigned char shell2[] = "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xB9\xFF\xFF\xFF\xFF\xFF\xD1\xC3"; //pusha //push 0 //push 0 …
-
Mastering Malware Analysis - Free eBook
by Teddy Rogers- 1 follower
- 4 replies
- 10.7k views
Ted.
-
Can't unpack malware under VM
by Awaken- 1 follower
- 3 replies
- 6.4k views
Hello, I'm trying to reverse malware, but can't remove the protection. I think this is KoiVM (names in PE header), but OldRod can't devirtualize it. What can I do? Help please. Password: infected. Btw, that malware checks whether it runs on a VM or not. vklctukzxyuvdxvcsx.zip
-
Anubis 2.5 source code by vx-underground
by deepzero- 1 follower
- 0 replies
- 6.2k views
-
Help unpack Malware with VMProtect
by pl3xx- 1 follower
- 4 replies
- 6.4k views
Howdy, anyone willing to give a hand? Mega.nz
-
- 2 replies
- 5.1k views
Need help to unpack a malware; I uploaded a crackme. I need to study the code. I managed to obfuscate some but I don't have the knowledge to complete this. hive_test-original.exe
-
- 2 replies
- 4.7k views
I read one article about the analysis of some Trojan, where a friend wrote that "hardly anyone needs the name of the mutex." What can this be connected with? It's just that hashes are usually translated along with the virus, by which it can be easily identified, but it seems to me that mutexes are also getting better at this.
-
Is Malware Analysis vs Reverse Engineering?
by Jason Long- 6 replies
- 5.3k views
Hello, must a malware analyser know reverse engineering? In other words, is a malware analyser a reverse engineer? Thank you.
-
Deobfuscate a malicious program
by Borun- 2 replies
- 4.6k views
Hello guys, I have a program here that is intercepting data and sending it to a server. I need to be able to read a function called "Ss" that receives a payload as a parameter; it is obfuscated by .NET Reactor 4.5+. I found out that it is intercepting information when I analyzed the websocket traffic using Wireshark. Could someone deobfuscate the program for me or help me in the process?
-
Eclipse Theia alt to VSCode
by whoknows- 0 replies
- 4.2k views
It is a cloud & desktop IDE framework implemented in TypeScript. https://theia-ide.org/ Bonus: Banking Malware Spreading via COVID-19 Relief Payment Phishing - bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ cyberscoop.com/zoom-fbi-teleconference-hijacking/ nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/ nakedsecurity.sophos.com/2020/03/31/data-on-almost-every-citizen-of-georgia-posted-on-hacker-forum/
-
Malware music video
by Xyl2k- 11 replies
- 11.6k views
Hello, I've been doing reversing videos for some time now about exotic malware and fun things. My videos aren't about detailing specific threats, just a small overview of what they do (I try to keep my videos short in length). So if you like reversing, assembly and electronic/dubstep, here you go. Chinese adware and steganography Having a look on Win32/Kawpfuni.A (Military-espionage malware) Having a look on Trojan/Win32.Shifu (Shifu) Having fun with Tyupkin (ATM Malware) Having a look on CryptoFortress config Having fun with Dyre and API's Having a look on Win32/Modputty.A Having a look on Dridex config Having a look on GreenDispenser (ATM Malware) Having a look on DarkC…
-
Malware packed with vmprotect
by Vitor Sousa- 1 reply
- 4.5k views
Hi guys, sorry to disturb you, but I'm trying to analyze a sample that is protected with VMProtect. I tried most of the tutorials, but no good. I reach the API VirtualProtect and the change of section vmp0 to writable/executable, but then I can't figure out what to do next! It stays only in section vmp0 and does not advance to another. Can you please help me? data.docx
-
VirusTotal graphs about malware
by Xyl2k- 2 replies
- 5.3k views
Hey there, I've been playing with VirusTotal Graph for some weeks. Originally I did a graph just for building a landscape of files for ATM Wall; the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get vicious with VT Graph, so here are some interesting graphs I did based on VT and kernelmode.info: Zeus World (v2.1.0.1 and below): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of …
-
Malware Noname Bot Confused
by krown- 4 replies
- 4.7k views
Language:C# Platform: Windows Os version: all Protector:Confuserex Modded 6876469eb3a5382c0914593c0b9f00217c2d804d4ebb85a21a410b521450d281.exe
-
- 2 replies
- 4.5k views
Hi all, recently I've analyzed a VB malware sample. This VB injector runs on the physical analysis machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and send a DNS request to the C&C server. By the way, the VC runtime library and .NET Framework 2 & 4 are already installed on the virtual machine. I have not found any way to make the sample show any injection behavior by checking Process Monitor yet. Can anyone figure out the reason? I'd welcome any discussion, or if there is anyone who can dump out its Trojan body, please let me know, …
-
Zbot Malware Unpacking
by Pacman- 0 replies
- 4.4k views
Hi everyone, I have tried to unpack the Zbot malware but I cannot fully unpack it because it is packed with ASPack. I found the last loaded DLL and imported function by setting breakpoints on LoadLibraryA/W and GetProcAddress (the last DLL loaded is ntmarta.dll and the last function is GetMartaExtensionInterface). I continued to exit from the unpacking stub. I reached the marked address and selected the Analyze Code option. In the last state, I was dumping the debugged process using OllyDump, but this address may not be the OEP; also the IAT could not be fully repaired. I cannot progress any further. Can you help me please? I have tested all the known techniques. Do you have an idea?…