A forum for reverse engineering, OS internals and malware analysis
Searched query: mpress
... obfuscated VBS file in a wrapper that runs legitimate file AND the script at the same time, so the user is fooled into proceeding. It is based on MPRESS and Batch to EXE Converter. The batch script inside is shown below despite it being so simple even 8 year old child can do it: @echo off set ...
... http://i.imgur.com/92jwYx9.png entry point of malware, feel the difference. http://i.imgur.com/U5p7kL8.png This file is compressed using MPRESS version 0.81-2.xx FYI for the idiot: MPRESS version is stored as plain text in compressed file header.
... %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). Final payload dll (attached as payload.dll) packed with MPRESS v2.19. Unpacking MPRESS is similar to manual unpack of UPX. This dll is simple and is capable of downloading and executing arbitrary files on ...
Does anyone have any unpacked version of Win64.Vabushky.A? cant unpack mpress x64
PeStudio has been updated:
. Fixed detection of MPRESS under 64bit
. Added detection and Indicator of suspicious Certificate size
. Added detection and Indicator of suspicious Certificate content (e.g. padding)
... Script-kiddie ransom, created in Delphi and packed with PECompact and after this MPRESS (it is boring even upload here as unpacked). This and locker "content" mean it was created by kids. Pretty popular trend for last half of year ...
Why don't you just go download MPRESS itself and pack any other exe with it, then test the packed exe? If you are just testing that specific feature, you should not need malware specifically.
Here is the link:
http://www.matcode.com/mpress.htm
PeStudio has been updated:
. Added detection of MPRESS compression
. Added detection of UPX evasion (one or more standard UPX section names changed)
. Added computation of SHA1 of the image analyzed
. fixed issue with right mouse copy at the UI
But the result does not provide a kind of list of samples already compressed with MPRESS. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=75&p=19659&hilit=mpress#p19659 http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2050&p=17417&hilit=mpress#p17356 ...
of course, thanks! But the result does not provide a kind of list of samples already compressed with MPRESS I am looking for (in order to test my tool that should detect this feature).