Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. Razz
    Started by Razz,

    Hi guys, I'm learning about malware and I remember stumbling upon this cool forum some time ago. I recently downloaded a PDF of a book, because I wanted to look up some pages in the book since it was used as a source in an article I was reading. It's a pretty obscure book and since I couldn't find a legitimate source for it, I thought, what the hell, why not try one of the risky fake-looking torrent links. To my surprise the torrent downloaded immediately and I got a .rar file. Normally with these things the rar file is either encrypted with a password or the PDF itself is fake and only contains instructions on how to complete a CPA offer to get access to the most…

    • 1 reply
    • 10k views
  2. Aldhard Oswine
    Started by Aldhard Oswine,

    It's a great place. I found this today and cannot stop reading interesting discussions. And I need your help. As I guess, most of you are knowledgeable persons. I want to learn how to analyze malware in depth. I want to RE it. Can you provide some resources related to reverse engineering and malware analysis? Books, blogs, forums, video courses, etc. I know about Practical Malware Analysis, MAC, Practical RE, Eilam's book about RE, opensecuritytraining.

    • 3 replies
    • 8k views
  3. gundamfj
    Started by gundamfj,

    Me again. Question still regarding the Locky sample I got. Sample downloaded from: https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4 While investigating its network behaviour, I noticed the malware posts requests to many random-looking domains like wefnew.it, irewr.eu, etc. It looks like this sample has a DGA (domain generation algo) embedded. I searched through the code and finally locked down the range to a function (at addr 0x4060de) that raises an exception. After the exception is handled, a new domain is produced. It uses the API RaiseException. It's typical SEH exception handling (…

    • 4 replies
    • 6.2k views
  4. gundamfj
    Started by gundamfj,

    I have a Locky sample downloaded from https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4. I found something weird that I don't understand. The simplified timeline is: (1) Locky starts and executes GetVolumeNameForVolumeMountPoint. (2) Locky starts another process called svchost.exe and that process tries to fetch something from the C&C (already offline). The problem is this code below: If you execute the malware, you would observe some C&C traffic captured in Wireshark. If you monitor it with API Monitor (http://www.rohitab.com/apimonitor), you would also observe that it tries to…

    • 3 replies
    • 6.5k views
  5. kb432
    Started by kb432,

    How to custom unpack Conficker malware. How do you determine which custom packer has been used by the malware author? Is it by reversing the packed malware? Thanks

    • 0 replies
    • 5.4k views
  6. kb432
    Started by kb432,

    How to custom unpack dequ2 malware? Thanks

    • 0 replies
    • 5.4k views
  7. SkyProud
    Started by SkyProud,

    This blog post discusses the details of analysing some .NET malware: http://blogs.cisco.com/security/talos/reversing-multilayer-net-malware

    • 0 replies
    • 6.5k views
  8. TheProxy RE
    Started by TheProxy RE,

    So this guy sent me actual malware so he can export shit from my PC or get some kind of information. Here is detailed info about the malware + screenshots: https://www.hybrid-analysis.com/sample/d3e07c339ba952865e87000636b92fe67f23e9aaf2cd24f9e4d65552e9c51526?environmentId=100 Also here is the unpacked malware: http://www12.zippyshare.com/v/RnmwqGGT/file.html (Do not open if you don't have any malware checking skills) (Open at your own risk)

    • 0 replies
    • 5.5k views
  9. rever_ser
    Started by rever_ser,

    Hi, I want to write a sandbox. I want to know exactly what parts make up a sandbox and how it works anyhow. Can anyone recommend a resource in this regard?

    • 2 replies
    • 18.4k views
  10. kb432
    Started by kb432,

    How to decode encoded or encrypted strings when reverse engineering a malware? I heard there is a way using a Python script and Immunity Debugger? What is the most effective option and which options should I try? I looked up YouTube and Google but found nothing useful. Help me with this. Thanks Tuts4you!

    • 3 replies
    • 8k views
  11. gundamfj
    Started by gundamfj,

    So I am doing research on Locky. I noticed the recent Locky sample doesn't import SMB-related APIs. You may have heard that Locky also tries to encrypt files in network shares, e.g. printers. So does anyone have old Locky samples (from 5 months ago)? I got one old sample from one guy in this forum, but that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.

