A forum for reverse engineering, OS internals and malware analysis 


Re: Malware collection

 by benkow_ ¦  Sun Mar 04, 2018 9:22 am ¦  Forum: Malware ¦  Topic: XMRig Miner ¦  Replies: 5 ¦  Views: 394

SHA-256: 8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80. File name: ExtremeHack.exe https://www.virustotal.com/#/file/8cd0e931d1de457839fe074ee0819dee78fcd61e1983ea80c7bd7b16f696eb80/detection Another miner that has been spreading around for some weeks: ftp://progerman:ivivad9x@82.202.231.21 { "al...

Re: Cyber Police (HiddenTear Variant)

 by benkow_ ¦  Fri Dec 29, 2017 2:01 pm ¦  Forum: Completed Malware Requests ¦  Topic: Cyber Police (HiddenTear Variant) ¦  Replies: 2 ¦  Views: 4047

attached

Re: Looking for the FireEyE Triton Samples.

 by benkow_ ¦  Sat Dec 16, 2017 9:57 am ¦  Forum: Completed Malware Requests ¦  Topic: Looking for the FireEyE Triton Samples. ¦  Replies: 2 ¦  Views: 3723

http://www.kernelmode.info/forum/viewto ... =20&t=1950 :

Requests from users with ZERO (0) posts, "thank-you" only posts, or requests-only posts are not allowed. Posts will be removed and the user will be banned, depending on the situation. Make your effort for this place before asking anything.

Re: Sample request for mentioned MD5

 by benkow_ ¦  Fri Dec 15, 2017 9:45 am ¦  Forum: Completed Malware Requests ¦  Topic: Sample request for mentioned MD5 ¦  Replies: 1 ¦  Views: 3590

attached

Re: svchost.exe

 by benkow_ ¦  Sun Oct 01, 2017 10:42 am ¦  Forum: Completed Malware Requests ¦  Topic: svchost.exe ¦  Replies: 1 ¦  Views: 4237

So, it's VBScript. "WriteData" looks like a hex-encoded PE (4D5A is typical for a PE) https://www.virustotal.com/en/file/79aa811f409838b78ee0eb03d3860894ff44009f0360ee32f8d469099427ab08/analysis/1506853340/ doc Set FSO = CreateObject("Scripting.FileSystemObject") //2=TemporaryFolder / %TEMP%\svchost....

Re: Debugging Explorer Icon loading

 by benkow_ ¦  Sun Aug 06, 2017 8:53 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Debugging Explorer Icon loading ¦  Replies: 2 ¦  Views: 13408

Re: WanaCrypt0r 2.0

 by benkow_ ¦  Sun May 14, 2017 9:36 pm ¦  Forum: Malware ¦  Topic: WanaCrypt0r 2.0 ¦  Replies: 15 ¦  Views: 26440

Patched kill switch version

Code:
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
https://www.virustotal.com/fr/file/32f2 ... /analysis/

Re: JScript dropper

 by benkow_ ¦  Sun Feb 26, 2017 4:33 pm ¦  Forum: Malware ¦  Topic: JScript dropper ¦  Replies: 2 ¦  Views: 14074

List on "Onliner" spambot still up (used for spreading Ursnif)

Code:
http://194.247.13.8/img/login.php
http://194.247.13.178/naomi/login.php
http://194.247.13.196/asus/login.php

Re: APT question

 by benkow_ ¦  Wed Feb 15, 2017 10:42 am ¦  Forum: Malware ¦  Topic: APT question ¦  Replies: 3 ¦  Views: 10760

Maybe the BlackEnergy malware family (Backdoor+KillDisk).
https://www.youtube.com/watch?v=MzhmRyA_71Q

Debugging Explorer Icon loading

 by benkow_ ¦  Sat Jan 28, 2017 5:26 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Debugging Explorer Icon loading ¦  Replies: 2 ¦  Views: 13408

Hello, I'm working on a strange case: during malware reversing (6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d) I noticed strange behaviour with explorer.exe. The malware itself (a spambot) is boring, and I don't know whether the malware author does this deliberately or not, but each time you...
