A forum for reverse engineering, OS internals and malware analysis 

Search found 7 matches


Re: Assistance requested identifying packed malware

 by g0r_ ¦  Wed Nov 05, 2014 9:29 pm ¦  Forum: Malware ¦  Topic: Assistance requested identifying packed malware ¦  Replies: 5 ¦  Views: 3660

Thanks again, Artillerie! :) Looks like same bad actor has more active malware on related domain: https://www.virustotal.com/en/file/77d2efae37e9ddae8eef0edbf8b1019c08a7cfe348eb081ca614df085d27ef23/analysis/1415130702/ https://www.virustotal.com/en/file/14e45bb7ecfa6b71d9b8a952be19ca19f5d45668481aae...

Re: Assistance requested identifying packed malware

 by g0r_ ¦  Tue Nov 04, 2014 11:22 pm ¦  Forum: Malware ¦  Topic: Assistance requested identifying packed malware ¦  Replies: 5 ¦  Views: 3660

Thanks very much Artillerie. Appreciate the assist. :)

Assistance requested identifying packed malware

 by g0r_ ¦  Mon Nov 03, 2014 11:37 pm ¦  Forum: Malware ¦  Topic: Assistance requested identifying packed malware ¦  Replies: 5 ¦  Views: 3660

Hi all, found an interesting sample I suspect might be Pony related (same bad actor switched from Zeus/Citadel to Pony recently). strings has references to SmartAssembly, so it is likely packed with it. Executing in VMs is inconclusive, so I suspect it might also be VM-aware and not execute properly. Any ...

Re: Citadel (Zeus clone)

 by g0r_ ¦  Thu Mar 13, 2014 1:45 am ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 402503

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample? With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something m...
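As an added worked example, not code from this thread or from any Zeus/Citadel tool: a minimal config decryptor for the ZeuS-2.x-style scheme the question is about. It assumes the dumped config.bin is RC4-encrypted with the key recovered from the sample and then protected by the ZeuS "visual" XOR pass; Citadel's login-key modification of the RC4 key schedule is not modelled, so `rc4_ksa()` would need adapting for such samples. `DEMO_KEY`, `DEMO_CONFIG` and the `example.invalid` URL are constructed test data, not material from any real sample.

```python
# Added example, not code from the thread or from any Citadel/Zeus tool.
# Assumes a ZeuS-2.x-style config: RC4 with the key recovered from the sample,
# followed by a "visual" XOR pass. Citadel's login-key modification of the RC4
# key schedule is NOT modelled; the key and config data below are constructed.


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: returns the initial 256-byte state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; symmetric, so it both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """ZeuS 'visual' pass: each byte XORed with the previous (already transformed) byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Reverse of visual_encrypt: walk backwards so the previous byte is still ciphertext."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def encrypt_config(plaintext: bytes, rc4_key: bytes) -> bytes:
    """Builder-side order (assumed): visual pass first, then RC4."""
    return rc4_crypt(rc4_key, visual_encrypt(plaintext))


def decrypt_config(blob: bytes, rc4_key: bytes) -> bytes:
    """Analyst-side order: undo RC4, then undo the visual pass."""
    return visual_decrypt(rc4_crypt(rc4_key, blob))


# Constructed demo data (hypothetical key and config, not from a real sample).
DEMO_KEY = bytes.fromhex("4ad0e1b3c5f7")
DEMO_CONFIG = b"url_loader=hxxp://example.invalid/gate.php\nfile_webinjects=webinjects.txt\n"


def demo() -> bytes:
    """Round-trip the constructed config through encrypt_config/decrypt_config."""
    blob = encrypt_config(DEMO_CONFIG, DEMO_KEY)
    return decrypt_config(blob, DEMO_KEY)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # usage: python decrypt_config.py config.bin <hex RC4 key from the sample>
        with open(sys.argv[1], "rb") as fh:
            sys.stdout.buffer.write(decrypt_config(fh.read(), bytes.fromhex(sys.argv[2])))
    else:
        print(demo().decode(errors="replace"))
```

Run it with a dumped config.bin and the hex-encoded RC4 key as arguments to write the decrypted blob to stdout; with no arguments it round-trips the constructed config. If the output is not readable after the two passes, the sample is using a modified key schedule (as Citadel does) and the KSA has to be adjusted from the unpacked binary.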

Re: How to pwn a botnet need Help.

 by g0r_ ¦  Thu Mar 13, 2014 1:31 am ¦  Forum: Newbie Questions ¦  Topic: How to pwn a botnet need Help. ¦  Replies: 4 ¦  Views: 5366

Personally, learning to use Volatility, Wireshark, Process Explorer/Process Hacker, etc. was something that helped me in situations where all I had was a sample of something that talked to a C2. Understanding what the malware does and what it communicates with gives you an idea of how to attack the infrastructur...

Re: Win32/Zeus (alias Zbot)

 by g0r_ ¦  Wed Feb 26, 2014 2:55 am ¦  Forum: Malware ¦  Topic: Win32/Zeus (alias Zbot) ¦  Replies: 281 ¦  Views: 366097

Some service with a couple of C2s - only one with a sample at the moment.
hxxp://89.33.0.199/service/ay/js/
hxxp://89.33.0.199/service/ay/nay.exe
hxxp://89.33.0.199/service/ay/js/gate.php
hxxp://89.33.0.199/service/ay/js/config.bin
hxxp://89.33.0.199/service/ay/js/cp.php?m=login
hxxp://89.33.0.199/service/...

Re: Citadel (Zeus clone)

 by g0r_ ¦  Fri Feb 14, 2014 3:28 am ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 402503

First time I've seen the "Kingtools" Citadel re-branding. http://protectyournet.blogspot.com/2014/02/kingtools-nigerian-rebranded-citadel.html Anyone seen any other knock-offs like this? I would guess the bins are the same as Cit v1.3.5.1, but I couldn't find a sample for this one. C&C was at: http://...