A forum for reverse engineering, OS internals and malware analysis 


Forum transfer and new admin

 by R136a1 ¦  Tue Mar 13, 2018 2:40 pm ¦  Forum: Announcements ¦  Topic: Forum transfer and new admin ¦  Replies: 0 ¦  Views: 8493

Hi folks, as a_d_13 recently announced, he transferred the domain and forum over to me as the new admin. I want to thank him for the effort and time he put into it over the course of the last 8 years! He will still be available on the forum as a global moderator if you want to contact him. For those...

Re: Backdoor Andromeda (waahoo, alias Gamarue)

 by R136a1 ¦  Wed Dec 06, 2017 11:27 am ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 197097

[Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1

 by R136a1 ¦  Mon Apr 10, 2017 7:19 pm ¦  Forum: Malware ¦  Topic: [Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1 ¦  Replies: 0 ¦  Views: 12402

Hi folks, Symantec published an article about a group they named Longhorn whose tools match the descriptions of the Vault 7 documents leaked by Wikileaks, allegedly the CIA hacking tools arsenal. In the article, they also published the signature names of some tools of which some can be found on Viru...

Backdoor.Batel
 by R136a1 ¦  Tue Sep 27, 2016 11:14 am ¦  Forum: Malware ¦  Topic: Backdoor.Batel ¦  Replies: 0 ¦  Views: 8190

Hi folks, here are two samples of Backdoor.Batel, a small shellcode-like DLL file. Nothing special though, the technique is nearly identical to the one described here, except this time it's realized as a standalone DLL: https://blog.cylance.com/operation-cleaver-the-notepad-files PDB path string: C:...

ATM (Diebold) related file

 by R136a1 ¦  Tue Sep 27, 2016 11:02 am ¦  Forum: Malware ¦  Topic: ATM (Diebold) related file ¦  Replies: 0 ¦  Views: 7858

Hi folks, maybe someone can shed some light on the functionality of this small ATM related file. It doesn't look malicious to me, but I can't say for sure since the Diebold API isn't public. Perhaps it's useful for someone... File: https://virustotal.com/en/file/d2296deb1b6ae42d787889e163d8d75a43c...

Re: Win32/Xswkit (alias Gootkit)

 by R136a1 ¦  Tue Sep 27, 2016 10:42 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 125030

Hi folks, here are two fresh samples from the beginning of September which aren't crypted. They look like some test samples, because they have a "-testldr" command line switch among other things. The samples also contain two small embedded DLLs (x86/64) which seem to deal with certificate related stuff. Haven...

Re: TeamSpy

 by R136a1 ¦  Thu Aug 11, 2016 4:46 pm ¦  Forum: Malware ¦  Topic: TeamSpy ¦  Replies: 7 ¦  Views: 7371

Here are a few new versions. The droppers are mostly self-extracting RAR archives which contain a legit version of TeamViewer (v7) and a parasitic file named msimg32.dll. It seems to have some kind of new UAC bypass method on board, but I haven't checked in detail. Strings of msimg32.dll: F123456789ABCDEFG...
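The post above describes a DLL search-order hijack: a legitimate TeamViewer binary dropped next to a parasitic msimg32.dll so the application loads the attacker's copy instead of the one in System32. The triage script below is an added example, not code from the post or from the forum; it walks an extracted dropper directory, flags any known sideload-candidate DLL sitting beside an .exe, and hashes it for further lookup. The candidate list beyond msimg32.dll is an assumption added for illustration, and the file layout it builds is constructed placeholder data, not real binaries.

```python
import hashlib
import os
import tempfile

# DLLs Windows normally resolves from System32. A copy sitting next to an
# application binary is a classic search-order hijack candidate. msimg32.dll
# is the name from the TeamSpy droppers; the other names are an illustrative
# assumption, not a complete list.
SIDELOAD_CANDIDATES = {"msimg32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}


def find_sideload_candidates(root):
    """Walk `root` and return (exe_path, dll_path, sha256) for every
    candidate DLL that shares a directory with at least one .exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        exes = [f for f in files if f.lower().endswith(".exe")]
        if not exes:
            continue  # a lone DLL with nothing to sideload into is not a hit
        for name in sorted(SIDELOAD_CANDIDATES):
            if name not in by_lower:
                continue
            dll_path = os.path.join(dirpath, by_lower[name])
            with open(dll_path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            for exe in exes:
                hits.append((os.path.join(dirpath, exe), dll_path, digest))
    return hits


def build_constructed_layout():
    """Create a throwaway directory mimicking an extracted TeamSpy SFX:
    TeamViewer.exe plus a parasitic msimg32.dll beside it, and a clean
    subdirectory with no candidate DLL. File contents are placeholders
    (constructed), not real PE images."""
    root = tempfile.mkdtemp(prefix="teamspy_demo_")
    for name in ("TeamViewer.exe", "msimg32.dll"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ placeholder (constructed)")
    clean = os.path.join(root, "clean")
    os.mkdir(clean)
    with open(os.path.join(clean, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ placeholder (constructed)")
    return root


if __name__ == "__main__":
    root = build_constructed_layout()
    for exe, dll, digest in find_sideload_candidates(root):
        print(f"{exe} would load {dll} (sha256 {digest[:16]}...)")
```

Run it against the directory an SFX dropper unpacks into; every hit is an (exe, dll, hash) triple you can pivot on, and the hash is what you would check against a known-good System32 copy before calling the DLL parasitic.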

Re: Backdoor.Remsec

 by R136a1 ¦  Thu Aug 11, 2016 4:08 pm ¦  Forum: Malware ¦  Topic: Backdoor.Remsec ¦  Replies: 2 ¦  Views: 4491

Files attached.

Re: Duqu 2.0

 by R136a1 ¦  Wed Jul 27, 2016 5:16 pm ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 35185

Here is the exploit known as CVE-2015-2360. It wasn't publicly released yet, so I thought to upload it before it gets lost in my archive. The compilation time stamp is a bit newer than the samples described by Kaspersky, though I don't think there is a big difference in the functionality, if at all....

Re: EnumDisplayMonitors

 by R136a1 ¦  Sat Jul 02, 2016 8:26 am ¦  Forum: User-Mode Development ¦  Topic: EnumDisplayMonitors ¦  Replies: 2 ¦  Views: 10117

Funny, there is no sanity check for the pointer of the callback function at all. Windows XP is also affected, probably nothing was done since its implementation in Windows 2000.
