A forum for reverse engineering, OS internals and malware analysis 


Re: malware

 by sysopfb ¦  Thu Jan 17, 2019 4:25 pm ¦  Forum: Malware ¦  Topic: XKeyScore ¦  Replies: 2 ¦  Views: 6354

Sorry for necroing but this is XKeyScore , found topic while looking at another sample

Panel attached from a different C2 server

Re: TrickBot

 by sysopfb ¦  Tue Apr 17, 2018 11:48 pm ¦  Forum: Malware ¦  Topic: TrickBot ¦  Replies: 2 ¦  Views: 7269

Apparently the loader being used by TrickBot, which I was calling TrickLoader, added UACME #41 back in December, at least according to this post by F5 labs https://labsblog.f-secure.com/2017/12/18/dont-let-an-auto-elevating-bot-spoil-your-christmas/ - thanks Antelox for your google-fu on finding this! K...

IcedID Downloader

 by sysopfb ¦  Wed Nov 29, 2017 1:12 am ¦  Forum: Malware ¦  Topic: IcedID Downloader ¦  Replies: 1 ¦  Views: 5481

Saw this downloader show up as a payload to Chanitor/Hancitor, which is used to download the IcedID/BokBot banking trojan. It has some code shared with the banking trojan, as they use the same manner of string encryption. Attached is the hancitor download - 4 the decoded and decompressed object 4.decoded an...

Ordinypt Wiper

 by sysopfb ¦  Thu Nov 16, 2017 3:59 pm ¦  Forum: Malware ¦  Topic: Ordinypt Wiper ¦  Replies: 1 ¦  Views: 5106

http://29wspy.ru/reversing/Ordinypt/Ordinypt.pdf Good summary: A stupid malware that destroys information of enterprises and innocent people and tries to steal money by saying that it is ransomware. Bad coding style, an easy packer; it only needed 1 hour of my time to reverse it and write this report. sample atta...

Re: Win32/Emotet - Banking trojan

 by sysopfb ¦  Thu Nov 16, 2017 1:09 am ¦  Forum: Malware ¦  Topic: Win32/Emotet - Banking trojan ¦  Replies: 54 ¦  Views: 11509

Magical builtin hijack.

Attached is a sample from 19sep with the anti layer in the crypter they are referring to.

Re: Malware from Crunchyroll

 by sysopfb ¦  Mon Nov 06, 2017 2:08 pm ¦  Forum: Malware ¦  Topic: Malware from Crunchyroll ¦  Replies: 2 ¦  Views: 5331

Payload on that pcap was metsrv, meterpreter's fileless stager.

Re: Malware from Crunchyroll

 by sysopfb ¦  Sun Nov 05, 2017 8:49 pm ¦  Forum: Malware ¦  Topic: Malware from Crunchyroll ¦  Replies: 2 ¦  Views: 5331

This has a pcap of it downloading a payload from when it was live. Kudos to any.run for reaching out to Bart on twitter about the pcap https://app.any.run/tasks/010df394-dad9-41dd-87ef-f80892cde074 The decoded code from the embedded PE in the modified taiga program looks like it was based on metaspl...

Re: Malware collection

 by sysopfb ¦  Wed Nov 01, 2017 1:24 am ¦  Forum: Malware ¦  Topic: Win32/Upatre (alias Waski) ¦  Replies: 22 ¦  Views: 23850

ikolor wrote: thanks
https://www.virustotal.com/#/file/a97f2 ... /detection

That's an encoded Upatre payload from a campaign in 2015

Re: .INK Powershell Downloader

 by sysopfb ¦  Fri Jul 14, 2017 8:41 pm ¦  Forum: Malware ¦  Topic: .INK Powershell Downloader ¦  Replies: 5 ¦  Views: 9187

89b138eaaade5a1ec36e2d1422ae38059f138e81b722301e713b65a74de521c7 The file has the same packer as the godzilla loader but appears to be ramnit. The unpacked file has strings that are encrypted with Rabbit, but the bot's Rabbit routine uses a shr delta of 8 instead of 1 when performing decryption when c...

Re: .INK Powershell Downloader

 by sysopfb ¦  Fri Jul 14, 2017 2:14 pm ¦  Forum: Malware ¦  Topic: .INK Powershell Downloader ¦  Replies: 5 ¦  Views: 9187

0c19c460c7e8de4c36a9cdfe30836a9bdd18976e2f0f8f7cb9e79d13de00237b Looks like godzilla loader; C2 URLs are push/pop stored and then XORed with 'GODZILLA'. C2s: hxxps://bokergrop.eu/bin/161/css.php hxxps://kuseyambar.eu/bin/161/css.php hxxps://morefitggr.eu/bin/161/css.php hxxps://perefacki.eu/bin/161/cs...
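The post above describes the loader's C2 strings as stack strings (push imm32 / pop / store) XORed with the key 'GODZILLA'. The script below is an added example written for this page, not sysopfb's tooling and not code from the loader itself: it reassembles a buffer from the dword immediates a disassembler would show, applies repeating-key XOR, and recovers the URL. It assumes the stores are little-endian dwords in memory order, that the key is applied from its first byte at the start of the buffer, and that the plaintext is NUL-terminated; the encoded immediates are constructed inside the script from one of the URLs listed in the post (with the defanged "hxxps" restored to "https"), so it runs offline.

```python
import struct

# XOR key named in the post for the Godzilla loader's C2 strings.
KEY = b"GODZILLA"

# Constructed sample input: one of the C2 URLs from the post, un-defanged.
SAMPLE_URL = "https://bokergrop.eu/bin/161/css.php"


def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same function
    both obfuscates and recovers the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def dwords_to_bytes(dwords) -> bytes:
    """Reassemble a buffer the sample builds one dword at a time
    (push imm32 / pop reg / mov [buf+off], reg). x86 is little-endian, so
    each immediate contributes its bytes lowest-address-first. Immediates
    are expected in memory order (assumption, see lead-in)."""
    return b"".join(struct.pack("<I", d & 0xFFFFFFFF) for d in dwords)


def bytes_to_dwords(data: bytes):
    """Inverse of dwords_to_bytes; pads with NULs up to a dword boundary.
    Used here only to construct the sample immediates."""
    padded = data + b"\x00" * (-len(data) % 4)
    return [struct.unpack("<I", padded[i:i + 4])[0]
            for i in range(0, len(padded), 4)]


def encode_c2(url: str, key: bytes = KEY):
    """Build the dword immediates a binary would carry for `url`.
    This simulates what the loader stores; it is constructed test data,
    not bytes taken from the real sample."""
    plain = url.encode("ascii") + b"\x00"          # NUL-terminated (assumption)
    return bytes_to_dwords(xor_repeating(plain, key))


def decode_c2(dwords, key: bytes = KEY) -> str:
    """Recover one C2 URL from the dword immediates that store it."""
    raw = dwords_to_bytes(dwords)
    plain = xor_repeating(raw, key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def looks_like_url(s: str) -> bool:
    """Cheap sanity check that the decode produced a URL and not garbage,
    e.g. because the key phase or dword order assumption was wrong."""
    return s.startswith(("http://", "https://")) and s.isprintable()


if __name__ == "__main__":
    imms = encode_c2(SAMPLE_URL)
    print("immediates:", ", ".join(f"0x{d:08x}" for d in imms))
    url = decode_c2(imms)
    print("decoded   :", url, "(plausible)" if looks_like_url(url) else "(check assumptions)")
```

If a real sample stores the dwords in a different order (for example pushed from the end of the string) or starts the key at a non-zero offset, `looks_like_url` fails and the two assumptions in `dwords_to_bytes` and `xor_repeating` are the first things to revisit.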
