A forum for reverse engineering, OS internals and malware analysis 

Search found 249 matches

 Go to advanced search


 by R136a1 ¦  Tue Sep 27, 2016 11:14 am ¦  Forum: Malware ¦  Topic: Backdoor.Batel ¦  Replies: 0 ¦  Views: 8165

Hi folks, here are two samples of Backdoor.Batel, a small shellcode like dll file. Nothing special though, the technique is nearly identical to the one described here, except this time it's realized as a standalone dll: https://blog.cylance.com/operation-cleaver-the-notepad-files PDB path string: C:...

ATM (Diebold) related file

 by R136a1 ¦  Tue Sep 27, 2016 11:02 am ¦  Forum: Malware ¦  Topic: ATM (Diebold) related file ¦  Replies: 0 ¦  Views: 7840

Hi folks, maybe someone can shed some light into the functionality of this small ATM related file. It doesn't look malicious to me, but I can't say for sure since the Diebold API isn't public. Perhaps it's useful for someone... File: https://virustotal.com/en/file/d2296deb1b6ae42d787889e163d8d75a43c...

Re: Win32/Xswkit (alias Gootkit)

 by R136a1 ¦  Tue Sep 27, 2016 10:42 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123814

Hi folks, here are two fresh samples from beginning of September which aren't crypted. They look like some test samples, because they have "-testldr" command line switch among other things. Samples also contain two small embedded dlls (x86/64) which seem to deal with certificate related stuff. Haven...

Re: TeamSpy

 by R136a1 ¦  Thu Aug 11, 2016 4:46 pm ¦  Forum: Malware ¦  Topic: TeamSpy ¦  Replies: 7 ¦  Views: 7319

Here are a few new versions. The droppers are mostly self-extracting RAR archives which contain a legit version of Teamviewer (v7) and a parasitic file named msimg32.dll. It seems to have kind of new UAC bypass method on board, but haven't checked in detail. Strings of msimg32.dll: F123456789ABCDEFG...

Re: Backdoor.Remsec

 by R136a1 ¦  Thu Aug 11, 2016 4:08 pm ¦  Forum: Malware ¦  Topic: Backdoor.Remsec ¦  Replies: 2 ¦  Views: 4465

Files attached.

Re: Duqu 2.0

 by R136a1 ¦  Wed Jul 27, 2016 5:16 pm ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 34526

Here is the exploit known as CVE-2015-2360. It wasn't publicly released yet, so I thought to upload it before it gets lost in my archive. The compilation time stamp is a bit newer than the samples described by Kaspersky, though I don't think there is a big difference in the functionality, if at all....

Re: EnumDisplayMonitors

 by R136a1 ¦  Sat Jul 02, 2016 8:26 am ¦  Forum: User-Mode Development ¦  Topic: EnumDisplayMonitors ¦  Replies: 2 ¦  Views: 9796

Funny, there is not sanity check for the pointer of the callback function at all. Windows XP is also affected, probably nothing was done since its implementation in Windows 2000.

Re: PbBot bootkit (alias Plite, GBPBoot)

 by R136a1 ¦  Fri Jun 24, 2016 11:41 am ¦  Forum: Malware ¦  Topic: PbBot bootkit (alias Plite, GBPBoot) ¦  Replies: 22 ¦  Views: 28078

Hi folks, here is a fresh sample from 2016. After a brief comparison it shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail. Strings from 16-bit loader: -------------- ReadInitData ------------ ------- IsPMSInstalled ------------- C:\Wi...


 by R136a1 ¦  Tue Jun 14, 2016 2:32 pm ¦  Forum: Malware ¦  Topic: TrojanDropper:W97M/Miskip.(A/B) ¦  Replies: 0 ¦  Views: 4137

Hi folks,

attached are the Word documents and the malware files which are used in targeted attacks. It's nothing advanced, but the campaign is interesting none the less.

An analysis can be found here: http://www.malware-reversing.com/2016/0 ... os-in.html

Re: Win32/Furtim

 by R136a1 ¦  Mon May 23, 2016 3:17 pm ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52639

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 25