Thread: Is this malware?

  1. #1

    Is this malware?


    Link here :
    Password : p@ssw0rd

    I have submitted it to VirusTotal but it came back clean.

    I was getting random redirects when searching in Firefox. I'd click on a link and end up at a random ebay shop or something. Adaware and Malwarebytes' Anti-Malware both reported my machine as clean.

    I found this file in use by lots of applications on the system; I tried to delete it and everything went haywire.

    Now that I have removed it from my registry run keys and renamed it, the problems have gone away.

    The file itself is not packed, but it does seem to be using some kind of flow obfuscation with lots of random jumps all over the place. I haven't had much time to investigate further, and am rapidly running out of talent to do so, so I thought I would see if anyone else fancied investigating it.

    Or at least confirm/deny my suspicion that it is the culprit. So far I see that it installs a hook. There are a lot of registry/file imports but very few strings, indicating that they may be encrypted and decrypted at runtime. Only two exports.

    I hope someone finds it interesting. A great way to test out any new disassemblers you may have found recently. At least my new disassembler, an interactive one, handles the jumping flow obfuscation very nicely.

    If it does turn out to be suspicious, as per the sticky from Kayaker "If you find an unknown malware and would like assistance in reversing it, or learn how to reverse it safely, then we can consider making it a communal Mini-Project in which all can participate." - I would be more than happy for it to become a Mini-Project - I know I would love to learn a little more about reversing these things safely.

    If it is something less malign, well, you can just point and laugh at my inexperience.

    Kindest regards
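    The indicators listed in the post (not packed, almost no strings, a chain of unconditional jumps hiding the real code) can be checked with a few lines of stdlib Python. The block below is an added example, not code from the thread or from the sample being discussed: it computes Shannon entropy of a blob (a packed or encrypted section runs close to 8 bits/byte, plain code much lower), pulls ASCII and UTF-16LE strings the way `strings -a` / `strings -el` would, and follows a chain of x86 `jmp rel8` (EB) / `jmp rel32` (E9) instructions from a starting address to the place where non-jump code resumes, with loop and out-of-image detection. The sample bytes are constructed here; the hook API name in the strings sample is an assumed illustration, since the post does not say which hook it installs.

```python
"""Static triage helpers: entropy, printable strings, and jump-chain collapsing.
Added example for the thread above; sample data is constructed, not the real file."""
import math
import re
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0.0, 8.0]. Packed/encrypted sections usually exceed ~7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude 'is this section packed/encrypted?' heuristic based on entropy."""
    return shannon_entropy(data) > threshold


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII and UTF-16LE runs of printable characters, like `strings -a` and `-el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def resolve_jump_chain(code: bytes, base: int, start: int, max_hops: int = 64):
    """Follow jmp short (EB rel8) / jmp near (E9 rel32) from virtual address
    `start` until a non-jmp opcode is reached.  Returns (final_va, hop_list).
    Raises ValueError on a jump loop, an out-of-image target, or a runaway chain."""
    va = start
    seen = set()
    hops = []
    while True:
        off = va - base
        if not 0 <= off < len(code):
            raise ValueError(f"jump target {va:#x} outside image")
        if va in seen:
            raise ValueError(f"jump loop at {va:#x}")
        seen.add(va)
        op = code[off]
        if op == 0xEB and off + 2 <= len(code):          # jmp rel8
            rel = struct.unpack_from("<b", code, off + 1)[0]
            nxt = va + 2 + rel
        elif op == 0xE9 and off + 5 <= len(code):        # jmp rel32
            rel = struct.unpack_from("<i", code, off + 1)[0]
            nxt = va + 5 + rel
        else:                                            # real code starts here
            return va, hops
        hops.append(va)
        if len(hops) > max_hops:
            raise ValueError("jump chain too long")
        va = nxt


# --- constructed sample: a 0x40-byte code blob mapped at 0x401000 ---
SAMPLE_BASE = 0x401000
SAMPLE_CODE = bytearray(b"\xCC" * 0x40)                 # int3 padding as junk
SAMPLE_CODE[0x00:0x02] = b"\xEB\x0E"                    # jmp short +0x0E -> 0x401010
SAMPLE_CODE[0x10:0x15] = b"\xE9\x1B\x00\x00\x00"        # jmp near  +0x1B -> 0x401030
SAMPLE_CODE[0x30:0x32] = b"\xEB\xF0"                    # jmp short -0x10 -> 0x401022
SAMPLE_CODE[0x22:0x25] = b"\x55\x8B\xEC"                # push ebp; mov ebp,esp (real prologue)
SAMPLE_CODE = bytes(SAMPLE_CODE)

# constructed data blob: one ASCII string and one UTF-16LE string (assumed API name)
SAMPLE_DATA = (b"\x00\x01kernel32.dll\x00\x02"
               + "SetWindowsHookExA".encode("utf-16le") + b"\x00\x00ab\x00")


if __name__ == "__main__":
    print("entropy(zeros) =", shannon_entropy(b"\x00" * 1024))
    print("entropy(flat)  =", shannon_entropy(bytes(range(256)) * 4))
    print("strings        =", printable_strings(SAMPLE_DATA))
    final, hops = resolve_jump_chain(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_BASE)
    print(f"code resumes at {final:#x} after hops {[hex(h) for h in hops]}")
```

Run it on a real sample by reading each PE section's raw bytes and passing them to `shannon_entropy` and `printable_strings`; a section that is low-entropy but yields almost no strings is exactly the "not packed, but strings decrypted at runtime" pattern described in the post. The jump resolver is deliberately minimal (it only understands unconditional jmps), which is enough to turn a tangle of jump islands back into a single starting address for a real disassembler.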

  2. #2
    Hello bboitano,

    I have found nothing much of interest so far, but as you said, it looks a bit suspicious.

    For the record, I have attached the malware to this thread.

    The password is the same.

  3. #3
    Salut Silkut,

    Thank you for taking the time to look at it - it is much appreciated.

    It might well be benign, but it just looks 'fishy' to me. The only file in the directory, not packed but no strings, odd code flow, unusual imports, no results in Google for that file name, appeared to be in use by multiple applications, etc. All in all, it adds up to enough for me to post it here and ask others to have a look.

    I really hope it turns out to be interesting; it would be nice if those who have invested the effort to have a look are rewarded with more than just a plain old vanilla DLL!

    Kindest regards
