Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
You can help me to find resources
by Aldhard Oswine- 3 replies
- 7.6k views
It's a great place. I found this today and can not stop reading interesting discussions. And I need your help. As I guess, most of you are knowledgeable persons. I want to learn how to analyze malware in depth. I want to RE it. Can you provide some resources related to reverse engineering and malware analyses? Books, blogs, forums, video courses, etc. I know about Practical Malware analysis, MAC, Practical RE, Eilam's book about RE, opensecuritytraining.
-
how do I find exception handler?
by gundamfj- 4 replies
- 5.8k views
Me again. Question still in regarding with the Locky sample I got. Sample downloaded from: https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4 While investigating its network behaviour, I notice the malware post request to many random-looking domains like wefnew.it, irewr.eu, etc. It looks like this sample has DGA (domain generation algo) embedded. I search through the code and finally lock down the range to a function(at addr 0x4060de) that raises an exception. After the exception was handled, a new domain is produced. It uses the API RaiseException. It's typical SEH exception handling(…
-
need help to locate Anti-Debugging
by gundamfj- 3 replies
- 6k views
I have a Locky sample downloaded from https://www.hybrid-analysis.com/sample/03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761?environmentId=4. I find something weird that I don't understand.... The simplified timeline is: (1) Locky starts and executes GetVolumeNameForVolumeMountPoint. (2) Locky starts another process called svchost.exe and that process tries to fetch something from C&C(already offline) The problem is these code below: If you executes the malware, you would observe some C&C traffic captured in Wireshark. If you monitor it with API monitor(http://www.rohitab.com/apimonitor), you would also observe that it tries to…
-
How to unpack Conficker malwere ?
by kb432- 0 replies
- 4.9k views
How to custom unpack Conficker Malware. ** How to determine which custom packer has been used by malware author ? Is that by reversing the packed malware ? Thanks
-
How to unpack dequ2 malware?
by kb432- 0 replies
- 5k views
How to custom Unpack dequ2 malware ? Thanks
-
- 0 replies
- 6k views
This blog post discussed the details of analysing some .net malware: http://blogs.cisco.com/security/talos/reversing-multilayer-net-malware
-
LeeZay sending malwares
by TheProxy RE- 0 replies
- 5.1k views
so this guy send me actualy maware so he can export shit from my pc or get some kind of information. here is detailed info about malware + screenshots https://www.hybrid-analysis.com/sample/d3e07c339ba952865e87000636b92fe67f23e9aaf2cd24f9e4d65552e9c51526?environmentId=100 Also here is unpacked malware: http://www12.zippyshare.com/v/RnmwqGGT/file.html (Do not open if you dont have any malware checking skill) (Open at your own risk)
-
write a sandbox
by rever_ser- 2 replies
- 18k views
hi I want to write a sandbox. I want to know exactly what parts made up a sandbox and how to work any how. Can anyone recommend a resource in this regard?
-
How to decode string in malware ?
by kb432- 3 replies
- 7.4k views
How to decode Encoded or Encrypted string in Reverse engineering a malware ? i heard there is a way using python script and Immunity debugger ? What is most effective option and which options should i try ? I looked up youtube and good but nothing useful. Help me with this. Thanks Tuts4you!
-
Does anyone have old Locky sample?
by gundamfj- 7 replies
- 5.9k views
So I am doing research on Locky. I notice recent Locky sample doesn't import SMB related API. You may have heard of Locky also tries to encrypt files in network share e.g. printer. So does anyone have old Locky samples(5 months ago)? I got one old sample from one guy in this forum. But that sample crashes on InterlockedIncrement. I could only find recent samples in VirusShare.
