Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
Malware packed with vmprotect
by Vitor Sousa, 1 reply, 4.8k views
Hi guys, sorry to disturb you, but I'm trying to analyze a sample that is protected with vmprotect. I tried most of the tutorials, but no good. I reach the API VirtualProtect, and the change of the section vmp0 to writable/executable, but then I can't figure out what to do next...! It stays only in the section vmp0 and does not advance to another. Can you please help me? data.docx
VirusTotal graphs about malware
by Xyl2k, 2 replies, 5.6k views
Hey there, I've been playing with VirusTotal Graph for some weeks. Originally I did a graph just for building a landscape of files for the ATM Wall; the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get vicious with VT Graph, so here are some interesting graphs I did based on VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of …
Malware Noname Bot Confused
by krown, 4 replies, 5k views
Language: C#; Platform: Windows; OS version: all; Protector: ConfuserEx Modded. 6876469eb3a5382c0914593c0b9f00217c2d804d4ebb85a21a410b521450d281.exe
2 replies, 4.7k views
Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on a physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject into iexplorer.exe and sends a DNS request to the C&C server. By the way, the VC runtime library and .NET Framework 2 & 4 are already installed on the virtual machine. I have not yet found any way to make the sample show any injection behavior when checking with Process Monitor. Can anyone figure out the reason? You are welcome to get in touch, or if there is anyone who can dump out its Trojan body, please let me know, …
Zbot Malware Unpacking
by Pacman, 0 replies, 4.7k views
Hi everyone, I have tried to unpack the Zbot malware but I cannot fully unpack it because it is packed with ASPack. I have found the last loaded DLL and import function by setting LoadLibraryA/W and GetProcAddress functions (the last loaded DLL is ntmarta.dll and the last function is GetMartaExtensionInterface). I have continued to exit from the unpacking stub. I've reached the marked address and I selected the Analyze Code option. In the last state, I was dumping the debugged process using OllyDump, but this address may not be the OEP; also, the IAT could not be fully repaired. I cannot progress any more. Can you help me please? I have tested all of the known techniques. Do you have an idea?…
1 reply, 4.4k views
I am studying a virus. The virus hooks some functions of nt.dll loaded into the address space of explorer.exe. It seems that the nt.dll loaded by another process (say wordpad.exe) may not be hooked by the virus. Is it possible to compare the two nt.dll address spaces and locate the hooked APIs? I am using Windows XP.
Baldr Stealer Confused
by krown, 1 reply, 4.7k views
Malware protected by Confuser modded. sample(2).exe
Linux binary to exploit
by cjack, 0 replies, 4.5k views
Hi guys. I have a Linux "hacking challenge" x64 binary that is difficult to exploit; you can find it attached to this email. This binary is vulnerable to buffer overflow + ROP + canary bypass, so it will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field is also vulnerable to a format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... it will be possible to dump the stack and the canary value). Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary is "vulnelf") vulnelf
OSX Bundlore
by JMC31337, 0 replies, 10.9k views
Grabbed it while cruising around on the iPhone. AdobeFlashPlayer_Bundlore.zip
How are some malware persistent?
by Videogamer555, 2 replies, 5.2k views
For example, some malware seems to know when it has been shut down via Task Manager, and starts itself running again. How does that work? If you stop it from running, it's not running, so it has no code running that can then detect that it's not running. It seems almost like magic.
Chinese Spy App
by JMC31337, 0 replies, 18.8k views
MobileHunter base.apk
Evil Gnome
by JMC31337, 0 replies, 7.9k views
Linux Evil Gnome, pass: infected. HUGE APT collection with others where this came from at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip
BIOS Rootkit?
by kb432, 2 replies, 6.6k views
How to implement a BIOS & UEFI based rootkit? Any sample online or guide? Thanks
This is what I could find and rar up: 2 tmp files, 1 exe that is really a dll, 1 lnk file, 1 lnk file (suckme), 1 sys file, 1 dll file (suckme). vidnux.com, offensivecomputing, 4shared. It may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet I could only find 1... sites are listed that I found parts of this worm at... rar passwd: infected StuxNet.rar
BlackRouter
by JMC31337, 0 replies, 12.2k views
BlackRouter or variant thereof. Also found at https://www.kernelmode.info/forum/viewtopic.php?t=5405 Pass: infected BlackRouter.zip
Hidden Bee: Let’s go down the rabbit hole
by Teddy Rogers, 0 replies, 3.5k views
Hidden Bee: Let’s go down the rabbit hole https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/ Ted.
