Win32/Corebot

Forum for analysis and discussion about malware.

Post by sysopfb » Thu Dec 10, 2015 4:52 pm

Sample and config attached

Re: Win32/Corebot

Post by Xylitol » Thu Dec 10, 2015 5:21 pm


Re: Win32/Corebot

Post by p1nk » Fri Dec 11, 2015 3:42 am

Has anyone reversed the packing that it's using? (Working on reinstalling my analysis VM.) It doesn't look terribly complex, and the encoded data likely starts in the data section at 0x0041E023.

Re: Win32/Corebot

Post by sysopfb » Fri Dec 11, 2015 8:06 pm

Here's a new config with some different targets and ATS URLs.

Sample came from Brad at MTA: https://isc.sans.edu/forums/diary/Every ... 2015/20477

Re: Win32/Corebot

Post by sysopfb » Tue Mar 22, 2016 6:41 pm

Releasing a paper I wrote last year on this.

