A forum for reverse engineering, OS internals and malware analysis 


GammaRay Qt apps examination and inspection

 by Evilcry ¦  Thu May 28, 2015 8:27 am ¦  Forum: Tools/Software ¦  Topic: GammaRay Qt apps examination and inspection ¦  Replies: 0 ¦  Views: 5996

GammaRay is a tool for examining and manipulating the internals of a Qt application at runtime. GammaRay augments conventional debuggers by understanding the implementation of Qt, allowing it to visualize application behavior on a higher level, especially with complex frameworks like scene graphs, ...

Re: ZeuS Method of Action (in emulated environment)

 by Evilcry ¦  Sat May 09, 2015 7:32 am ¦  Forum: Newbie Questions ¦  Topic: ZeuS Method of Action (in emulated environment) ¦  Replies: 5 ¦  Views: 7120

Some ZeuS variant (if I remember well, a variant derived from Gameover) has the supa dupa CreateToolhelp32Snapshot looking for "VBoxservice.exe" / "vmtoolsd.exe".
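The check the post refers to, as an added example that is not part of the original post or of any ZeuS sample: a Toolhelp32 snapshot of the process list, walked with Process32First/Process32Next, with each image name compared case-insensitively against the two names quoted above. The Win32 walk is compiled only on Windows (and assumes a non-UNICODE build so that szExeFile is a char array); the matching logic is portable so it can be exercised against a constructed process list elsewhere. The function names and the sample process list are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

/* The two image names the post says the ZeuS variant looks for. */
static const char *const VM_PROCESS_NAMES[] = {
    "VBoxService.exe",
    "vmtoolsd.exe",
};

/* Case-insensitive ASCII compare (Windows image names are case-insensitive). */
static int ascii_strcasecmp(const char *a, const char *b) {
    while (*a && *b) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb) return ca - cb;
        a++; b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* True if exe_name (basename only, e.g. "vmtoolsd.exe") is a watched VM helper. */
bool is_vm_process_name(const char *exe_name) {
    size_t n = sizeof VM_PROCESS_NAMES / sizeof VM_PROCESS_NAMES[0];
    for (size_t i = 0; i < n; i++)
        if (ascii_strcasecmp(exe_name, VM_PROCESS_NAMES[i]) == 0) return true;
    return false;
}

/* Counts VM helper processes in an array of image names (what a snapshot walk
 * yields); used for the portable demonstration and the tests. */
size_t count_vm_processes(const char *const *names, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_vm_process_name(names[i])) hits++;
    return hits;
}

#ifdef _WIN32
/* The check as the post describes it: snapshot the running processes with
 * CreateToolhelp32Snapshot and walk the entries looking for the VM helpers. */
bool vm_helper_process_running(void) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return false;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof pe;          /* required before Process32First */
    bool found = false;
    if (Process32First(snap, &pe)) {
        do {
            if (is_vm_process_name(pe.szExeFile)) { found = true; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}
#endif

int main(void) {
#ifdef _WIN32
    printf("VM helper process present: %s\n",
           vm_helper_process_running() ? "yes" : "no");
#else
    /* Constructed sample process list standing in for a real snapshot. */
    const char *const sample[] = { "System", "explorer.exe",
                                   "VBOXSERVICE.EXE", "svchost.exe" };
    printf("VM helper processes in sample: %zu\n",
           count_vm_processes(sample, sizeof sample / sizeof sample[0]));
#endif
    return 0;
}
```

When analysing such a sample, the inverse of this check is the useful one: rename or hide the guest tools' processes in the sandbox, or hook Process32Next to filter the names, and the branch after the snapshot walk is what to watch for in the debugger.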

Re: Why virtdbg cannot run in VMWARE?

 by Evilcry ¦  Tue Apr 14, 2015 9:30 am ¦  Forum: Kernel-Mode Development ¦  Topic: Why virtdbg cannot run in VMWARE? ¦  Replies: 3 ¦  Views: 5794

You should post an abstract of the dump produced by the BSOD (load the dump in windbg and run !analyze -v).

Obviously it is far more likely to be a virtdbg bug than a VMware bug.

Re: Win32/Caphaw (Shylock)

 by Evilcry ¦  Tue Oct 08, 2013 2:06 pm ¦  Forum: Malware ¦  Topic: Win32/Caphaw (Shylock) ¦  Replies: 46 ¦  Views: 53201

First episode of my coauthored article on Caphaw:

http://quequero.org/2013/10/caphaw-shyl ... is-part-1/

Regards

Re: Win32/Caphaw (Shylock)

 by Evilcry ¦  Fri Oct 04, 2013 7:45 am ¦  Forum: Malware ¦  Topic: Win32/Caphaw (Shylock) ¦  Replies: 46 ¦  Views: 53201

Yes, there is a configuration for the bot, where the C&C server(s), the details to reach the webinjects and the name of the botnet are specified.
Soon I'll release more information about it :)

Re: Win32/Caphaw (Shylock)

 by Evilcry ¦  Mon Sep 23, 2013 6:07 am ¦  Forum: Malware ¦  Topic: Win32/Caphaw (Shylock) ¦  Replies: 46 ¦  Views: 53201

Yes, I've extracted various Shylock/Caphaw samples from BEK serving domains, approximately 25-26 August. The BEK was dropping ZeroAccess with new modules and Caphaw; the filename adopted was FirefoxUpdate.exe. Here is a tweet I pushed at the time: https://twitter.com/Blackmond_/status/371618939794501632

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Evilcry ¦  Sat Aug 24, 2013 6:49 am ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 572281

SHA256: ebe55dc39519b1d26df7cf30fe9342dedc3f4b7c02346c6cc6421cb3171e71bd
SHA1: bc8ff8ee98b54e45386493d3dd7626d788faca3a
MD5: af445c4153e26888bb4a8db656a7cc1d
File size: 191.5 KB (196096 bytes)
File name: af445c4153e26888bb4a8db656a7cc1d_kaf0x0
Detection ratio: 5 / 46
Analysis date: 2013-08-24 04:5...

Re: Win32/Urausy (aka "WinLocker")

 by Evilcry ¦  Thu Aug 22, 2013 7:07 am ¦  Forum: Malware ¦  Topic: Win32/Urausy (aka "WinLocker") ¦  Replies: 80 ¦  Views: 79659

SHA256: 49d5aedce06aace5541dfc295fdac86366e5375764040129ac0e831a674f0774
SHA1: 2bcb770dc1089eb42cba5a21ffcba0fd2c7eec2b
MD5: 12b1cd37647ff7a02d372b8af62854b6
File size: 104.5 KB (107008 bytes)
File name: movie1080p.mkv.exe
File type: Win32 EXE
Detection ratio: 3 / 46
https://www.virustotal.com/en/...

Re: Cerbero PE Insider

 by Evilcry ¦  Sat Aug 17, 2013 4:08 pm ¦  Forum: Tools/Software ¦  Topic: Cerbero PE Insider ¦  Replies: 2 ¦  Views: 6141

Please re-update the tool; some bug fixes were introduced recently.

Re: Win32/Urausy (aka "WinLocker")

 by Evilcry ¦  Sat Aug 17, 2013 3:10 pm ¦  Forum: Malware ¦  Topic: Win32/Urausy (aka "WinLocker") ¦  Replies: 80 ¦  Views: 79659

SHA256: cd3620edf22450be66127d647ecebad06de972a2a542c2780212f46480cc8139
SHA1: edf7b757c4ca2c7f63fba6beece763c345f03ca5
MD5: efc786adda00b8117a178527f88c3d44
File size: 86.5 KB (88576 bytes)
File name: movie1080p.mkv.exe
File type: Win32 EXE
Detection ratio: 3 / 46
Analysis date: 2013-08-17 13:37:...
