In this post I would like to share some scripts for WinDbg that they were useful for me while I was reversing malware with antidebug tricks. In the future I would like to write additional scripts related to this issue, and I will update this post to have all together. I hope these scripts will be useful for you too 🙂
In this post I analyze a sample of Poseidon (sample: 1b7f205b663af9a6eb44f18555bdaad86e0fa58f3a9e4aced3e2ae1e3ed472b5, you can read about it here). The original sample is a downloader. It is working, and there are online and working CnCs in the list of CnCs that the sample carries. However the malware could be failing to download the second stage executable (the keylogger) because of a bug in the downloader.
These days TalosIntelligence commented about a new variant of Konni RAT. It is not a complicated malware, but it implements some interesting tricks and functionality typical of RATs. I wanted to take a look at something different (there is more life after the ransomware 🙂 ) and in this post you can find a brief analysis of this RAT. I hope you enjoy it.
In this short post i want to share a first quick reversing of petya+eternalblue dll, md5: 3936bda83b590512fa2cfef8acf6c294. It is a first look at it, i hope the information here it is correct.
In this article i’d like to share a windbg script that will let us to load a shellcode from a file to kernel memory and create a kernel thread to execute it. I have not played a lot with the script yet, if you find some bug please tell me.
SamSam is a ransomware that is written in C#. It’s not an interesting malware, it hasn’t new interesting features or tricks to comment, however I wanted to write a post about the tools that I use to analyze .Net malware since long time ago, and this was a good opportunity to do it.
Lately, while reviewing and classifying samples, I have been seeing an increase in CoinMiners, specially CoinMiners oriented to mine Monero virtual coin. For this reason I decided to write a short article about virtual coin mining and this kind of malware.