Global ATM Malware Wall
by Xyl2k, 3 replies, 8.2k views
Hi there, with a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voilà. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest were harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python and bintext for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned on the report. We have hashes which are without references (I mean not associate…
Malware Against the C Monoculture
by Teddy Rogers, 0 replies, 4k views
https://research.checkpoint.com/malware-against-the-c-monoculture/ Ted.
FujiFuscator malware
by Cursedzx, 1 reply, 6.3k views
Can someone please tell me how to remove the anti-debug and anti-tamper in this malware? I got all the methods decrypted except the strings. FilestealerMalware.exe
2 replies, 4.4k views
Recently I have been studying malware analysis on my own, as a college student, through books (Practical Malware Analysis), online tutorials (kienmanowar OllyDbg) and self-programming. No experience yet, but I tried to write a simple keylogger program in C, and I was wondering: how can a keylogger program send data over the network to the attacker, assuming the victim's machine has an Internet connection? I have done some research on C socket programming, but it seems like a non-practical way for a real-life keylogger program to achieve this purpose. I would appreciate it if someone could give me some keywords, links to related documents, or book names …
x86 Linux Parasite
by JMC31337, 0 replies, 4.1k views
//./gcc -m32 -masm=intel -o file file.c
//https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\
//One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010
//Since I've now written a parasite in both x86 formats (Win & Lin)
//Things need to be said about this knowledge and power
//When I 1st began writing viruses (or virii for all those correctedness types)
//I strove to be as good as 29A - still I fall short of such titles
//I owe my mentor herm1t (and other VXRs) a ton of respect
//for putting up with my constant annoyances of every line and piece of new code
//added - thanks herm1t for not holding my hand (in fact your tutorial insists upon …
X86 PE Parasite
by JMC31337, 1 follower, 3 replies, 10.1k views
//./gcc -masm=intel -mwindows -m32 -o file.exe xfile.c
//Run the virus under a debugger (the jmp orig EP only works
//after first infection is completed - afterwards all files
//will infect and run as normal
//it will infect 1 exe file per run in current dir
//x86 PE Parasite
//WARNING!
//For educational purposes and virology analysis ONLY!
//The author is not responsible for any damage caused
//by this code
//NOTE: I took some cheap tactics and tricks to get this
//to work and it's some real convoluted coding
//============virt mem array=========
//virtallocAPI* [ebp+0x00] (win7)
//findfirstfileAPI [ebp+0x0…
Obfuscated Malware Sample
by hex4d0r, 1 reply, 5.2k views
Hi all, RDG says it's DotWall Obfuscator, but I think it's somehow different or I'm too sh*tty to deobfuscate it. I couldn't deobfuscate it fully. Could you help with it and tell me how it is different or what I did wrong? Btw, it's a malware sample. Thanks in advance. infected.zip
How to make a file with reverse engineering
by nimaarek, 1 reply, 5k views
Using fuzzing, I found a vulnerability that was a problem in the file format structure. But because I'm in the test environment, I patched the file responsible for checking CRC32, so I cannot use the exploit outside the test environment. To fix this, I need to create a file in the standard file format, but there is no documentation of this file extension. The only way I have, of course, I think, is to reverse engineer the program that makes this file and create a new file as an exploit. Is this a logical solution? Do you have a better idea?
Which malware is expensive?
by malware, 5 replies, 10.6k views
Which malware is expensive? Price like 500M or 1B worth of malware source code? I need a suggestion; I wanna build a career as a malware author for govt parties. I will appreciate your suggestion.