Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
Does anyone have old Locky sample?
by gundamfj - 7 replies - 5.4k views
So I am doing research on Locky. I notice the recent Locky sample doesn't import SMB-related APIs. You may have heard that Locky also tries to encrypt files in network shares, e.g. printers. So does anyone have old Locky samples (5 months ago)? I got one old sample from one guy in this forum, but that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.
need help to unpack .NET malware
by gundamfj - 17 replies - 9.3k views
I have this malware (possibly a Locky variant), which is packed by an unknown packer (de4dot -d). It looks like it's packed by a customized ConfuserEx, but I am not 100% sure (newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc, and monitor the size of the memory region it allocates. If the memory region is large enough to hold the malware's actual payload, keep an eye on it; maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on a system API like VirtualAlloc? I know I could use a debugger like Olly, but if I open…
cerber ransomware reverse question
by Guest kinn7s - 3 replies - 5.9k views
Hi, I'm reversing this ransomware after an interesting read found surfing the net: hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ What I'm trying to do is reverse the file encryption routines. I found where the key is generated, the buffer encrypted, etc. I can't understand how the key is encrypted and stored in the file (to decrypt the original key)! If someone is really interested, I'll share my findings (malware authors read this forum too, I guess...). I'm doing this only because it's become a big challenge to me and I can't move on... sorry for my English.
I have a malicious dotnet sample
by Hacktreides - 5 replies - 5.8k views
Hello, I have a malicious dotnet sample packer; does anyone know the packer type and how to unpack it? I have tried de4dot but it failed. Thank you. Dumped.zip
Research Rootkit (Linux)
by kao - 0 replies - 4.7k views
https://github.com/NoviceLive/research-rootkit
Reference a movie? auscultated code!
by 0nion - 1 reply - 5k views
A reference from the "Blackhat" movie (2015). The hacker cracks encrypted code. How does malware end up having encrypted code? And how to crack that? Any information, tutorial or article would be appreciated. I do reverse engineering using IDA Pro (static analysis).
Guide for Static malware analysis [?]
by Cyberwarfare - 5 replies - 5.6k views
Is there any ebook, video series or tutorial on reverse engineering using IDA Pro (static analysis)? I will appreciate your concern! Thanks
(Help Request) .Net Protector Identification
by madskillz - 25 replies - 21.3k views
Hi, I tried DIE, PEiD, Protection ID, RDG, but cannot detect the protector. de4dot detected it as DeepSea, but deobfuscation was not done. File attached: FoxUserTools.zip. The file can be malware, etc., please use a VM and protection. Need packer identification and unpack help. Regards
reversing industrial malwares
by Mr.peach - 6 replies - 5.4k views
Hi all experts, I want to know what tools are used to analyze industrial malware.
Reversing an obfuscated java malware
by Extreme Coders - 1 reply - 6.4k views
This document is a small write-up demonstrating tools and techniques that can be used while reversing Java code. The malware used for this purpose is the AlienSpy RAT (Remote Access Trojan), which has also been attached to this post. The password of the file malware sample.rar is "infected". This is live malware. Secure your system before tinkering with it. Additionally, the decompiled source code of the malware has also been provided for study. Attachments: Reversing an obfuscated java malware.pdf, malware sample.rar, decompiled malware source.rar
Reverse Kaspersky Virus Signatures
by helderc - 4 replies - 7.2k views
Does anybody know how to reverse Kaspersky virus signatures? I have been looking for something like that in the leaked source code, but it's huge and I couldn't find anything. Comments are welcome!
Which Virtual Machine Software do you prefer?
by deepzero - 1 follower - 61 replies - 34.3k views
Hi, I have been using Microsoft VirtualPC for years now. Which virtualization software do you prefer?
Tyupkin Malware...or bank's worst nightmare
by cucuielu - 1 reply - 6.2k views
Can anyone fully deobfuscate these 2 samples? MALWARE!!! It's not meant for regular PCs... Tyupkin.zip
WinRAR Vulnerability...
by Teddy Rogers - 6 replies - 6.4k views
WinRAR Vulnerability: https://blog.malwarebytes.org/security-threat/2015/09/latest-winrar-vulnerability-has-yet-to-be-patched/ Ted.
[DecompileMe] Virus found in my PC [.NET]
by bomblader - 4 replies - 6.6k views
Looks like I was infected by some virus, no idea where I got it. It's .NET. You have to run it like this in order for it to run: adobe_flash_player.exe /00000017 Can anyone decompile this and find out what it's doing? Looks like a custom obfuscator was used. De4Dot is cleaning it up, but strings and other data are still encrypted. Thanks! adobe_flash_player.rar
0 replies - 5.6k views
Table of contents: All I can say is that I really enjoyed the book. Get your own copy from hxxp://ifreebooks.com/book/6295/ or your favorite torrent tracker.
Tutorials About Viruses
by CodeExplorer - 0 replies - 6.6k views
Tutorials About Viruses. Download link: http://www82.zippyshare.com/v/GFWYz9g2/file.html
Tutorials list (176 tutorials):
64-bit rugrats.pdf
A Survey of Cryptologic Issues in Computer Virology.pdf
Advanced Code Evolution Techniques and Computer Virus Generator Kits.pdf
Advanced Metamorphic Techniques in Computer Viruses.pdf
Advanced Polymorphic Techniques.pdf
AGIS- Towards Automatic Generation of …
Reverse malware PDFs
by CodeExplorer - 0 replies - 5.1k views
Reverse malware PDFs. Link: http://repo.hackerzvoice.net/depot_madchat/vxdevl/reverse/
VX Reversing I, the basics & VX Reversing II, Sasser.B
by CodeExplorer - 0 replies - 4.8k views
VX Reversing I, the basics & VX Reversing II, Sasser.B: tutorials about viruses. VX_Reversing_I&II.zip
Malware Forensics- Investigating and Analyzing Malicious Code
by CodeExplorer - 0 replies - 5.3k views
Malware Forensics - Investigating and Analyzing Malicious Code. Download link: http://www97.zippyshare.com/v/JZbv2iGo/file.html
Identifying Malicious Code Through Reverse Engineering
by CodeExplorer - 0 replies - 5.5k views
Identifying Malicious Code Through Reverse Engineering. Author: Sushil Jajodia. Identifying Malicious Code Through Reverse Engineering.zip
.Net Malware Analyses
by CodeExplorer - 0 replies - 6.9k views
.Net Malware Analyses. Malicious download link: http://downloadcsoftware.blogspot.ro/2014/09/download-reaver-pro-wifi-hack-full-crack.html
http://pasted.co/21439e76
Do not execute the malware!

