Win32/Corebot

Forum for analysis and discussion about malware.
sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Thu Dec 10, 2015 4:52 pm

Sample and config attached.
p1nk
Posts: 44
Joined: Thu Oct 29, 2015 1:09 am

Fri Dec 11, 2015 3:42 am

Anyone reversed the packing that it's using? (Working on reinstalling my analysis VM.) It doesn't look terribly complex, and the encoded data likely starts in the data section at 0x0041E023.
sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Fri Dec 11, 2015 8:06 pm

Here's a new config with some different targets and ATS URLs.

Sample came from Brad at MTA: https://isc.sans.edu/forums/diary/Every ... 2015/20477
sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Tue Mar 22, 2016 6:41 pm

Releasing a paper I wrote last year on this.
ikolor
Posts: 331
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Thu Jun 15, 2017 1:43 pm

maddog4012
Posts: 77
Joined: Mon Aug 04, 2014 6:53 pm

Thu Jun 15, 2017 4:07 pm

File dropped by JS file.
EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Mon Jan 07, 2019 2:02 pm

maddog4012 wrote:
Thu Jun 15, 2017 4:07 pm
File dropped by JS file.
It is CoreBot. Extracted version in the attachment. Posts moved.
Ring0 - the source of inspiration