A forum for reverse engineering, OS internals and malware analysis 

Search found 9 matches

 Go to advanced search

ESAT Dec 2014 word and payload dropped

 by mikeinhouston ¦  Thu Mar 12, 2015 4:50 am ¦  Forum: Completed Malware Requests ¦  Topic: ESAT Dec 2014 word and payload dropped ¦  Replies: 1 ¦  Views: 3840

I am looking for a sample of the Word document (u121Du122Du132B 2007.doc) sent to Ethiopian Satellite Television Service (ESAT) in Dec 2014 (citizenlab.org has a sample) Failing the Word document, a copy of the payload dropped by the document. md5 hashes below. ESAT doc file md5: 91961aad912dc790943...


 by mikeinhouston ¦  Fri Feb 20, 2015 7:20 am ¦  Forum: Malware ¦  Topic: Carbanak ¦  Replies: 10 ¦  Views: 25478

I searched for Carbanak and found nothing. I was surprised. Request for: Carbanak (recent in the news "1 billion dollars stolen from banks") Sample of a .doc file preferred. (like Red October Diplomat Car 'For Sale' attachment) MD5 hashs from Kaspersky's report are at bottom. Kaspersky report can be...

USB/share malware named malas or bindo or linkfars

 by mikeinhouston ¦  Fri May 10, 2013 8:58 am ¦  Forum: Completed Malware Requests ¦  Topic: USB/share malware named malas or bindo or linkfars ¦  Replies: 2 ¦  Views: 2439

I'm looking for a USB/file share malware from 2011 named malas / bindo / linkfars. I have searched these names here on the board and don't find it. File name may be userinit.exe or svchost.exe or some other. The following are names AV products use for this malware. Win32/Agent.worm.155648.C (AhnLab)...

Re: Point-of-Sale malwares / RAM scrapers

 by mikeinhouston ¦  Fri Dec 14, 2012 10:50 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864402


Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?


 by mikeinhouston ¦  Wed Dec 12, 2012 5:54 pm ¦  Forum: Completed Malware Requests ¦  Topic: Dexter ¦  Replies: 1 ¦  Views: 1828

I am looking for a Dexter builder. Any help appreciated.
In the meantime I'm looking for a Dexter server sample.
For more info on Dexter, this is a start
http://arstechnica.com/security/2012/12 ... terminals/


Re: Trusteer Rapport is really secure?

 by mikeinhouston ¦  Fri Sep 28, 2012 4:27 pm ¦  Forum: Tools/Software ¦  Topic: Trusteer Rapport is really secure? ¦  Replies: 12 ¦  Views: 20459

I saw your test.

You made a small mistake that invaldates it. You entered a password that is not protected.

Redo the test with a valid password and let us know the results. I'm interested.


Re: Gauss infection on laptop

 by mikeinhouston ¦  Mon Aug 20, 2012 4:43 pm ¦  Forum: Malware ¦  Topic: Gauss ¦  Replies: 25 ¦  Views: 28520

I am interested in talking with someone who has been able to generate a computer infection with any of the Gauss samples available here.

I have tried doing so on an XP SP3 Professional laptop (rundll32 {sample}) and have not been successful yet.


Re: Gauss

 by mikeinhouston ¦  Wed Aug 15, 2012 8:39 pm ¦  Forum: Malware ¦  Topic: Gauss ¦  Replies: 25 ¦  Views: 28520

dfine wrote:Some (or all) of the samples are DLL's. So if u want to run them use rundll. Use dumpbin or debugger to find out the exports of the DLL's. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
Hi dfine, Any parameters needed?

ACAD/Medre.A a worm that steals AutoCAD drawings

 by mikeinhouston ¦  Tue Jun 26, 2012 10:54 pm ¦  Forum: Malware ¦  Topic: ACAD/Medre.A a worm that steals AutoCAD drawings ¦  Replies: 4 ¦  Views: 4933

I found this article http://www.esecurityplanet.com/malware/eset-warns-of-new-autocad-spy-malware.html about a worm that steals AutoCad drawings and sends them to China (among other things). I searched VirusTotal for ACAD/Medre.A and did not see any hits. Is anyone familiar with this? If this is ind...