-
need help to unpack .NET malware
by gundamfj- 17 replies
- 10.1k views
I have this malware(possibly Locky variant), which is packed by an unknown packer(de4dot -d). It looks like it's packed by customized ConfuserEx, but I am not 100% sure(newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc and monitor the memory region's size it allocates. If the memory region is enough large to hold the malware actual payload, keep an eye on it, maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on System API like VirtualAlloc? I know I could use debugger like Olly, but if I open…
-
cerber ransomware reverse question
by Guest kinn7s- 1 follower
- 3 replies
- 6.5k views
Hi, I'm reversing this ransomware after an interesting reading found surfing the net. hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ What I'm trying to do is reversing the file encryption routines. Found where key is generated, buffer encrypted ecc. Can't undestand how the key is encrypted and stored into the file! (decrypt the original key) If someone is really interested, I'll share my findings (malware authors read this forum too I guess...) I'm doing this only because it' become a big challange to me and can't move on... sorry for my english
-
I have a malicious dotnet sample
by Hacktreides- 5 replies
- 6.3k views
Hello, I have a malicious dotnet sample packer, anyone known the packer type and how to unpack it? I have try de4dot but it's failed. Thank you Dumped.zip
-
Research Rootkit (Linux)
by kao- 0 replies
- 5.1k views
https://github.com/NoviceLive/research-rootkit
-
Reference a movie? auscultated code!
by 0nion- 1 reply
- 5.7k views
A reference from "black hat' movie 2015. The hacker cracks Encrypted code. How a malware has Encrypted code ended in ? And how to crack that ? Any information or tutorial or article would be appreciated. I do reverse engineer using IDA pro ( static analysis ).
-
Guide for Static malware analysis [?]
by Cyberwarfare- 5 replies
- 6.3k views
Is there any Ebook or video series or tutorial on Reverse engineering using IDA Pro ( static analysis ) ? I will appreciate your concern ! Thanks
-
(Help Request) .Net Protector Identification 1 2
by madskillz- 25 replies
- 22.8k views
Hi I tried die , peid , protecton id , rdg , but cannot detect protector. de4dot detected as deepsea , but deobfuscation ws not done. File attached FoxUserTools.zip File can be malware , etc , please use VM , protection. Need packer identification and unpack help. Regards
-
reversing industrial malwares
by Mr.peach- 6 replies
- 5.9k views
Hi all experts I want to know what tools are used to analyze the industrial malwares
-
Reversing an obfuscated java malware
by Extreme Coders- 1 reply
- 7.6k views
This document is a small write up demonstrating tools and techniques that can be used while reversing java code. The malware used for this purpose is the AlienSpy RAT (Remote Access Trojan) which has also been attached to this post. The password of the file malware sample.rar is infected. This is live malware. Secure your system before tinkering with it. Additionally, the decompiled source code of the malware has also been provided for study. Reversing an obfuscated java malware.pdf malware sample.rar decompiled malware source.rar
-
Reverse Kaspersky Virus Signatures
by helderc- 4 replies
- 7.6k views
Does any body know how to reverse Kaspersky virus signatures? I have looking for something like that in the leaked source code, but its huge and I couldnt find anything. Comments are welcome!
-
Which Virtual Machine Software do you prefer? 1 2 3
by deepzero- 1 follower
- 61 replies
- 36.2k views
Hi, I have been using Microsoft VirtualPC for years now. Which Virtualization Software do you prefer?
-
Tyupkin Malware...or bank's worst nightmare
by cucuielu- 1 reply
- 6.6k views
Can anyone fully deobfuscate theese 2 samples? MALWARE!!! It's not meant for regular PC... Tyupkin.zip
-
WinRAR Vulnerability...
by Teddy Rogers- 6 replies
- 7k views
WinRAR Vulnerability https://blog.malwarebytes.org/security-threat/2015/09/latest-winrar-vulnerability-has-yet-to-be-patched/ Ted.
-
[DecompileMe] Virus found in my PC [.NET]
by bomblader- 4 replies
- 6.9k views
Looks like I was infected by some virus, no idea where I got it. It's .NET You have to run it like this in order to run: adobe_flash_player.exe /00000017 Anyone can decompile this and find out what's doing? Looks like a custom obfuscator was used. De4Dot is cleaning it up but strings and other data is still encrypted. Thanks! adobe_flash_player.rar
-
- 0 replies
- 6.1k views
Table of contents: All I can say is that I really enjoyed the book. Get your own copy from hxxp://ifreebooks.com/book/6295/ or your favorite torrent tracker.