    • 7 replies
    • 6.4k views
  12. gundamfj
    Started by gundamfj,

    I have this malware (possibly a Locky variant), which is packed by an unknown packer (de4dot -d). It looks like it's packed by a customized ConfuserEx, but I am not 100% sure (newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc, and monitor the size of the memory region it allocates. If the memory region is large enough to hold the malware's actual payload, keep an eye on it; maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on system APIs like VirtualAlloc? I know I could use a debugger like Olly, but if I open…

    • 17 replies
    • 10.8k views
  13. Guest kinn7s
    Started by Guest kinn7s,

    Hi, I'm reversing this ransomware after an interesting read found surfing the net. hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ What I'm trying to do is reverse the file encryption routines. Found where the key is generated, buffer encrypted, etc. Can't understand how the key is encrypted and stored into the file! (decrypt the original key) If someone is really interested, I'll share my findings (malware authors read this forum too, I guess...). I'm doing this only because it's become a big challenge to me and I can't move on... sorry for my English

  14. Hacktreides
    Started by Hacktreides,

    Hello, I have a malicious packed .NET sample. Does anyone know the packer type and how to unpack it? I have tried de4dot but it failed. Thank you. Dumped.zip

    • 5 replies
    • 6.8k views
  15. kao
    Started by kao,

    https://github.com/NoviceLive/research-rootkit

    • 0 replies
    • 5.5k views
  16. 0nion
    Started by 0nion,

    A reference from the "Blackhat" movie (2015). The hacker cracks encrypted code. How does a malware end up with encrypted code? And how to crack that? Any information or tutorial or article would be appreciated. I do reverse engineering using IDA Pro (static analysis).

    • 1 reply
    • 6.1k views
  17. Cyberwarfare
    Started by Cyberwarfare,

    Is there any ebook or video series or tutorial on reverse engineering using IDA Pro (static analysis)? I will appreciate your concern! Thanks

    • 5 replies
    • 6.7k views
  18. madskillz
    Started by madskillz,

    Hi, I tried DIE, PEiD, Protection ID, RDG, but cannot detect the protector. de4dot detected it as DeepSea, but deobfuscation was not done. File attached: FoxUserTools.zip. The file can be malware, etc., so please use a VM and protection. Need packer identification and unpacking help. Regards

    • 25 replies
    • 24.1k views
  19. Mr.peach
    Started by Mr.peach,

    Hi all experts, I want to know what tools are used to analyze industrial malware.

    • 6 replies
    • 6.4k views
  20. Extreme Coders
    Started by Extreme Coders,

    This document is a small write-up demonstrating tools and techniques that can be used while reversing Java code. The malware used for this purpose is the AlienSpy RAT (Remote Access Trojan), which has also been attached to this post. The password of the file malware sample.rar is infected. This is live malware. Secure your system before tinkering with it. Additionally, the decompiled source code of the malware has also been provided for study. Attachments: Reversing an obfuscated java malware.pdf, malware sample.rar, decompiled malware source.rar

    • 1 reply
    • 8.1k views
  21. helderc
    Started by helderc,

    Does anybody know how to reverse Kaspersky virus signatures? I have been looking for something like that in the leaked source code, but it's huge and I couldn't find anything. Comments are welcome!

    • 4 replies
    • 8.2k views
  22. deepzero
    Started by deepzero,

    Hi, I have been using Microsoft VirtualPC for years now. Which Virtualization Software do you prefer?

  23. cucuielu
    Started by cucuielu,

    Can anyone fully deobfuscate these 2 samples? MALWARE!!! It's not meant for regular PCs... Tyupkin.zip

    • 1 reply
    • 7.1k views
  24. Teddy Rogers
    Started by Teddy Rogers,

    WinRAR Vulnerability https://blog.malwarebytes.org/security-threat/2015/09/latest-winrar-vulnerability-has-yet-to-be-patched/ Ted.

    • 6 replies
    • 7.4k views
  25. bomblader
    Started by bomblader,

    Looks like I was infected by some virus, no idea where I got it. It's .NET. You have to run it like this in order for it to run: adobe_flash_player.exe /00000017 Can anyone decompile this and find out what it's doing? Looks like a custom obfuscator was used. De4Dot is cleaning it up but strings and other data are still encrypted. Thanks! adobe_flash_player.rar

    • 4 replies
    • 7.3k views
