Channel: Malware Reversing

Dropper of kernel-mode stealer

While searching for some interesting, unknown malware samples I came across a report that took my attention (http://www.threatexpert.com/report.aspx?md5=9c0744b8119df63371b83724bafe2095). The malware...

The case of the gethostbyname() exception

While analyzing a malicious bot in OllyDbg (1.10) on my Windows XP SP3 Virtual Machine, I came across an odd exception (0x000006B0) which always occurred trying to step over the Windows API function...

Disclosure of an interesting Botnet - The Executable (Part 1)

While searching for another interesting malware sample I came across a brief description from Chae Jong Bin of a yet unknown botnet. So thanks to him! I took a quick look into the executable and...

Disclosure of an interesting Botnet - The Server (Part 2)

So let's try to shed light onto the C&C server. At first I want again to thank Chae Jong Bin! With his brief network analysis of this botnet, he gave me a solid background. The first thing you...

Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)

In this series I have analyzed an interesting malware that combines various techniques I haven't seen before. Part 1 of this series deals with the initial Dropper and the Downloader which both come in...

Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper...

In the second Part of this series we analyze the downloaded file (2nd Dropper) and the dropped file (3rd Dropper). At the time of this analysis the files weren't uploaded on Virustotal, so I guess the...

Disclosure of another 0day malware - Analysis of the final Payload (Part 3)

In the last Part of this series I partly analyzed the final Payload. I haven't finished the analysis of the malware due to lack of time (and interest), but I will provide as much information as I have...

Disclosure of another 0day malware - Update and Additional Information

At first I will provide an overview of the current AV detection rates, almost 2 weeks after publishing the MD5 hashes of this malware. I will also release the samples, so you can analyze it by...

Analysis of an uncommon Downloader

This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language which it uses to...

South Korea Incident - New Malware samples

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin to learn x64 (dis)assembly. From analysis it became apparent that the .dll was part of a...

South Korea Incident - Analysis of a tiny Downloader

In this short Blogpost I am going to dissect a Downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks Chae Jong Bin for pointing me at). The Downloader comes...

Brief description of a signed Adware/PUP Downloader

To publish articles more frequently and thus make this Blog a bit more interesting, I decided to drop my intention to only write "in-depth" analyses about "special" malware. From today, I start to...

Back to the future - Analysis of an old Downloader

This article is an analysis of a Downloader first discovered ITW in 2006. It is widely detected by Anti-Virus vendors, also several reports are...

Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon, I had a bit of free time and stumbled across this tweet by PhysicalDrive0 (thx!) two hours ago and thought to give it a try to finally add a new article to this Blog (first of...

Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blogpost by Bitdefender which describes a malware sample that spreads across Facebook...

Dyre banker aka Win32/Win64 Battdil - Inside a related web panel

What I have learned over the years as a hobby malware analyst is whenever you think you are the first who discovered a new malware family, you can be sure at least a dozen people are already working on...

Project APC - Analysis of a piece of malware (German)

I found the bot described in detail below while searching for malware that makes use of so-called asynchronous procedure calls (Asynchronous Procedure Calls, or APC for short)...

Geographical distribution of Furtim malware infections

One month ago, someone posted a malware sample on the Kernelmode forum that uses a huge blacklist of security related programs. If one of these programs is found on the victim's system the malware stops...

What have H1N1 Loader, TreasureHunter and Jolly Roger Stealer in common?

Sometimes, when analysing a malware sample you think: "Wait a minute, I have seen this before". While it's already known that the author of Jolly Roger Stealer is also behind TreasureHunter, this...

New threat actor uses VBA macros in targeted attacks

In recent years, the revival of malicious VBA macros has become quite popular among cyber criminals. At the beginning of last year, a new threat actor also started to send spear phishing emails with...
