A forum for reverse engineering, OS internals and malware analysis 

Search found 234 matches


Chainshot

 by R136a1 ¦  Thu Sep 06, 2018 8:17 pm ¦  Forum: Malware ¦  Topic: Chainshot ¦  Replies: 0 ¦  Views: 1990

Re: Forum bugs

 by R136a1 ¦  Sun Mar 25, 2018 11:18 am ¦  Forum: General Discussion ¦  Topic: Forum bugs ¦  Replies: 3 ¦  Views: 5365

The file upload bug for attachments > 1MB was fixed; it was caused by a wrong directory permission set during the maintenance on Friday.

Forum transfer and new admin

 by R136a1 ¦  Tue Mar 13, 2018 2:40 pm ¦  Forum: Announcements ¦  Topic: Forum transfer and new admin ¦  Replies: 0 ¦  Views: 8169

Hi folks, as a_d_13 recently announced, he transferred the domain and forum over to me as the new admin. I want to thank him for the effort and time he put into it over the course of the last 8 years! He will still be available on the forum as a global moderator if you want to contact him. For those...

Re: Backdoor Andromeda (waahoo, alias Gamarue)

 by R136a1 ¦  Wed Dec 06, 2017 11:27 am ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 194482

[Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1

 by R136a1 ¦  Mon Apr 10, 2017 7:19 pm ¦  Forum: Malware ¦  Topic: [Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1 ¦  Replies: 0 ¦  Views: 12275

Hi folks, Symantec published an article about a group they named Longhorn whose tools match the descriptions of the Vault 7 documents leaked by Wikileaks, allegedly the CIA hacking tools arsenal. In the article, they also published the signature names of some tools of which some can be found on Viru...

Backdoor.Batel

 by R136a1 ¦  Tue Sep 27, 2016 11:14 am ¦  Forum: Malware ¦  Topic: Backdoor.Batel ¦  Replies: 0 ¦  Views: 8153

Hi folks, here are two samples of Backdoor.Batel, a small shellcode-like dll file. Nothing special though, the technique is nearly identical to the one described here, except this time it's realized as a standalone dll: https://blog.cylance.com/operation-cleaver-the-notepad-files PDB path string: C:...

ATM (Diebold) related file

 by R136a1 ¦  Tue Sep 27, 2016 11:02 am ¦  Forum: Malware ¦  Topic: ATM (Diebold) related file ¦  Replies: 0 ¦  Views: 7827

Hi folks, maybe someone can shed some light on the functionality of this small ATM related file. It doesn't look malicious to me, but I can't say for sure since the Diebold API isn't public. Perhaps it's useful for someone... File: https://virustotal.com/en/file/d2296deb1b6ae42d787889e163d8d75a43c...

Re: Win32/Xswkit (alias Gootkit)

 by R136a1 ¦  Tue Sep 27, 2016 10:42 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123413

Hi folks, here are two fresh samples from the beginning of September which aren't crypted. They look like some test samples, because they have a "-testldr" command line switch among other things. The samples also contain two small embedded dlls (x86/64) which seem to deal with certificate related stuff. Haven...

Re: TeamSpy

 by R136a1 ¦  Thu Aug 11, 2016 4:46 pm ¦  Forum: Malware ¦  Topic: TeamSpy ¦  Replies: 7 ¦  Views: 7272

Here are a few new versions. The droppers are mostly self-extracting RAR archives which contain a legit version of Teamviewer (v7) and a parasitic file named msimg32.dll. It seems to have some kind of new UAC bypass method on board, but I haven't checked in detail. Strings of msimg32.dll: F123456789ABCDEFG...

Re: Backdoor.Remsec

 by R136a1 ¦  Thu Aug 11, 2016 4:08 pm ¦  Forum: Malware ¦  Topic: Backdoor.Remsec ¦  Replies: 2 ¦  Views: 4441

Files attached.