Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
- 2 replies
- 5.2k views
I read one article about the analysis of the some Trojan, there a friend wrote that "hardly anyone needs the name of the mutex." With what it can be connected? It’s just that hashes are usually translated along with the virus by which they can be easily determined, but it seems to me that mutexes are also getting better in this.
-
Is Malware Analysis vs Reverse Engineering?
by Jason Long- 6 replies
- 5.9k views
Hello, A Malware Analyser must know Reverse Engineering? In other word, a Malware Analyser is a Reverse Engineer? Thank you.
-
Deobfuscate a malicious program
by Borun- 2 replies
- 5k views
Hello guys, I have a program here that is intercepting data and sending to a server, I need to be able to read a function called "Ss" that receives a payload as a parameter, he is obfuscated by net reactor 4.5+, I found out that he is intercepting information when I analyzed the websocket traffic using the Wireshark. Could someone deobfuscate the program for me or help me in the process?
-
Eclipse Theia alt to VSCode
by whoknows- 0 replies
- 4.6k views
Is a cloud & desktop IDE framework implemented in TypeScript. https://theia-ide.org/ bonus Banking Malware Spreading via COVID-19 Relief Payment Phishing - bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ cyberscoop.com/zoom-fbi-teleconference-hijacking/ nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/ nakedsecurity.sophos.com/2020/03/31/data-on-almost-every-citizen-of-georgia-posted-on-hacker-forum/
-
Malware music video
by Xyl2k- 11 replies
- 12.1k views
Hello, I'm doing reverse videos since some time now about exotic malwares and fun things. My videos aren't about detailing specific threats, just small overview of what they do (i try to do my video small in length) So if you like reversing, assembly and electronic/dubstep here you go. Chinese adware and steganography Having a look on Win32/Kawpfuni.A (Military-espionage malware) Having a look on Trojan/Win32.Shifu (Shifu) Having fun with Tyupkin (ATM Malware) Having a look on CryptoFortress config Having fun with Dyre and API's Having a look on Win32/Modputty.A Having a look on Dridex config Having a look on GreenDispenser (ATM Malware) Having a look on DarkC…
-
Malware packed with vmprotect
by Vitor Sousa- 1 reply
- 5.1k views
Hi guys, Sorry to disturb you, but I´m trying to analyze a sample that is protected with vmprotect. I tried most of the tutorials, but no good. I reach the API Virtual Protect, and the change of the section vmp0 to writable/executable, but then i can´t figure out what to do next...! He stands only in the section vmp0 and do not advance to other. Can you please help me? data.docx
-
VirusTotal graphs about malware
by Xyl2k- 2 replies
- 5.8k views
Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of …
-
Malware Noname Bot Confused
by krown- 4 replies
- 5.2k views
Language:C# Platform: Windows Os version: all Protector:Confuserex Modded 6876469eb3a5382c0914593c0b9f00217c2d804d4ebb85a21a410b521450d281.exe
-
- 2 replies
- 4.9k views
Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, …
-
Zbot Malware Unpacking
by Pacman- 0 replies
- 4.9k views
Hi everyone, I have tried to unpack the Zbot malware but I cannot fully unpack because packed as Aspack. I have found last loaded dll and import function by setting LoadLibraryA/W and GetProcAddress functions(loaded last dll is ntmarta.dll and last function is GetMartaExtensionInterface). I have continued to exit from unpacking stub. I've reached the marked address and I selected Analyze Code option. Last state, and I was dumping debugged process using OllyDump but this address may not OEP also IAT could not be fully repaired. I cannot progress more. Can you help me please? I have tested known all of techniques. Have you an idea?…
-
- 1 reply
- 4.6k views
I am studying about a virus.The virus hooks the some functions of nt.dll loaded in to the space of explorer.exe.It seemes that the nt.dll loaded by aother process ( say wordpad.exe) may not be hooked by the virus.Is it possible to compare the the two nt.dll address space and locate the hooked apis.I am using windows XP
-
Baldr Stealer Confused
by krown- 1 reply
- 5k views
Malware Protected by Confuser modded sample(2).exe
-
Linux binary to exploit
by cjack- 0 replies
- 4.7k views
Hi guys. I have a linux "hacking challenge" x64 binary that is difficult to exploit, you can find it attached to this email. This binary it's vulnerable to buffer overflow + ROP + canary bypass, so will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field it's also vulnerable to format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... will be possible to dump the stack and the canary value) Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary it's "vulnelf") vulnelf
-
OSX Bundlore
by JMC31337- 0 replies
- 11.1k views
Grabbed it while cruising around on the iPhone AdobeFlashPlayer_Bundlore.zip
-
How are some malware persistant?
by Videogamer555- 2 replies
- 5.4k views
For example some malware seem to know when they have been shut down via task manager, and start themselves running again. How does that work? If you stop it from running, it's not running, so it has no code running that can then detect that it's not running. It seems almost like magic.
-
Chinese Spy App
by JMC31337- 0 replies
- 19k views
MobileHunter base.apk
-
Evil Gnome
by JMC31337- 0 replies
- 8.2k views
Linux Evil Gnome pass: infected HUGE APT collection with others where this came from at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip
-
BIOS Rootkit ?
by kb432- 2 replies
- 6.7k views
How to Implement BIOS BIOS & UEFI based rootkit ? Any sample online or guide ? Thanks
-
this is what a could find and rar up 2 tmp files 1 exe that is really a dll 1 lnk file 1 lnk file (suckme) 1 sys file 1 dll file (suckme) vidnux.com offensivecomputing 4shared it may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet i could only find 1... sites are listed that i found parts of this worm at... rar passwd: infected StuxNet.rar
-
BlackRouter
by JMC31337- 0 replies
- 12.4k views
BlackRouter or variant thereof Also found at https://www.kernelmode.info/forum/viewtopic.php?t=5405 Pass: infected BlackRouter.zip
-
Hidden Bee: Let’s go down the rabbit hole
by Teddy Rogers- 0 replies
- 3.7k views
Hidden Bee: Let’s go down the rabbit hole https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/ Ted.
-
Global ATM Malware Wall
by Xyl2k- 3 replies
- 8.6k views
Hi there, With few guys we made a zoo dedicated to malware targeting ATM platforms, as far as i know nobody has made a similar public project so voila. You will find here malwares that specifically targets ATMs, and reports (notice) about them. Files of interest got harvested from kernelmode.info, but also virustotal and various other services and peoples interested about the project. I'm using binGraph, pedump, Python, bintext, for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for few files), if it is the case: it's mentioned on the report. We have hashs who are without references (i mean not associate…
-
Malware Against the C Monoculture
by Teddy Rogers- 0 replies
- 4.4k views
https://research.checkpoint.com/malware-against-the-c-monoculture/ Ted.
-
FujiFuscator malware
by Cursedzx- 1 reply
- 6.5k views
Can someone please tell me how to remove antidebug and antitamper in this malware. i got all the methods decrypted except the strings. FilestealerMalware.exe
-
- 2 replies
- 4.6k views
Recently i have been studying on malware analysis on my own, as a college student,through books (Practical Malware Analysis),online tutorials (kienmanowar OLLYDBG) and self programming. No experience yet ,but i tried to write a simple keylogger program in C, and i was wondering: How can a keylogger program send data over other network to the Attacker? Assuming the victim's machine has the Internet Connection. I have done some research on C Socket Programming, but it seems like a non-practical way for a real-life keylogger program to achieve this purpose. I would appreciate if someone could give me some keywords, links to related documents,or book name …
