Search found 102 matches

by Evilcry
Thu May 28, 2015 8:27 am
Forum: Tools/Software
Topic: GammaRay Qt apps examination and inspection
Replies: 0
Views: 5977

GammaRay Qt apps examination and inspection

GammaRay is a tool for examining and manipulating the internals of a Qt application at runtime. GammaRay augments conventional debuggers by understanding the implementation of Qt, allowing it to visualize application behavior on a higher level, especially with complex frameworks like scene graphs, ...
by Evilcry
Sat May 09, 2015 7:32 am
Forum: Newbie Questions
Topic: ZeuS Method of Action (in emulated environment)
Replies: 5
Views: 7088

Re: ZeuS Method of Action (in emulated environment)

Some ZeuS variant (if I remember well, a variant derived from Gameover) has the supa dupa CreateToolhelp32Snapshot looking for "VBoxservice.exe" / "vmtoolsd.exe".
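The check Evilcry describes, written out as an added example (this is not code from the post or from any ZeuS sample): walk the process list with CreateToolhelp32Snapshot / Process32First / Process32Next and compare each image name, case-insensitively, against the two guest-tools processes named above. The matcher is kept separate from the Win32 enumeration so it compiles and can be exercised on any platform; the sample process list at the bottom is constructed for illustration, and the assumption that the binary is built without UNICODE (so szExeFile is a char array) is noted in the code.

```c
/* Added example, not from the forum post: a Toolhelp32-based anti-VM
 * check of the kind described above. Only the two process names named
 * in the post are checked; extend VM_PROCESS_NAMES as needed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>   /* assumption: built without UNICODE, so
                           PROCESSENTRY32.szExeFile is a char array */
#endif

/* Guest-tools processes the post says the ZeuS variant looks for. */
static const char *const VM_PROCESS_NAMES[] = {
    "VBoxService.exe",   /* VirtualBox Guest Additions service */
    "vmtoolsd.exe",      /* VMware Tools daemon */
};
#define VM_PROCESS_COUNT (sizeof VM_PROCESS_NAMES / sizeof VM_PROCESS_NAMES[0])

/* Case-insensitive string equality: Windows image names are not
 * case-sensitive, so "VBOXSERVICE.EXE" must still match. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if a single process image name is a known VM artifact. */
int is_vm_process_name(const char *exe_name)
{
    size_t i;
    for (i = 0; i < VM_PROCESS_COUNT; i++) {
        if (ieq(exe_name, VM_PROCESS_NAMES[i]))
            return 1;
    }
    return 0;
}

/* Counts VM-artifact names in a list of image names. The snapshot walk
 * below feeds the same matcher one szExeFile at a time. */
int count_vm_processes(const char *const *names, size_t n)
{
    size_t i;
    int hits = 0;
    for (i = 0; i < n; i++)
        hits += is_vm_process_name(names[i]);
    return hits;
}

/* Constructed sample process list (not a real capture) for non-Windows
 * builds and for testing: one VirtualBox service, upper-cased on purpose. */
static const char *const SAMPLE_PROCESSES[] = {
    "explorer.exe", "svchost.exe", "VBOXSERVICE.EXE", "notepad.exe"
};

int sample_vm_hits(void)
{
    return count_vm_processes(SAMPLE_PROCESSES,
                              sizeof SAMPLE_PROCESSES / sizeof SAMPLE_PROCESSES[0]);
}

#ifdef _WIN32
/* The Toolhelp32 walk: snapshot all processes, iterate with
 * Process32First/Process32Next, test each szExeFile.
 * Returns 1 if a guest-tools process is running, 0 if not, -1 on failure. */
int detect_vm_via_toolhelp(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int found = 0;

    if (snap == INVALID_HANDLE_VALUE)
        return -1;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (is_vm_process_name(pe.szExeFile)) {
                found = 1;
                break;
            }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}
#endif

int main(void)
{
#ifdef _WIN32
    int r = detect_vm_via_toolhelp();
    printf("VM guest tools: %s\n",
           r == 1 ? "present" : r == 0 ? "absent" : "unknown (snapshot failed)");
#else
    printf("VM artifacts in constructed sample list: %d\n", sample_vm_hits());
#endif
    return 0;
}
```

On a VirtualBox or VMware guest with the tools installed this returns 1; the usual evasion for analysts is to rename or stop those services, or to hook the Toolhelp32 enumeration, since the check trusts the image name alone.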
by Evilcry
Tue Apr 14, 2015 9:30 am
Forum: Kernel-Mode Development
Topic: Why virtdbg cannot run in VMWARE?
Replies: 3
Views: 5756

Re: Why virtdbg cannot run in VMWARE?

You should post an abstract of the dump produced by the BSOD (load the dump in WinDbg and run !analyze -v).

Obviously it is far more likely to be a virtdbg bug than a VMware bug.
by Evilcry
Tue Oct 08, 2013 2:06 pm
Forum: Malware
Topic: Win32/Caphaw (Shylock)
Replies: 46
Views: 53002

Re: Win32/Caphaw (Shylock)

First episode of my coauthored article on Caphaw:

http://quequero.org/2013/10/caphaw-shyl ... is-part-1/

Regards
by Evilcry
Fri Oct 04, 2013 7:45 am
Forum: Malware
Topic: Win32/Caphaw (Shylock)
Replies: 46
Views: 53002

Re: Win32/Caphaw (Shylock)

Yes, there is a configuration for the bot, where the C&C server(s), the details to reach the webinjects and the name of the botnet are specified.
Soon I'll release more information about it :)
by Evilcry
Mon Sep 23, 2013 6:07 am
Forum: Malware
Topic: Win32/Caphaw (Shylock)
Replies: 46
Views: 53002

Re: Win32/Caphaw (Shylock)

Yes, I've extracted various Shylock/Caphaw samples from BEK serving domains, approximately 25-26 August. The BEK was dropping ZeroAccess with new modules and Caphaw; the filename adopted was FirefoxUpdate.exe. Here is a tweet I pushed at the time: https://twitter.com/Blackmond_/status/371618939794501632
by Evilcry
Sat Aug 24, 2013 6:49 am
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 570616

Re: ZeroAccess (alias MaxPlus, Sirefef)

SHA256: ebe55dc39519b1d26df7cf30fe9342dedc3f4b7c02346c6cc6421cb3171e71bd
SHA1: bc8ff8ee98b54e45386493d3dd7626d788faca3a
MD5: af445c4153e26888bb4a8db656a7cc1d
File size: 191.5 KB (196096 bytes)
File name: af445c4153e26888bb4a8db656a7cc1d_kaf0x0
Detection ratio: 5 / 46
Analysis date: 2013-08-24 04:5...
by Evilcry
Thu Aug 22, 2013 7:07 am
Forum: Malware
Topic: Win32/Urausy (aka "WinLocker")
Replies: 80
Views: 79359

Re: Win32/Urausy (aka "WinLocker")

SHA256: 49d5aedce06aace5541dfc295fdac86366e5375764040129ac0e831a674f0774
SHA1: 2bcb770dc1089eb42cba5a21ffcba0fd2c7eec2b
MD5: 12b1cd37647ff7a02d372b8af62854b6
File size: 104.5 KB (107008 bytes)
File name: movie1080p.mkv.exe
File type: Win32 EXE
Detection ratio: 3 / 46
https://www.virustotal.com/en/...
by Evilcry
Sat Aug 17, 2013 4:08 pm
Forum: Tools/Software
Topic: Cerbero PE Insider
Replies: 2
Views: 6106

Re: Cerbero PE Insider

Please re-update the tool; some bug fixes were introduced recently.
by Evilcry
Sat Aug 17, 2013 3:10 pm
Forum: Malware
Topic: Win32/Urausy (aka "WinLocker")
Replies: 80
Views: 79359

Re: Win32/Urausy (aka "WinLocker")

SHA256: cd3620edf22450be66127d647ecebad06de972a2a542c2780212f46480cc8139
SHA1: edf7b757c4ca2c7f63fba6beece763c345f03ca5
MD5: efc786adda00b8117a178527f88c3d44
File size: 86.5 KB (88576 bytes)
File name: movie1080p.mkv.exe
File type: Win32 EXE
Detection ratio: 3 / 46
Analysis date: 2013-08-17 13:37:...