Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
- 1 follower
- 7 replies
- 7.2k views
Hi. Literally an hour ago, a massive phishing link was sent on Discord across all private messages and servers, which is why many channels blocked me and/or muddied me. I remembered that some time ago I came across the so-called Discord Perks that improve the user experience. And last time I was not embarrassed by the fact that I load extraneous scripts without proper analysis. I found the files that I downloaded, began to analyze them in more detail and found too suspicious and obvious malware insertions. Could you help de-obfuscate the part that was obfuscated to understand where and how the data was sent? A large number of people were affected by this plugin, as t…
- 1 follower
- 0 replies
- 5.6k views
Hi everyone, I found a trojan horse while searching for a dll injector, so I tried to unpack it, but De4dot failed because it has multiple protections. I uploaded the target to VirusTotal and found that Kaspersky and Eset and other antiviruses say: UNDETECTED, but I am pretty sure it's a trojan horse (VirusTotal scan result). I checked it using dnSpy after I used de4dot more than once. The source code is still unreadable, so I thought there might be another way to unpack this file. If someone managed to unpack it, please write a tutorial; I want to learn what to do when it comes to binaries packed this way. Target can be downloaded here: Download Link Greetz
[HelpMe] pyArmor Obfuscated Malware
by rhythm
- 2 followers
- 3 replies
- 10.1k views
Does anybody have any suggestion for decompiling pyArmor obfuscated code (main.pyc)? I have no experience in Python decompiling. Someone attacked our entities with this malware and I want to study the actual malicious code. You can download this malware at ... https://app.any.run/tasks/0fea95f7-25cf-4b7a-b26b-f26ac4f1995d/ Malware Source: https://www.adobe-flash-player.cc/down/flash_installer.exe main.pyc
HELP ME UNPACK MALWARE
by bemka
- 2 replies
- 6.6k views
I see it in my computer. I can't decrypt it, it's logged into my google account sending virus files to my friends. Can someone help me decipher it? DeviceId.exe
How to deobfuscate this malware?
by pested
- 1 follower
- 2 replies
- 6.1k views
uses a custom obfuscator.
fake crack sites
by Xyl2k
- 2 followers
- 10 replies
- 17k views
So you want to download some releases from snd? Alright, let's look at snd.webscene.ir; the distribution section menu contains a link pointing at hxtps://keygens.pro/ Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ the description on the page, didn't know Reagan was from snd and born in Russia. Anyway, we got redirected to a download page after clicking the 'Download only Keygen' button; we have to fill in a captcha and agree to the conditions. The archive is password protected and contains only…
- 1 reply
- 8.2k views
I am reversing a malware called Raccoon Stealer. It's written in C++. My problem is they use some libraries that IDA marks as unknown_libname. This is because it doesn't have signatures for them. I downloaded Class Informer and it pointed out to me that they use a library called nlohmann; it's a JSON parsing library for C++. But I can't figure out how I can add signatures for these libraries. I saw this repo (FLIRTDB) contains some signatures, but the library is not included. Is there some sort of generator for these signatures I can use? Or how can I approach this situation? Thanks in advance.
- 0 replies
- 5.7k views
Hey folks, I wanted to share with you a PoC I worked on today. The idea behind it is: instead of hardcoding API names, or even their hashes in case you used API hashing, we can receive this data from a server instead. You can even encrypt the data sent; this will complicate the analysis. Here is my PoC, have fun. It's very simple; I'm working on improving it and making another one that uses API hashing. Maybe you learn a thing or two from this: https://gist.github.com/vxcute/30b1ea4ab792c1395e8c9cb8e92c384f
Unknown Packer
by payam5959
- 1 follower
- 4 replies
- 25k views
I am trying to unpack 2 dll files which I'm not sure what they do. They seem to memory patch some files. With DiE it is detected as VMProtect, but when I browse them with CFF Explorer and look at the different sections, I'm only seeing TORO0 and TORO1 with no vmp sections. I am not sure if it is VMP and so I have no clue how to unpack it. Can someone provide me some information on which kind of packer I am confronting? Also I can provide a sample dll if someone can help. Regards, payam
- 2 followers
- 9 replies
- 7.1k views
A victim related to me got infected with a virus, and I decided to perform some reverse engineering on it. The victim received an e-mail that claimed to be an invoice from a Portuguese company called "Galp". This seems to be a virus specifically made for this scam since the code has function and variable names that make sense if interpreted as Portuguese. I would like to mention that I'm trying to keep this guide as educational as possible so that newer people can also get something out of it and, therefore, there may be some statements and explanations that are not needed for experts. To all the experts out there, I apologize. I would also like to rec…
PE Self Injection Not Working
by senuzulme99
- 1 follower
- 7 replies
- 5.9k views
I'm working on a different PE injection technique. I want to inject a PE file into the virtual memory of the current executable. After that, I want to execute the injected PE file. I wrote the inject code but my method is not working. The DOS header and NT header parse correctly, I write the sections correctly and create a new thread on the entry point of the .text section, but the thread is not working. What is the problem here? #include <iostream> #include <windows.h> int main() { DWORD* ImageBase; void* pImageBase; IMAGE_NT_HEADERS* NTHeader; IMAGE_DOS_HEADER* DOSHeader; IMAGE_NT_HEADERS* mem_NTHeader; IMAGE_DOS_HEADER* mem_DOSHeader; IMAGE_SECTION_HEADER* SecHeader; …
Polymorphic Parasitic Wiper (x86)
by JMC31337
- 1 reply
- 5.8k views
This is a polymorphic (insofar as about 100 bytes of do-nothing code is inserted into its decoding routine) wiper that has a hard coded XOR (easily rotated per infection if ya know what you're doing). I'll be writing up a white paper explaining the abusing of the DllCharacteristics value in the exe PE header - Teddy wrote a lil dissertation on this forum way back. Basically once the entry point is changed and the infected host is set to DllChars = 0, the entry point is within a RW section of memory (last section) but DEP won't kick in, allowing RWX all across the user space memory (tested on win version Win10 Pro v 1909 build 18363.592). Also since DLL Chars is set to…
How to deobfuscate this malware ?
