A forum for reverse engineering, OS internals and malware analysis 


Re: WannaOof Ransomware Sample

 by R136a1 ¦  Tue May 07, 2019 1:49 pm ¦  Forum: Completed Malware Requests ¦  Topic: WannaOof Ransomware Sample ¦  Replies: 1 ¦  Views: 244

Attached.

Re: Pirpi / Bemstour / Filensfer (Buckeye)

 by R136a1 ¦  Tue May 07, 2019 1:32 pm ¦  Forum: Malware ¦  Topic: Pirpi / Bemstour / Filensfer (Buckeye) ¦  Replies: 1 ¦  Views: 254

The blog author also found a possible version of the C# implementation of Filensfer: 6972ba198ed0d30de9f66be5777ecdba2d657078f138325ee6db225c20b29e6e Source code: using System; using System.Net.Sockets; using System.Net; using System.Net.Security; using System.Threading; using System.Security.Crypto...

Pirpi / Bemstour / Filensfer (Buckeye)

 by R136a1 ¦  Tue May 07, 2019 1:31 pm ¦  Forum: Malware ¦  Topic: Pirpi / Bemstour / Filensfer (Buckeye) ¦  Replies: 1 ¦  Views: 254

Article from Symantec: https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit Samples available in VT (attached): 6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc (Filensfer C++ native) 3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e (Fil...

Re: Urgently Need samples.

 by R136a1 ¦  Sat May 04, 2019 10:17 am ¦  Forum: Completed Malware Requests ¦  Topic: Urgently Need samples. ¦  Replies: 3 ¦  Views: 207

@iamismael
While you probably had good intentions, still a bit disrespectful, no?

Re: Urgently Need samples.

 by R136a1 ¦  Fri May 03, 2019 8:21 pm ¦  Forum: Completed Malware Requests ¦  Topic: Urgently Need samples. ¦  Replies: 3 ¦  Views: 207

First-post sample requests are normally not allowed and go to the trash bin. What's the reason you need them urgently?

Warzone RAT

 by R136a1 ¦  Thu May 02, 2019 7:13 pm ¦  Forum: Malware ¦  Topic: Warzone RAT ¦  Replies: 1 ¦  Views: 339

This is a publicly advertized trojan which can be found here: warzone[.]io They also operate a dynamic DNS service located here: warzonedns[.]com The usual Twitter string analysts dubbed this AVE_MARIA Stealer while it's a bit more than this. And from Twitter directly to a blog: https://blog.yoroi.c...

Re: Stealth Hook

 by R136a1 ¦  Tue Apr 30, 2019 6:28 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Stealth Hook ¦  Replies: 3 ¦  Views: 1023

There's this new thing called search engines, I heard Google is good.

VEH hooking:
https://medium.com/@fsx30/vectored-exce ... 88754549c6

Re: C to Delphi: How take screenshot in Z-Order using PrintWindow api?

 by R136a1 ¦  Sat Apr 27, 2019 9:07 pm ¦  Forum: User-Mode Development ¦  Topic: C to Delphi: How take screenshot in Z-Order using PrintWindow api? ¦  Replies: 3 ¦  Views: 156

Yep, that's why I said "something like this" as I don't know much about Delphi syntax.

How about changing the logic to this:

Code:
Bla: BOOL;
...
repeat
    Bla := Proc(CurrentWindow, _Param);
    // Only walk to the previous window when the callback asked to continue,
    // as in the C original: proc(...) && (currentWindow = GetWindow(...)) != NULL
    if Bla then
        CurrentWindow := GetWindow(CurrentWindow, GW_HWNDPREV);
// Leave the loop as soon as the callback returns FALSE or there is no previous window
until (not Bla) or (CurrentWindow = 0);

Re: NamPoHyu Ransomware

 by R136a1 ¦  Sat Apr 27, 2019 7:11 pm ¦  Forum: Malware Requests ¦  Topic: NamPoHyu Ransomware ¦  Replies: 1 ¦  Views: 159

Here are some IOCs: https://id-ransomware.blogspot.com/2019 ... mware.html

No samples though.

Re: C to Delphi: How take screenshot in Z-Order using PrintWindow api?

 by R136a1 ¦  Sat Apr 27, 2019 7:02 pm ¦  Forum: User-Mode Development ¦  Topic: C to Delphi: How take screenshot in Z-Order using PrintWindow api? ¦  Replies: 3 ¦  Views: 156

Why do you get a screenshot at all? Nevertheless, your problem is in EnumWindowsTopToDown as you translated it incorrectly. The function is only left when the following condition is true: while (proc(currentWindow, param) && (currentWindow = GetWindow(currentWindow, GW_HWNDPREV)) != NULL); The idea ...