    private static void Main()
    {
        // Dew returns the bytes of the assembly to be loaded
        Running = Assembly.Load(Dew("Bctlx.pryor.resources"));
        Swagger("Scribe", new object[] { Dew("Myft.pryor.resources"), false, "winini.exe", true, 0 });
        while (Threads.Count > 0)
        {
            Threads.Dequeue().Join();
        }
    }

On the Swagger method:

    private static void Swagger(string name, params object[] values)
    {
        Thread item = new Thread(delegate
        {
            Type type = Running.GetType("Ax");
            …
Process replacement question
by Pancake - 1 reply - 5.4k views
Hi. I'm about to try a proof of concept process replacement technique. I have some questions, though. First of all, when I create a process as suspended, where is it actually halted? The sections are mapped, right, but are imports resolved? (And what comes with it: do I have all the useless import DLLs from the old process loaded or not?) The next question is pretty similar. If I create a process from system32, like svchost or lsass, and then I replace it with anything from another folder, will the imports be properly resolved? Because from what I see, if the replacement exe has some custom DLL near it, then the loader will look for it inside system32 instead of the replacement process directory, …
6 replies - 6k views
What is the best way for a heuristic malware scan, and what should a good AV check?
0 replies - 4.7k views
http://www.theregister.co.uk/2015/08/06/emissary_panda_apt_group_dell/