
Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. kat3chrome

    I read an article about the analysis of some Trojan, in which a friend wrote that "hardly anyone needs the name of the mutex." What can that be connected with? It's just that hashes are usually translated along with the virus, by which it can be easily identified, but it seems to me that mutexes are also getting better at this.

      • Like
    • 2 replies
    • 5.5k views
  2. Jason Long
    Started by Jason Long,

    Hello, must a Malware Analyser know Reverse Engineering? In other words, is a Malware Analyser a Reverse Engineer? Thank you.

      • Thanks
    • 6 replies
    • 6.3k views
    CodeExplorer
  3. Borun
    Started by Borun,

    Hello guys, I have a program here that is intercepting data and sending it to a server. I need to be able to read a function called "Ss" that receives a payload as a parameter; it is obfuscated by .NET Reactor 4.5+. I found out that it is intercepting information when I analyzed the websocket traffic using Wireshark. Could someone deobfuscate the program for me or help me in the process?

      • Haha
    • 2 replies
    • 5.4k views
  4. whoknows
    Started by whoknows,

    Is a cloud & desktop IDE framework implemented in TypeScript. https://theia-ide.org/ bonus Banking Malware Spreading via COVID-19 Relief Payment Phishing - bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ cyberscoop.com/zoom-fbi-teleconference-hijacking/ nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/ nakedsecurity.sophos.com/2020/03/31/data-on-almost-every-citizen-of-georgia-posted-on-hacker-forum/

    • 0 replies
    • 4.9k views
  5. Xyl2k
    Started by Xyl2k,

    Hello, I've been doing reversing videos for some time now about exotic malware and fun things. My videos aren't about detailing specific threats, just a small overview of what they do (I try to keep my videos short in length). So if you like reversing, assembly and electronic/dubstep, here you go. Chinese adware and steganography; Having a look on Win32/Kawpfuni.A (Military-espionage malware); Having a look on Trojan/Win32.Shifu (Shifu); Having fun with Tyupkin (ATM Malware); Having a look on CryptoFortress config; Having fun with Dyre and API's; Having a look on Win32/Modputty.A; Having a look on Dridex config; Having a look on GreenDispenser (ATM Malware); Having a look on DarkC…

      • Thanks
      • Like
    • 11 replies
    • 12.6k views
  6. Vitor Sousa
    Started by Vitor Sousa,

    Hi guys, sorry to disturb you, but I'm trying to analyze a sample that is protected with VMProtect. I tried most of the tutorials, but no good. I reach the API VirtualProtect, and the change of the section vmp0 to writable/executable, but then I can't figure out what to do next...! It stays only in the section vmp0 and does not advance to the others. Can you please help me? data.docx

    • 1 reply
    • 5.6k views
  7. Xyl2k
    Started by Xyl2k,

    Hey there, I've been playing with VirusTotal graph for some weeks. Originally I did a graph just for building a landscape of files for ATM Wall; the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get vicious with VT graph, so here are some interesting graphs I did based on VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of …

      • Like
    • 2 replies
    • 6.2k views
  8. krown
    Started by krown,

    Language: C# Platform: Windows OS version: all Protector: ConfuserEx Modded 6876469eb3a5382c0914593c0b9f00217c2d804d4ebb85a21a410b521450d281.exe

    • 4 replies
    • 5.5k views
  9. UniqueLegend

    Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on a physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and send a DNS request to the C&C server. By the way, the VC runtime library and .NET Framework 2 & 4 are already installed on the virtual machine. I have not yet found any way to make the sample show any injection behavior when checking Process Monitor. Can anyone figure out the reason? You're welcome to get in touch, or if there is anyone who can dump out its Trojan body, please let me know, …

      • Like
    • 2 replies
    • 5.3k views
  10. Pacman
    Started by Pacman,

    Hi everyone, I have tried to unpack the Zbot malware but I cannot fully unpack it because it is packed with ASPack. I have found the last loaded DLL and imported function by setting LoadLibraryA/W and GetProcAddress functions (the last loaded DLL is ntmarta.dll and the last function is GetMartaExtensionInterface). I have continued to exit from the unpacking stub. I've reached the marked address and I selected the Analyze Code option. Last state: I was dumping the debugged process using OllyDump, but this address may not be the OEP; also the IAT could not be fully repaired. I cannot progress any further. Can you help me please? I have tested all the known techniques. Do you have an idea?…

    • 0 replies
    • 5.3k views
  11. joxxx
    Started by joxxx,

    I am studying a virus. The virus hooks some functions of nt.dll loaded into the space of explorer.exe. It seems that the nt.dll loaded by another process (say wordpad.exe) may not be hooked by the virus. Is it possible to compare the two nt.dll address spaces and locate the hooked APIs? I am using Windows XP.

