A forum for reverse engineering, OS internals and malware analysis 


Re: PbBot bootkit (alias Plite, GBPBoot)

 by R136a1 ¦  Fri Jun 24, 2016 11:41 am ¦  Forum: Malware ¦  Topic: PbBot bootkit (alias Plite, GBPBoot) ¦  Replies: 22 ¦  Views: 28202

Hi folks, here is a fresh sample from 2016. After a brief comparison it shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail. Strings from 16-bit loader: -------------- ReadInitData ------------ ------- IsPMSInstalled ------------- C:\Wi...

TrojanDropper:W97M/Miskip.(A/B)

 by R136a1 ¦  Tue Jun 14, 2016 2:32 pm ¦  Forum: Malware ¦  Topic: TrojanDropper:W97M/Miskip.(A/B) ¦  Replies: 0 ¦  Views: 4149

Hi folks,

attached are the Word documents and the malware files which are used in targeted attacks. It's nothing advanced, but the campaign is interesting nonetheless.

An analysis can be found here: http://www.malware-reversing.com/2016/0 ... os-in.html

Re: Win32/Furtim

 by R136a1 ¦  Mon May 23, 2016 3:17 pm ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52867

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)

Re: Malware with heavy virtual machine and sandbox detection

 by R136a1 ¦  Wed Apr 27, 2016 10:30 am ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52867

The C&C server of the first sample exposes over 1 GB of victims' data due to a misconfigured directory listing. The Internet service provider was informed.

Re: Malware with heavy virtual machine and sandbox detection

 by R136a1 ¦  Mon Apr 25, 2016 8:18 pm ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52867

Attached is another sample with a slightly newer compilation time stamp, which was downloaded with a new version of Godzilla Loader.

Trojan.GodzillaLoader (alias Godzilla Loader)

 by R136a1 ¦  Tue Apr 19, 2016 2:13 pm ¦  Forum: Malware ¦  Topic: Trojan.GodzillaLoader (alias Godzilla Loader) ¦  Replies: 3 ¦  Views: 11396

In January of 2016, a tiny downloader named Godzilla Loader was advertised in the Damagelab forum. Despite its small size of 6 KB, this downloader didn't look very special at first. However, a closer look into a sample showed an interesting downloading method which I haven't seen before. A translati...

Re: Gozi & GMBot Source Code

 by R136a1 ¦  Mon Apr 18, 2016 5:38 pm ¦  Forum: Malware ¦  Topic: Gozi & GMBot Source Code ¦  Replies: 2 ¦  Views: 4449

Re: My files were compressed and password protected

 by R136a1 ¦  Thu Apr 14, 2016 9:05 am ¦  Forum: Malware ¦  Topic: My files were compressed and password protected ¦  Replies: 6 ¦  Views: 7635

Since this ransomware uses WinRAR self-extracting files protected with a password (symmetric encryption), you have a good chance to get your files back:
- The password is generated on-the-fly (e.g. from computer-specific data from the victim) and sent to the C&C server
- The password is included in the ...

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

 by R136a1 ¦  Sun Apr 03, 2016 2:14 pm ¦  Forum: Malware ¦  Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit) ¦  Replies: 66 ¦  Views: 257235

Two days ago, I have started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption ...

Re: Win32/Rick.d

 by R136a1 ¦  Fri Apr 01, 2016 9:20 pm ¦  Forum: Malware ¦  Topic: [April fool's day] Win32/Rick.d ¦  Replies: 4 ¦  Views: 4708

A bit late and well... at least someone tried it this year ;)
