Page 1 of 1

How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 3:25 am
by TechLord
I know this is a dumb question, so please forgive me :)

Let's say that I want to see if this particular malware with the hash "9f8527b268d5df1d24d3579d96f9f33f00f45878a32bbe0849da0235fd47048e" in available for download in KernelMode.info or not. How do I go about searching for it ?

I am not able to search using the full hash in the Search box above as it says that the search is restricted to only 14 characters. So I tried searching using only the first 14 chars of the hash. Got nothing.

SO, getting a doubt that maybe I am doing the whole thing wrong, I decided to to search for a sample that I know, exists on this forum. For example, I tried searching for this malware with the hash "825c2ab5779c5a03e42d78e2aa7586ab06616ca5beaaa33ed3ea566c52b367ec" . Since the search box restricts the chars to 14, I attempted to search for this "825c2ab57". But I got an error message saying that no posts were found containing that word.

But I know that that particular malware is available at this page : viewtopic.php?f=16&t=610

I understand that the "search" function can only search for text which is not "quoted" ottherwise tagged ..

Can someone pls guide me as to how to search for the hashes that I need ?

Once again sorry for this dumb question :(

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 8:44 am
by waffles2.0
Firstly, I can search for the full hash for some reason... Anyway lets assume you are searching for with a small section of the hash. To find that post your search should look like this:
*825c2ab57*
and not like this:
825c2ab57
.

Secondly, before searching you could also do a little bit of research about the hash value rather than just searching for it. For example, with "9f8527b268d5df1d24d3579d96f9f33f00f45878a32bbe0849da0235fd47048e", check out VirusTotal & Hybrid Analysis and see if it has been submitted. Also if you googled the hash you would find that @hasherezade (https://twitter.com/hasherezade) has done a Youtube video on it: https://www.youtube.com/watch?v=AUGxYhE_CUY titled "Unpacking YoungLotus malware" so you could search for YoungLotus rather than the hash value.

However, I don't think that sample has been uploaded here. You could make a request in Malware Requests or go here and create an account and download it yourself. https://www.hybrid-analysis.com/sample/ ... mentId=100.

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 9:32 am
by TechLord
Ok.. So you are enclosing the search term between asterisks .. I tried various other ways including using quotes ("") etc ... Thanks for the tip.

But if I search for the full hash, I get this error:
Image

Not sure how you are able to search for malware using the full hash ...


Yes, I did indeed google quite a bit. I did see the youtube video that came up in the search and also saw that she gave a "hybrid-analysis" link to get hold of the malware.

The problem is that in the past I had access to hybrid-analysis.com and hence could download without issues. Now they are asking that we get vetted and the manual vetting process is taking ages. A few years earlier we could just access their services by creating an account with them, without the need to get vetted.

waffles2.0 wrote:However, I don't think that sample has been uploaded here. You could make a request in Malware Requests or go here and create an account and download it yourself. https://www.hybrid-analysis.com/sample/ ... mentId=100.
You will need to be first manually vetted by the staff and then approved before thats possible. That takes days. Many have complained about it on the REDDIT Malware sub-reddit as well...

Thanks buddy for the response thought :)

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 10:23 am
by waffles2.0
Obviously I have offended you, I apologise.

This is in the newbie questions forum so I assumed you were not experienced but I don't see why someone should extensively research who you are before answering a question nor do I understand why who you are even matters?

Try shortening the hash from 9f8527b268d5df1d24d3579d96f9f33f00f45878a32bbe0849da0235fd47048e to *9f8527b268d5df*. It still won't result in anything except this post because this hash hasn't been posted on this forum before.

As for Hybrid Analysis, that did change as of late 2017 but if you have a corporate email and the company can be verified the verification process isn't too long (a week).
So maybe you should do a little research as well before posting answers ;)
Well I guess you can do a little bit of research and find out where to download your sample from. Or maybe just explain what you have already tried in the original post before getting offended at my suggestions.

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 11:19 am
by TechLord
I think that I came on a bit too strong :)
Yes, you are right..
I just posted in the newbie forum and you assumed I am a noob :D

No worries .. I am not offended :) (Edited my post above to make it sound better)

Anyway, reg the hybrid-analysis : Even with a corporate email, if there is not physical office in the US, I guess that they are not responding these days. The problem is that while I do have a physical company in the US, that company does not deal with Malware analysis (deals with IT security in general). Its been over 2 months since we contacted them but no verification from them so far :(

Do you know any other place where I can download it rightaway ? Malwr is down .. Unfortunately all my go-to places eiter don't have it or otherwise are down :(

Cheers :)

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 11:56 am
by waffles2.0
Try dropping Hybrid Analysis a PM on Twitter they are active there and should help you out: https://twitter.com/HybridAnalysis

In the mean time see the attachment I added below this post.

Re: How to search for a certain malware in Kernelmode.Info

PostPosted:Fri Feb 16, 2018 12:08 pm
by TechLord
I will do so.. Thanks a lot for the sample.
I gave you a rep earlier but I cannot see the rep increased for you :O

Anyway will ping them and see.