Blogpost: http://thegoldenmessenger.blogspot.de/2 ... lware.html

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see the Parts section below, No. 2) to begin learning x64 (dis)assembly. From the analysis it became apparent that the .dll was part of a bigger malware package. After searching the Internet for a while, I found some Droppers which contained files similar to the one I was analyzing. Luckily, some of the files in these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/s ... ber-attack and http://www.symantec.com/connect/blogs/a ... ks-related). As it turned out, the Droppers I found are from the same attackers as described in the Symantec article.
The samples can be found here (ZIP Password = "infected"):
Concealment Troy - https://www.dropbox.com/s/w1892v0hzjgti ... xer%29.zip
Http Dr0pper - https://www.dropbox.com/s/fzk9bkn6fk5kl ... r0pper.zip
Http Troy - https://www.dropbox.com/s/n6h6vgnoihy59 ... 20Troy.zip
PDF Exploit - https://www.dropbox.com/s/lvzj14261bbaj ... xploit.zip
TDrop - https://www.dropbox.com/s/wn5a1jruatpq3x5/TDrop.zip
Parts (of additional packages) - https://www.dropbox.com/s/mqp1bvhuacoakcq/Parts.zip