Malware Reverse Engineering

Deobfuscate a malicious program

May 4, 2020 by Borun

2 replies
4.8k views

Hello guys, I have a program here that is intercepting data and sending to a server, I need to be able to read a function called "Ss" that receives a payload as a parameter, he is obfuscated by net reactor 4.5+, I found out that he is intercepting information when I analyzed the websocket traffic using the Wireshark. Could someone deobfuscate the program for me or help me in the process?

Last reply by Borun, May 4, 2020

Eclipse Theia alt to VSCode

March 31, 2020 by whoknows

0 replies
4.4k views

Is a cloud & desktop IDE framework implemented in TypeScript. https://theia-ide.org/ bonus Banking Malware Spreading via COVID-19 Relief Payment Phishing - bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ cyberscoop.com/zoom-fbi-teleconference-hijacking/ nakedsecurity.sophos.com/2020/03/31/marriott-international-confirms-data-breach-of-up-to-5-2-million-guests/ nakedsecurity.sophos.com/2020/03/31/data-on-almost-every-citizen-of-georgia-posted-on-hacker-forum/

Last reply by whoknows, March 31, 2020

Malware music video

February 19, 2016 by Xyl2k

11 replies
11.9k views

Hello, I'm doing reverse videos since some time now about exotic malwares and fun things. My videos aren't about detailing specific threats, just small overview of what they do (i try to do my video small in length) So if you like reversing, assembly and electronic/dubstep here you go. Chinese adware and steganography Having a look on Win32/Kawpfuni.A (Military-espionage malware) Having a look on Trojan/Win32.Shifu (Shifu) Having fun with Tyupkin (ATM Malware) Having a look on CryptoFortress config Having fun with Dyre and API's Having a look on Win32/Modputty.A Having a look on Dridex config Having a look on GreenDispenser (ATM Malware) Having a look on DarkC…

Last reply by Xyl2k, March 1, 2020

Malware packed with vmprotect

January 15, 2020 by Vitor Sousa

1 reply
4.9k views

Hi guys, Sorry to disturb you, but I´m trying to analyze a sample that is protected with vmprotect. I tried most of the tutorials, but no good. I reach the API Virtual Protect, and the change of the section vmp0 to writable/executable, but then i can´t figure out what to do next...! He stands only in the section vmp0 and do not advance to other. Can you please help me? data.docx

Last reply by Vitor Sousa, January 15, 2020

VirusTotal graphs about malware

June 11, 2019 by Xyl2k

2 replies
5.6k views

Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of …

Last reply by Xyl2k, January 9, 2020

Malware Noname Bot Confused

December 26, 2019 by krown

4 replies
5k views

Language:C# Platform: Windows Os version: all Protector:Confuserex Modded 6876469eb3a5382c0914593c0b9f00217c2d804d4ebb85a21a410b521450d281.exe

Last reply by krown, January 3, 2020

Strange VB injector sample, no injection behavior on physical/virtual machine

November 11, 2019 by UniqueLegend

2 replies
4.7k views

Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, …

Last reply by UniqueLegend, December 5, 2019

Zbot Malware Unpacking

November 30, 2019 by Pacman

0 replies
4.7k views

Hi everyone, I have tried to unpack the Zbot malware but I cannot fully unpack because packed as Aspack. I have found last loaded dll and import function by setting LoadLibraryA/W and GetProcAddress functions(loaded last dll is ntmarta.dll and last function is GetMartaExtensionInterface). I have continued to exit from unpacking stub. I've reached the marked address and I selected Analyze Code option. Last state, and I was dumping debugged process using OllyDump but this address may not OEP also IAT could not be fully repaired. I cannot progress more. Can you help me please? I have tested known all of techniques. Have you an idea?…

Last reply by Pacman, November 30, 2019

Comparing nt .dll loaded by two processes

October 16, 2019 by joxxx

1 reply
4.4k views

I am studying about a virus.The virus hooks the some functions of nt.dll loaded in to the space of explorer.exe.It seemes that the nt.dll loaded by aother process ( say wordpad.exe) may not be hooked by the virus.Is it possible to compare the the two nt.dll address space and locate the hooked apis.I am using windows XP

Last reply by Scotch, October 22, 2019

Baldr Stealer Confused

October 7, 2019 by krown

1 reply
4.7k views

Malware Protected by Confuser modded sample(2).exe

Last reply by Cursedzx, October 15, 2019

Linux binary to exploit

August 30, 2019 by cjack

0 replies
4.5k views

Hi guys. I have a linux "hacking challenge" x64 binary that is difficult to exploit, you can find it attached to this email. This binary it's vulnerable to buffer overflow + ROP + canary bypass, so will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field it's also vulnerable to format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... will be possible to dump the stack and the canary value) Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary it's "vulnelf") vulnelf

Last reply by cjack, August 30, 2019

OSX Bundlore

August 25, 2019 by JMC31337

0 replies
10.9k views

Grabbed it while cruising around on the iPhone AdobeFlashPlayer_Bundlore.zip

Last reply by JMC31337, August 25, 2019

How are some malware persistant?