by Ternick
- 6 replies
- 7.9k views
I cannot unzip this sample. Obfuscated BE CAREFULLY(DON'T RUN ON MAIN PC).exe code all the time. Most likely packed with this https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed. But his application for unpacking from his own thread does not work for this sample.
Decompile JSC files
by Krabby
- 1 reply
- 8.5k views
During my research, I noticed that there's some difference between packed Electron apps. Some of them are really easy to de-pack, and the source code is really understandable and not too obfuscated. Sometimes I found the whole source compiled into a JavaScript compiled file. The obfuscation of the code doesn't seem too hard; in fact, if it was packed with bytenode there's still the possibility to debug it with the same module. But, to get deeper into it, what could be a good approach to analyze it fully? Because it looks like it has no library dependency, since all the node modules used are packed inside the jsc file. Also it's quite hard to debug it …
Cuckoo's Egg (proc injection)
by JMC31337
- 1 follower
- 0 replies
- 5.3k views
Call it cuckoo's egg because a cuckoo bird is a parasite that lays its eggs in other birds' nests (got started on this idea in order to self delete my virus). Searches through all processes and injects a remote thread spawning a messagebox in every mem location with RWX. Combined and modded up code from rwx-hunter.cpp and https://www.cnblogs.com/LyShark/p/13707084.html #include <windows.h> #include <iostream> #include <psapi.h> #include <TlHelp32.h> #include <stdio.h> #include <conio.h> unsigned char shell2[] = "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xB9\xFF\xFF\xFF\xFF\xFF\xD1\xC3"; //pusha //push 0 //push 0 …
Mastering Malware Analysis - Free eBook
by Teddy Rogers
- 1 follower
- 4 replies
- 12.8k views
Ted.
Cant unpack malware under VM
by Awaken
- 1 follower
- 3 replies
- 6.6k views
Hello, I'm trying to reverse malware, but can't remove the protection. I think this is KoiVM (names in PE header), but OldRod can't devirtualize it. What can I do? Help please. password: infected Btw, that malware checks whether it runs on a VM or not. vklctukzxyuvdxvcsx.zip
Anubis 2.5 source code by vx-underground
by deepzero
- 1 follower
- 0 replies
- 6.4k views
Help unpack Malware with VMProtect
by pl3xx
- 1 follower
- 4 replies
- 6.9k views
Howdi, anyone willing to give a hand? Mega.nz
- 2 replies
- 5.5k views
Need help to unpack a malware, uploaded a crack.me. I need to study the code. I managed to obfuscate some but I have not the knowledge to complete this. hive_test-original.exe
- 2 replies
- 5k views
I read one article about the analysis of some Trojan, where a friend wrote that "hardly anyone needs the name of the mutex." With what can it be connected? It's just that hashes are usually transmitted along with the virus, by which they can be easily determined, but it seems to me that mutexes are also getting better in this.
Is Malware Analysis vs Reverse Engineering?
by Jason Long
- 6 replies
- 5.6k views
Hello, must a Malware Analyser know Reverse Engineering? In other words, is a Malware Analyser a Reverse Engineer? Thank you.
Deobfuscate a malicious program
by Borun
- 2 replies
- 4.8k views
Hello guys, I have a program here that is intercepting data and sending it to a server. I need to be able to read a function called "Ss" that receives a payload as a parameter; it is obfuscated by .NET Reactor 4.5+. I found out that it is intercepting information when I analyzed the websocket traffic using Wireshark. Could someone deobfuscate the program for me or help me in the process?
Eclipse Theia alt to VSCode
by whoknows
- 0 replies
- 4.4k views
Is a cloud & desktop IDE framework implemented in TypeScript. https://theia-ide.org/ bonus Banking Malware Spreading via COVID-19 Relief Payment Phishing - bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ cyberscoop.com/zoom-fbi-teleconference-hijacking/ nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/ nakedsecurity.sophos.com/2020/03/31/data-on-almost-every-citizen-of-georgia-posted-on-hacker-forum/
Malware music video
by Xyl2k
- 11 replies
- 11.9k views
Hello, I've been doing reversing videos for some time now about exotic malware and fun things. My videos aren't about detailing specific threats, just a small overview of what they do (I try to keep my videos short in length). So if you like reversing, assembly and electronic/dubstep, here you go. Chinese adware and steganography Having a look on Win32/Kawpfuni.A (Military-espionage malware) Having a look on Trojan/Win32.Shifu (Shifu) Having fun with Tyupkin (ATM Malware) Having a look on CryptoFortress config Having fun with Dyre and API's Having a look on Win32/Modputty.A Having a look on Dridex config Having a look on GreenDispenser (ATM Malware) Having a look on DarkC…