A forum for reverse engineering, OS internals and malware analysis 


Re: Analyzing VB Malware - XtremeRAT

 by r3shl4k1sh ¦  Sat Dec 10, 2016 8:17 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Analyzing VB Malware - XtremeRAT ¦  Replies: 3 ¦  Views: 21647

XtremeRAT is written in Delphi, not in VB (6). The VB part is probably just the cryptor. Personally I don't spend much time on cryptors. Just run it and dump the extracted data from memory (with Xtreme RAT it's even easier because most of the time it's going to be on the same memory address 0x10000000)....

Re: Malware or not malware.....this is a big question...

 by r3shl4k1sh ¦  Sat Dec 10, 2016 8:10 pm ¦  Forum: Malware ¦  Topic: Malware or not malware.....this is a big question... ¦  Replies: 2 ¦  Views: 6072

If it's really a big question please give us more context to the malware.

To me it seems to be part of Adware. But it might be part of malware if it's used for sys info gathering.

Re: UACMe - Defeating Windows User Account Control

 by r3shl4k1sh ¦  Tue Aug 23, 2016 3:26 pm ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 447049

The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven

Re: LuminosityLink (Cryptominer) RAT

 by r3shl4k1sh ¦  Fri Aug 05, 2016 1:08 pm ¦  Forum: Malware ¦  Topic: LuminosityLink (Cryptominer) RAT ¦  Replies: 1 ¦  Views: 4520

Another one.
VT 6/53 56a4e071cfba887e620924a9eeea8eb9
Decrypted configs:
SHA256: d954e352d0385307e2bfcc8c614e22d5555be24c9f3d4890ced0b9192b958800
Encryption Key: This confi'g contains nothing useful. Quit acting as if you're cool by decrypting it.
Domain/IP: 66.45.225.46
Port: 888
Backup DNS: Disabl...

LuminosityLink (Cryptominer) RAT

 by r3shl4k1sh ¦  Tue Jul 12, 2016 6:18 pm ¦  Forum: Malware ¦  Topic: LuminosityLink (Cryptominer) RAT ¦  Replies: 1 ¦  Views: 4520

http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/
Very low detection rate 2/53: cb599999063da4b3113b0b8dbefd39ec
Connects to: mopol.mooo.com:8485 --> [212.7.208.101]
Strings: RELPATH SHADOW_COPY_DIRS CACHE_BASE PRIVATE_BINP...

Re: TeslaCrypt ransomware

 by r3shl4k1sh ¦  Thu Sep 17, 2015 6:30 pm ¦  Forum: Malware ¦  Topic: TeslaCrypt ransomware ¦  Replies: 62 ¦  Views: 90752

http://www.isightpartners.com/2015/09/teslacrypt-2-0-cyber-crime-malware-behavior-capabilities-and-communications/ Anyone got any samples for this supposed "Tesla Crypt 2.0" ? In attach the sample mentioned in the article: https://www.virustotal.com/en/file/f01c6e165228b65178be848c86544b02ad36af81b...

Re: Imports that flag AV

 by r3shl4k1sh ¦  Thu Sep 17, 2015 6:04 pm ¦  Forum: Malware ¦  Topic: Imports that flag AV ¦  Replies: 3 ¦  Views: 3380

WriteProcessMemory
ReadProcessMemory
CreateRemoteThread
VirtualAllocEx
EnumProcesses
CreateToolhelp32Snapshot

But I doubt you will be able to get AVs from "major vendors" to flag the file based only on suspicious imports from the Import Table. Anyway, most of the time the imports should actually be used...
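The check the post is talking about, written out as an added example (this is not code from the thread or from any AV product): walk the PE import directory by hand and report which of the imports listed above a file actually declares. The import names in SUSPICIOUS_IMPORTS are the six from the post; build_pe() and SAMPLE_IMPORTS are constructed test data so the scanner can run offline without a real sample, and the PE it builds contains nothing but an import table.

```python
import struct

# The imports named in the post, the usual process-injection set.
SUSPICIOUS_IMPORTS = {
    "WriteProcessMemory", "ReadProcessMemory", "CreateRemoteThread",
    "VirtualAllocEx", "EnumProcesses", "CreateToolhelp32Snapshot",
}


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Walk the import directory of a PE file and return {dll: [function, ...]}.
    Handles PE32 and PE32+, and imports by ordinal (reported as 'ordinal_N')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt = pe + 24                                          # start of OptionalHeader
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dir_base = opt + (112 if pe32plus else 96)             # DataDirectory array
    imp_rva = struct.unpack_from("<I", data, dir_base + 8)[0]   # entry 1 = IMPORT
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))

    def off(rva):  # RVA -> file offset via the section table
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    result = {}
    if imp_rva == 0:
        return result
    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    desc = off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero one
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        dll, funcs = _cstr(data, off(name_rva)), []
        thunk = off(oft or ft)    # prefer the ILT, fall back to the IAT if there is no ILT
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if val == 0:
                break
            if val & ord_flag:
                funcs.append("ordinal_%d" % (val & 0xFFFF))
            else:
                funcs.append(_cstr(data, off(val) + 2))   # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[dll] = funcs
        desc += 20
    return result


def flag_suspicious(imports):
    """Return sorted 'dll!function' strings for imports on the watch-list."""
    return sorted("%s!%s" % (dll, f) for dll, funcs in imports.items()
                  for f in funcs if f in SUSPICIOUS_IMPORTS)


def build_pe(imports):
    """Constructed test data: a minimal PE32 whose single section holds only an import table."""
    sec_rva, file_align = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    body, descs = bytearray(), b""
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                      # hint/name entries, 2-byte aligned
            name_rvas.append(sec_rva + desc_size + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0"
            body += b"\0" * (len(body) % 2)
        dll_rva = sec_rva + desc_size + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        ilt_rva = sec_rva + desc_size + len(body)
        body += thunks
        iat_rva = sec_rva + desc_size + len(body)
        body += thunks
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva)
    section = descs + b"\0" * 20 + bytes(body)
    raw_size = (len(section) + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0,
                      0, raw_size, 0, sec_rva, sec_rva, sec_rva, 0x400000, 0x1000, file_align,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, desc_size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(section), sec_rva,
                          raw_size, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return headers.ljust(0x200, b"\0") + section.ljust(raw_size, b"\0")


# Constructed sample: an injector-looking import set next to harmless ones.
SAMPLE_IMPORTS = {
    "kernel32.dll": ["CreateFileA", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "psapi.dll": ["EnumProcesses"],
    "user32.dll": ["MessageBoxA"],
}

if __name__ == "__main__":
    for hit in flag_suspicious(parse_imports(build_pe(SAMPLE_IMPORTS))):
        print(hit)
```

Point the scanner at a real file with parse_imports(open(path, "rb").read()). As the post says, the hits are a triage hint, not a verdict: a legitimate debugger imports the same set, and a packer or a GetProcAddress-based resolver leaves none of these names in the table at all.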

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by r3shl4k1sh ¦  Fri Jun 26, 2015 8:44 am ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 119265

Hi,
It seems like Symantec detects the latest Rovnix dropper and payload as Carberp.C: http://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under
Part of the decrypted web-injects from the sample posted by @comak (you can get the full web-injects in the attached zip file): set_url *....

Re: Duqu 2.0

 by r3shl4k1sh ¦  Sat Jun 13, 2015 6:46 pm ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 35035

I believe that the Duqu 2.0 team were those who wrote the "report" from Kaspersky...
Probably there is a cease-fire agreement now...

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

 by r3shl4k1sh ¦  Fri May 15, 2015 12:35 pm ¦  Forum: Malware ¦  Topic: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader) ¦  Replies: 83 ¦  Views: 119265

Hi folks,
A fresh Rovnix dropper (MS: TrojanDropper:Win32/Rovnix.P, ESET: Win32/Rovnix.Z) that contains CVE-2013-3660 and CVE-2014-4113 in order to escalate its privileges.
d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae
The driver contains an effective method to prevent loading of ...