May 27, 2019 by Videogamer555

2 replies
5.2k views

For example some malware seem to know when they have been shut down via task manager, and start themselves running again. How does that work? If you stop it from running, it's not running, so it has no code running that can then detect that it's not running. It seems almost like magic.

Last reply by JMC31337, August 1, 2019

Chinese Spy App

July 20, 2019 by JMC31337

0 replies
18.8k views

MobileHunter base.apk

Last reply by JMC31337, July 20, 2019

Evil Gnome

July 19, 2019 by JMC31337

0 replies
8k views

Linux Evil Gnome pass: infected HUGE APT collection with others where this came from at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip

Last reply by JMC31337, July 19, 2019

BIOS Rootkit ?

December 16, 2016 by kb432

2 replies
6.6k views

How to Implement BIOS BIOS & UEFI based rootkit ? Any sample online or guide ? Thanks

Last reply by JMC31337, July 17, 2019

Stuxnet 1 2

September 28, 2010 by JMC31337

29 replies
55.5k views

this is what a could find and rar up 2 tmp files 1 exe that is really a dll 1 lnk file 1 lnk file (suckme) 1 sys file 1 dll file (suckme) vidnux.com offensivecomputing 4shared it may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet i could only find 1... sites are listed that i found parts of this worm at... rar passwd: infected StuxNet.rar

Last reply by JMC31337, July 12, 2019

BlackRouter

July 12, 2019 by JMC31337

0 replies
12.2k views

BlackRouter or variant thereof Also found at https://www.kernelmode.info/forum/viewtopic.php?t=5405 Pass: infected BlackRouter.zip

Last reply by JMC31337, July 12, 2019

Hidden Bee: Let’s go down the rabbit hole

May 31, 2019 by Teddy Rogers

0 replies
3.5k views

Hidden Bee: Let’s go down the rabbit hole https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/ Ted.

Last reply by Teddy Rogers, May 31, 2019

Global ATM Malware Wall

March 18, 2019 by Xyl2k

3 replies
8.3k views

Hi there, With few guys we made a zoo dedicated to malware targeting ATM platforms, as far as i know nobody has made a similar public project so voila. You will find here malwares that specifically targets ATMs, and reports (notice) about them. Files of interest got harvested from kernelmode.info, but also virustotal and various other services and peoples interested about the project. I'm using binGraph, pedump, Python, bintext, for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for few files), if it is the case: it's mentioned on the report. We have hashs who are without references (i mean not associate…

Last reply by Xyl2k, May 30, 2019

Malware Against the C Monoculture

May 28, 2019 by Teddy Rogers

0 replies
4.1k views

https://research.checkpoint.com/malware-against-the-c-monoculture/ Ted.

Last reply by Teddy Rogers, May 28, 2019

FujiFuscator malware

November 1, 2018 by Cursedzx

1 reply
6.4k views

Can someone please tell me how to remove antidebug and antitamper in this malware. i got all the methods decrypted except the strings. FilestealerMalware.exe

Last reply by Cursedzx, May 14, 2019

How can Malware(KeyLogger) send data over other network?

February 18, 2019 by mercy12a1

2 replies
4.4k views

Recently i have been studying on malware analysis on my own, as a college student,through books (Practical Malware Analysis),online tutorials (kienmanowar OLLYDBG) and self programming. No experience yet ,but i tried to write a simple keylogger program in C, and i was wondering: How can a keylogger program send data over other network to the Attacker? Assuming the victim's machine has the Internet Connection. I have done some research on C Socket Programming, but it seems like a non-practical way for a real-life keylogger program to achieve this purpose. I would appreciate if someone could give me some keywords, links to related documents,or book name …

Last reply by JMC31337, May 7, 2019

x86 Linux Parasite

May 6, 2019 by JMC31337

0 replies
4.1k views

//./gcc -m32 -masm=intel -o file file.c //https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\ //One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010 //Since Ive now written a parasite in both x86 formats (Win & Lin) //Things need to be said about this knowledge and power //When I 1st began writing viruses (or virii for all those correctedness types //I strove to be as a good as 29A - still i fall short of such titles //I owe my mentor herm1t (and other VXRs) a ton of respect //for putting up with my constant annoyances of every line and piece of new code //added - thanks herm1t for not holding my hand (in facf youre tutorial insists upon …

Last reply by JMC31337, May 6, 2019

X86 PE Parasite

April 21, 2019 by JMC31337

1 follower
3 replies
10.1k views

//./gcc -masm=intel -mwindows -m32 -o file.exe xfile.c //Run the virus under a debugger (the jmp orig EP only works //after first infection is completed - afterwards all files //will infect and run as normal //it will infect 1 exe file per run in current dir //x86 PE Parasite //WARNING! //For educational purposes and virology analysis ONLY! //The author is not responsible for any damage caused //by this code //NOTE: I took some cheap tactics and tricks to get this //to work and its some real convoluted coding //============virt mem array========= //virtallocAPI* [ebp+0x00] (win7) //findfirstfileAPI [ebp+0x0…

Last reply by JMC31337, May 5, 2019

Sign In