A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30868  by MalwareInfo
 Sun Oct 01, 2017 3:49 am
This malware may be using OutputDebugString as an anti-debugging technique.I am not familiar with this technique,so how to fix it? Any help would be greatly appreciated!
You do not have the required permissions to view the files attached to this post.
Last edited by Xylitol on Thu Jan 24, 2019 4:32 pm, edited 1 time in total. Reason: edited topic title
 #30871  by Xylitol
 Sun Oct 01, 2017 9:24 am
in attachment unpacked keylogger, 8/64 on VT https://www.virustotal.com/en/file/5fb7 ... 506849125/
payload is took from ressource and then decoded, ending up with a file you can upx -d, appear coded in delphi
Code: Select all
ASCII "C:\\Downloads\\FUD\\XKey\\autorunreg.pas"
ASCII "----------------------------------------------------------------------------------------------------"
ASCII "\r\n"
ASCII "[<<]"
ASCII "[Tab]"
ASCII "[Esc]"
ASCII "[PrtScr]"
ASCII "[Del]"
ASCII "[Num Lock]"
ASCII "\r\n\r\n================================== 0USER0 - "
ASCII "[ Áóôåð îáìåíà - Clipboard - "
ASCII "nynewsguardianinternet.com"
ASCII "text="
ASCII "/upwin/index.php"
ASCII "Content-Type: application/x-www-form-urlencoded"
ASCII "GetAsyncKeyState"
KeyloggerTimer
AtivarTimer
DesativarTimer
host where it send datas is down and file is 2 years old.
You do not have the required permissions to view the files attached to this post.
 #32472  by sysopfb
 Thu Jan 17, 2019 4:25 pm
Sorry for necroing but this is XKeyScore , found topic while looking at another sample

Panel attached from a different C2 server
You do not have the required permissions to view the files attached to this post.