Group for Malware Analysts. Pinned message with resources and rules: https://t.me/MalwareResearch/38033
Good morning here. Please could you tell me how to fix the malware Expiro win32 and win64?
User HackBos has 1/3 warnings; be careful!
Reason:
English only
Ok, I'll keep investigating, thanks for your time.
Do you have links where this family is defined somewhere? Pony doesn't ring a bell for me
From what I saw it seems to be a pony.exe family
And you know, something that catches my attention is that the file itself is called Chrome.pif but it seems like a direct access, and when I open it with DNSpy it has another name
You can try using die or de4dot to identify what obfuscation it is and then work from there
Hello Everyone,
I’m excited to share a new video where I demonstrate AI-powered threat hunting using the Garuda Framework—a tool I developed for manual threat hunting, leveraging rich endpoint telemetry from Sysmon.
In this video, you’ll see how Garuda, when integrated with a large language model (LLM), can automatically identify threats, showcasing the power of combining structured telemetry with AI for autonomous threat detection.
Watch Here: https://youtu.be/Sk_c5w1CEiY
Garuda will be officially released at DEF CON 2025. If you’re curious about how AI can extend manual threat hunting or want a first look at Garuda in action, I’d love for you to check out the video.
Hello everyone. Does anyone have any idea how to perform a test to understand what an application writes to memory?
The context: I need to intercept data that the application passes in 3 ways:
1) localhost
2) shared memory
3) http to other servers
What interests me is via shared memory, but I have no idea how to do it. Does anyone have any hints to guide me? On the machine I have procmon and process hacker. Do I need Frida?
The machines are in a lab, but I don't want to get the machine too dirty because there are other tests going on.
User Zachura en has 2/3 warnings; be careful!
Reason:
don't spam
Hello Lorenzo, please make sure to read rules. Welcome
the victim downloads an unlocker that has the privkey, that privkey can decrypt all the keys that decrypt all their files
Hello Profound, welcome to the Malware Research group! Please read the pinned message before you post!
New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: HackBos
User ID: 2053535532
Reason: illegal activity
haven't seen or heard about Pony since I last took a SANS course quite some years ago...
but I don't mind being surprised about it
although from the codes, I'm not inclined to think it's Pony, more likely one of the more common infostealer families out there, as per what Libra has mentioned
I agree with Libra. This seems to be a loader for next stage. Additionally, rsrc section has high entropy.
As for the code from the screenshot, it looks like junk instructions are added in between. You should be able to debug this sample in order to get the next stage.
The code above main is doing some process killing of unwanted processes, the code is all in a single class, so I'm assuming this is a loader for a next stage
The .pif file feels like it's the CypherIT loader, followed by some generic malware probably. Since it's .net, it's either another loader or the final payload. Guessing it's snakekeylogger due to its prevalence, could also be lumma given the frequency
Because when I open it with DNSPY I see it like this..
Hello, first of all, thank you for taking the time to respond :) Well, with de4dot it indicates that it's uncoded and...
Hi! Sorry to bother you, do you have any advice for someone starting out with malware analysis? Specifically, I'm having a problem with a .pif file, but I doubt it's due to the .net entries. I opened it with dnSpy, and to my "surprise," it's obfuscated. I tried using de4dot, but I couldn't de-obfuscate it. Anyone? Any ideas? A lifesaver? Hehe - as always, I apologize, I don't speak English.
New FedBan
Fed: Libra's Empire
FedAdmin: Libra
User: Zorko
User ID: 7721845900
Reason: no paid ads, you got warned multiple times in different groups
but they use a different priv-key for "customer" or they should
How does decryption happen, sir, after the ransom is paid?
Hello Profound, welcome to the Malware Research group! Please read the pinned message before you post!