    • 1 reply
    • 5k views
  12. krown
    Started by krown,

    Malware Protected by Confuser modded sample(2).exe

      • Like
      • Thanks
    • 1 reply
    • 5.3k views
  13. cjack
    Started by cjack,

    Hi guys. I have a Linux "hacking challenge" x64 binary that is difficult to exploit; you can find it attached to this email. This binary is vulnerable to buffer overflow + ROP + canary bypass, so it will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field is also vulnerable to a format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... it will be possible to dump the stack and the canary value). Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary is "vulnelf") vulnelf

    • 0 replies
    • 5k views
  14. JMC31337
    Started by JMC31337,

    Grabbed it while cruising around on the iPhone AdobeFlashPlayer_Bundlore.zip

    • 0 replies
    • 11.5k views
  15. Videogamer555
    Started by Videogamer555,

    For example, some malware seems to know when it has been shut down via Task Manager, and starts itself running again. How does that work? If you stop it from running, it's not running, so it has no code running that can then detect that it's not running. It seems almost like magic.

    • 2 replies
    • 5.8k views
  16. JMC31337
    Started by JMC31337,

    MobileHunter base.apk

    • 0 replies
    • 19.5k views
  17. JMC31337
    Started by JMC31337,

    Linux Evil Gnome pass: infected HUGE APT collection with others where this came from at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip

    • 0 replies
    • 8.6k views
  18. kb432
    Started by kb432,

    How to implement a BIOS & UEFI based rootkit? Any sample online or guide? Thanks

      • Like
    • 2 replies
    • 7.1k views
  19. JMC31337
    Started by JMC31337,

    this is what I could find and rar up: 2 tmp files, 1 exe that is really a dll, 1 lnk file, 1 lnk file (suckme), 1 sys file, 1 dll file (suckme). vidnux.com, offensivecomputing, 4shared. it may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet I could only find 1... the sites where I found parts of this worm are listed... rar passwd: infected StuxNet.rar

      • Like
    • 29 replies
    • 57.1k views
  20. JMC31337
    Started by JMC31337,

    BlackRouter or variant thereof Also found at https://www.kernelmode.info/forum/viewtopic.php?t=5405 Pass: infected BlackRouter.zip

    • 0 replies
    • 12.8k views
  21. Teddy Rogers
    Started by Teddy Rogers,

    Hidden Bee: Let’s go down the rabbit hole https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/ Ted.

    • 0 replies
    • 4.1k views
    Teddy Rogers
  22. Xyl2k
    Started by Xyl2k,

    Hi there, with a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voila. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest were harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python and bintext for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned on the report. We have hashes which are without references (I mean not associate…

      • Thanks
      • Like
    • 3 replies
    • 9.1k views
  23. Teddy Rogers
    Started by Teddy Rogers,

    https://research.checkpoint.com/malware-against-the-c-monoculture/ Ted.

    • 0 replies
    • 4.8k views
    Teddy Rogers
  24. Cursedzx
    Started by Cursedzx,

    Can someone please tell me how to remove the antidebug and antitamper in this malware. I got all the methods decrypted except the strings. FilestealerMalware.exe

    • 1 reply
    • 6.9k views
  25. mercy12a1
    Started by mercy12a1,

    Recently I have been studying malware analysis on my own, as a college student, through books (Practical Malware Analysis), online tutorials (kienmanowar OllyDbg) and self programming. No experience yet, but I tried to write a simple keylogger program in C, and I was wondering: How can a keylogger program send data over the network to the attacker? Assuming the victim's machine has an Internet connection. I have done some research on C socket programming, but it seems like a non-practical way for a real-life keylogger program to achieve this purpose. I would appreciate it if someone could give me some keywords, links to related documents, or book names …

    • 2 replies
    • 4.9k views
